Spring Security: password encoding in DB and in applicationContext


Problem description

I have this config (applicationContext-security.xml):

<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <password-encoder hash="sha"/>
        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>
</authentication-manager>

On the other side I have the SQL from my dataSource (it's JdbcDaoImpl):

...
    public static final String DEF_USERS_BY_USERNAME_QUERY =
            "select username,password,enabled " +
            "from users " +
            "where username = ?";
...

There is no word about sha in this code, so the password selected from the standard Spring Security users table is not encoded.

Perhaps I should provide some sha attribute for the password column in my Hibernate mapping config here:

<class name="model.UserDetails" table="users">
    <id name="id">
        <generator class="increment"/>
    </id>
    <property name="username" column="username"/>
    <property name="password" column="password"/>
    <property name="enabled" column="enabled"/>
    <property name="mail" column="mail"/>
    <property name="city" column="city"/>
    <property name="confirmed" column="confirmed"/>
    <property name="confirmationCode" column="confirmation_code"/>

    <set name="authorities" cascade="all" inverse="true">
        <key column="id" not-null="true"/>
        <one-to-many class="model.Authority"/>
    </set>

</class>

For now the password is saved to the DB as is, but it should be encoded.

How do I make the applicationContext config and the DB queries use the same password encoding?

Recommended answer

If you are choosing a hashing system yourself, rather than building an app using an existing database which already contains hashed passwords, then you should make sure your hashing algorithm also uses a salt. Don't just use a plain digest.

A good choice is bcrypt, which we now support directly in Spring Security 3.1 via the BCryptPasswordEncoder (implemented using jBCrypt). This automatically generates a salt and concatenates it with the hash value in a single String.

Some databases have built-in support for hashing (e.g. Postgres). Otherwise, you need to hash the password yourself before passing it to JDBC:

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

String password = "plaintextPassword";
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String hashedPassword = passwordEncoder.encode(password); // random salt generated and embedded in the result

That's all you need to do to encode the passwords when you create a user.

For authentication, you would use something like:

<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<bean id="authProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="yourJdbcUserService" />
  <property name="passwordEncoder" ref="encoder" />
</bean>
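The following is an added example, not code from the original answer or from the Spring Security project. It puts the two halves of the answer together: the write path (hash with BCryptPasswordEncoder before the JDBC insert) and the read path (what DaoAuthenticationProvider does with the same encoder at login), against the standard users/authorities schema that jdbc-user-service expects. The class name BcryptUserStore, its method names, the in-memory HSQLDB stand-in for the real dataSource (spring-jdbc and hsqldb on the classpath) and the sample user are all this example's own assumptions.

```java
import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Uses one PasswordEncoder on both the write path (user creation) and the
 * read path (login check), which is exactly what keeps the applicationContext
 * config and the rows in the users table in agreement.
 * Example class (hypothetical name), not part of Spring Security.
 */
public class BcryptUserStore {

    private final JdbcTemplate jdbc;
    private final PasswordEncoder encoder;

    public BcryptUserStore(DataSource dataSource, PasswordEncoder encoder) {
        this.jdbc = new JdbcTemplate(dataSource);
        this.encoder = encoder;
    }

    /** Write path: the plaintext never reaches the database, only encoder.encode(plaintext). */
    public void createUser(String username, String plaintextPassword, String authority) {
        // BCryptPasswordEncoder draws a fresh random salt on every call and embeds it
        // in the returned "$2a$..." string, so no separate salt column is needed.
        String hash = encoder.encode(plaintextPassword);
        jdbc.update("insert into users (username, password, enabled) values (?, ?, ?)",
                username, hash, Boolean.TRUE);
        jdbc.update("insert into authorities (username, authority) values (?, ?)",
                username, authority);
    }

    /** Read path: the same comparison DaoAuthenticationProvider performs with its passwordEncoder. */
    public boolean passwordMatches(String username, String candidate) {
        String stored = jdbc.queryForObject(
                "select password from users where username = ?", String.class, username);
        // matches() parses the salt out of the stored value, re-hashes the candidate
        // with it and compares; a row that was stored in plaintext can never match.
        return encoder.matches(candidate, stored);
    }

    public static void main(String[] args) {
        // In-memory HSQLDB as a stand-in for the real dataSource (assumption: hsqldb on the classpath).
        EmbeddedDatabase db = new EmbeddedDatabaseBuilder()
                .setType(EmbeddedDatabaseType.HSQL).build();
        JdbcTemplate setup = new JdbcTemplate(db);
        // Minimal form of the schema JdbcDaoImpl queries by default; 60 chars fits a bcrypt string.
        setup.execute("create table users (username varchar(50) primary key, "
                + "password varchar(60) not null, enabled boolean not null)");
        setup.execute("create table authorities (username varchar(50) not null, "
                + "authority varchar(50) not null)");

        PasswordEncoder encoder = new BCryptPasswordEncoder();
        BcryptUserStore store = new BcryptUserStore(db, encoder);

        // Constructed sample user, not real credentials.
        store.createUser("alice", "correct horse battery staple", "ROLE_USER");

        System.out.println("correct password: "
                + store.passwordMatches("alice", "correct horse battery staple"));
        System.out.println("wrong password:   "
                + store.passwordMatches("alice", "wrong password"));

        // The same plaintext encoded twice yields two different strings (different salts),
        // and matches() accepts both, so hashes cannot be compared by string equality.
        String h1 = encoder.encode("secret");
        String h2 = encoder.encode("secret");
        System.out.println("hashes identical: " + h1.equals(h2));
        System.out.println("both hashes verify: "
                + (encoder.matches("secret", h1) && encoder.matches("secret", h2)));

        db.shutdown();
    }
}
```

The encoder bean wired into DaoAuthenticationProvider must be the same type used on the write path; keeping `<password-encoder hash="sha"/>` in the context while inserting bcrypt strings (or plaintext) means every login fails. Rows that already hold plaintext or unsalted SHA values will not verify against a bcrypt encoder either, so an existing user table has to be migrated, for example by re-hashing each user's password on the next successful login or forcing a reset.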

