Spring Security salt for custom UserDetails


Question

I want to add a salt:

    PasswordEncoder encoder = new ShaPasswordEncoder();
    userDetails.setPassword(encoder.encodePassword(userDetails.getPassword(), saltSource.getSalt(userDetails)));


As userDetails is an instance of my custom UserDetail class, I am obliged to cast it to this Spring class: UserDetails, but, as is logically expected, I got at runtime:

java.lang.ClassCastException: model.UserDetails cannot be cast to org.springframework.security.core.userdetails.UserDetails

config:

    <beans:bean id="saultSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
        <beans:property name="userPropertyToUse" value="username"/>
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <password-encoder hash="sha">
                <salt-source user-property="username"/>
            </password-encoder>
            <jdbc-user-service data-source-ref="dataSource"/>
        </authentication-provider>
    </authentication-manager>


How can I configure salt correctly in this case?

Answer


ReflectionSaltSource only works with a UserDetails object (I'm assuming that's where you get the class-cast exception?), so you would have to either implement UserDetails or create your own SaltSource implementation which works with your object.


However, I wouldn't use a property of the user as the salt unless you are working with a legacy system which already does this. The username is not a very good salt value. It's much better to use a random salt which is stored with the password. A good example is the BCrypt algorithm. See my answer to this question for an example of using it with Spring Security 3.1. As explained there, BCrypt automatically generates a random salt which it stores in the same string as the hashed password.


Note that there is actually a new PasswordEncoder interface in the Spring Security 3.1 "crypto" package (in org.springframework.security.crypto.password). This doesn't include a salt in the API methods, since it assumes the salt is internally generated (as it is with the BCrypt implementation). The framework will generally accept one of these or the legacy org.springframework.security.authentication.encoding.PasswordEncoder.
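The two suggestions above put together, as an added example (not code from the question or the answer): a hypothetical domain class `AppUser` that implements Spring's own `UserDetails` interface (so no cast is needed), with passwords encoded by the Spring Security 3.1 `BCryptPasswordEncoder`, whose random salt is carried inside the stored hash string.

```java
import java.util.Collection;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical domain user implementing Spring's UserDetails directly,
 *  so neither a cast nor a ReflectionSaltSource is needed. */
public class AppUser implements UserDetails {
    private final String username;
    private final String passwordHash; // BCrypt string: "$2a$<cost>$<22-char salt><31-char hash>"

    public AppUser(String username, String passwordHash) {
        this.username = username;
        this.passwordHash = passwordHash;
    }

    public Collection<? extends GrantedAuthority> getAuthorities() {
        return AuthorityUtils.createAuthorityList("ROLE_USER");
    }
    public String getUsername() { return username; }
    public String getPassword() { return passwordHash; }
    public boolean isAccountNonExpired() { return true; }
    public boolean isAccountNonLocked() { return true; }
    public boolean isCredentialsNonExpired() { return true; }
    public boolean isEnabled() { return true; }

    /** Registration: encode() draws a fresh random salt on every call,
     *  so no salt has to be derived from any user property. */
    public static AppUser register(PasswordEncoder encoder, String username, String rawPassword) {
        return new AppUser(username, encoder.encode(rawPassword));
    }

    /** Login check: matches() reads the salt back out of the stored hash. */
    public static boolean checkLogin(PasswordEncoder encoder, AppUser user, String rawPassword) {
        return encoder.matches(rawPassword, user.getPassword());
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder(10); // cost factor 10
        AppUser alice = register(encoder, "alice", "s3cret");   // constructed sample users
        AppUser bob = register(encoder, "bob", "s3cret");
        // Same raw password, yet two different strings: the random salt differs.
        System.out.println(alice.getPassword());
        System.out.println(bob.getPassword());
        // The 22-character salt sits right after the "$2a$10$" prefix.
        System.out.println("alice's salt: " + alice.getPassword().substring(7, 29));
        System.out.println("correct password accepted: " + checkLogin(encoder, alice, "s3cret"));
        System.out.println("wrong password accepted:   " + checkLogin(encoder, alice, "wrong"));
    }
}
```

In the XML from the question, the `<password-encoder hash="sha">` element and its `<salt-source>` child would then be replaced by `<password-encoder ref="bcryptEncoder"/>` pointing at a `BCryptPasswordEncoder` bean, and the `ReflectionSaltSource` bean dropped.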
