Spring Security: password encoding in DB and in applicationContext
Problem description
I have this config (applicationContext-security.xml):
<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <password-encoder hash="sha"/>
        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>
</authentication-manager>
From my dataSource (JdbcDaoImpl):
...
public static final String DEF_USERS_BY_USERNAME_QUERY =
        "select username,password,enabled " +
        "from users " +
        "where username = ?";
...
Now this code says nothing about sha, so the password is selected from the standard Spring Security users table unencoded.
Perhaps I should provide some sha attribute for the password column in my hibernate mapping config here:
<class name="model.UserDetails" table="users">
    <id name="id">
        <generator class="increment"/>
    </id>
    <property name="username" column="username"/>
    <property name="password" column="password"/>
    <property name="enabled" column="enabled"/>
    <property name="mail" column="mail"/>
    <property name="city" column="city"/>
    <property name="confirmed" column="confirmed"/>
    <property name="confirmationCode" column="confirmation_code"/>
    <set name="authorities" cascade="all" inverse="true">
        <key column="id" not-null="true"/>
        <one-to-many class="model.Authority"/>
    </set>
</class>
For now the password is saved to the DB as is, but it should be encoded.
How do I make the applicationContext config and the DB queries use the same password encoding?
Recommended answer
If you are choosing a hashing system yourself, rather than building an app using an existing database which already contains hashed passwords, then you should make sure your hashing algorithm also uses a salt. Don't just use a plain digest.
A good choice is bcrypt, which we now support directly in Spring Security 3.1 via the BCryptPasswordEncoder (implemented using jBCrypt). This automatically generates a salt and concatenates it with the hash value in a single String.
Some databases have built-in support for hashing (e.g. Postgres). Otherwise, you need to hash the password yourself before passing it to JDBC:
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hash once at user creation; the result (salt + hash in one String) is what goes into the password column.
String password = "plaintextPassword";
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String hashedPassword = passwordEncoder.encode(password);
That's all you need to do to encode the passwords when you create a user.
For authentication, you would use something like:
<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<bean id="authProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="yourJdbcUserService" />
    <property name="passwordEncoder" ref="encoder" />
</bean>
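As an added example (not code from the question or the answer), the two paths the answer describes side by side: hashing at user creation and verifying at login with the same BCryptPasswordEncoder, plus the failure the question runs into when the column holds an unencoded password. It assumes spring-security-crypto on the classpath; the Map is a constructed stand-in for the users table.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordStorageDemo {
    // Constructed stand-in for the "users" table: username -> password column.
    private final Map<String, String> users = new HashMap<>();

    // The same encoder the DaoAuthenticationProvider bean is wired with.
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    /** Registration path: hash the password before it reaches the INSERT. */
    public void createUser(String username, String rawPassword) {
        users.put(username, encoder.encode(rawPassword));
    }

    /** What the question's code does today: the raw password lands in the column. */
    public void createUserUnencoded(String username, String rawPassword) {
        users.put(username, rawPassword);
    }

    /** Authentication path: what DaoAuthenticationProvider does with the stored value. */
    public boolean authenticate(String username, String rawPassword) {
        String stored = users.get(username);
        return stored != null && encoder.matches(rawPassword, stored);
    }

    public static void main(String[] args) {
        PasswordStorageDemo demo = new PasswordStorageDemo();
        demo.createUser("alice", "plaintextPassword");
        demo.createUser("bob", "plaintextPassword");
        demo.createUserUnencoded("carol", "plaintextPassword");
        // Same raw password, different stored values: bcrypt put a fresh salt in each.
        System.out.println("alice: " + demo.users.get("alice"));
        System.out.println("bob:   " + demo.users.get("bob"));
        // Both verify, because the salt is read back out of the stored string itself.
        System.out.println("alice ok: " + demo.authenticate("alice", "plaintextPassword"));
        System.out.println("bob ok:   " + demo.authenticate("bob", "plaintextPassword"));
        System.out.println("wrong pw: " + demo.authenticate("alice", "guess"));
        // carol's column holds plaintext, so matches() rejects it: login fails.
        System.out.println("carol ok: " + demo.authenticate("carol", "plaintextPassword"));
    }
}
```

The carol case is exactly the mismatch in the question: the provider's encoder and the value written by the application must agree, and once they do, no sha attribute on the Hibernate mapping is needed.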