Spring Security: password encoding in DB and in applicationContext
Question
I have this config (applicationContext-security.xml):
<authentication-manager alias="authenticationManager">
<authentication-provider>
<password-encoder hash="sha"/>
<jdbc-user-service data-source-ref="dataSource"/>
</authentication-provider>
</authentication-manager>
On the other side I have the SQLs from my dataSource (it's JdbcDaoImpl):
...
public static final String DEF_USERS_BY_USERNAME_QUERY =
"select username,password,enabled " +
"from users " +
"where username = ?";
...
There is no word about sha in this code, so the password selected from the standard Spring Security users table is not encoded.
Perhaps I should provide some sha attribute for the password column in my hibernate mapping config here:
<class name="model.UserDetails" table="users">
<id name="id">
<generator class="increment"/>
</id>
<property name="username" column="username"/>
<property name="password" column="password"/>
<property name="enabled" column="enabled"/>
<property name="mail" column="mail"/>
<property name="city" column="city"/>
<property name="confirmed" column="confirmed"/>
<property name="confirmationCode" column="confirmation_code"/>
<set name="authorities" cascade="all" inverse="true">
<key column="id" not-null="true"/>
<one-to-many class="model.Authority"/>
</set>
</class>
For now the password is saved to the DB as is, but it should be encoded.
How do I make the applicationContext config and the DB queries agree on the same password encoding?
Answer
If you are choosing a hashing system yourself, rather than building an app using an existing database which already contains hashed passwords, then you should make sure your hashing algorithm also uses a salt. Don't just use a plain digest.
A good choice is bcrypt, which we now support directly in Spring Security 3.1 via the BCryptPasswordEncoder
(implemented using jBCrypt). This automatically generates a salt and concatenates it with the hash value in a single String.
Some databases have built-in support for hashing (e.g. Postgres). Otherwise, you need to hash the password yourself before passing it to JDBC:
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

String password = "plaintextPassword";
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
// encode() generates a random salt and returns it together with the hash
String hashedPassword = passwordEncoder.encode(password);
That's all you need to do to encode the passwords when you create a user.
For authentication, you would use something like:
<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<bean id="authProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="yourJdbcUserService" />
<property name="passwordEncoder" ref="encoder" />
</bean>
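As an added example (not code from the original answer), here is how user creation and credential checking line up when both sides use the same BCryptPasswordEncoder, so the SQL itself never needs to know about the hash. It assumes spring-jdbc and spring-security-crypto 3.1+ on the classpath and the standard Spring Security users table from the question; the class name and the JdbcTemplate usage are my own choices.

```java
// Added example, not from the original post. Assumes spring-jdbc and
// spring-security-crypto on the classpath, a DataSource bean, and the
// standard "users" table (username, password, enabled) shown in the question.
import javax.sql.DataSource;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class UserRegistrationService {

    private final JdbcTemplate jdbc;
    // The same encoder type that the DaoAuthenticationProvider bean references,
    // so storage and verification agree on the hash format ("$2a$10$...").
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    public UserRegistrationService(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    /** Inserts a user; only the bcrypt hash (salt embedded) reaches the DB. */
    public void register(String username, String rawPassword) {
        String hashed = encoder.encode(rawPassword);
        jdbc.update("insert into users (username, password, enabled) values (?, ?, ?)",
                    username, hashed, true);
    }

    /**
     * Mirrors what DaoAuthenticationProvider does at login: load the stored
     * value with the unchanged "select ... from users where username = ?"
     * query, then let matches() read the salt out of the stored hash and
     * compare. Never compare strings yourself and never re-hash the stored value.
     */
    public boolean checkCredentials(String username, String rawPassword) {
        String stored;
        try {
            stored = jdbc.queryForObject(
                    "select password from users where username = ?",
                    String.class, username);
        } catch (EmptyResultDataAccessException unknownUser) {
            return false;   // no such user: treat exactly like a wrong password
        }
        return encoder.matches(rawPassword, stored);
    }
}
```

Because bcrypt salts every call, two register() calls with the same password store different hashes, yet matches() accepts the raw password against either one.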