Bcrypt为相同的输入生成不同的哈希值？ [英] Bcrypt generates different hashes for the same input?

问题描述

我刚刚为我的新Grails项目添加了注册功能。为了测试它，我通过发送邮件和密码进行了注册。在将密码保存到数据库之前，我正在使用bcrypt算法对密码进行散列处理。 然而，当我尝试使用与注册时相同的电子邮件和密码进行登录时，登录失败。我调试的应用程序，并发现其为相同的密码生成的散列是不同的，当我尝试与已经散列一个从数据库，因此登录失败（的 Registration.findByEmailAndPassword（params.email，hashPassd比较）在LoginController.groovy中返回null ）。

这是我的域类Registration.groovy：

<$注册{

transient springSecurityService

字符串全名
字符串密码
字符串电子邮件

static constraints = {
fullName（空白：false）
密码（空白：false，密码：true）
email（空白：false，email：true，unique：true）

$ b $ def beforeInsert = {
encodePassword（）
}

protected void encodePassword（）{
password = springSecurityService。 encodePassword（密码）
}
}

这是我的LoginCont roller.groovy：

  class LoginController {
 
 / ** 
 *依赖注入springSecurityService。 
 * / 
 def springSecurityService 
 
 def index = {
 if（springSecurityService.isLoggedIn（））{
 render（view：../homepage ）
} 
 else {
 render（view：../index）
} 
} 
 
 / ** 
 *显示登录页面。 
 * / 
 def handleLogin = {
 
 if（springSecurityService.isLoggedIn（））{
 render（view：../homepage）
返回
} 
 
高清hashPassd = springSecurityService.encodePassword（params.password）
 //查找用户名
高清用户= Registration.findByEmailAndPassword（params.email，hashPassd ）
 if（！user）{
 flash.message =用户未找到电子邮件：$ {params.email}
 render（view：../index）
 return 
} else {
 session.user = user 
 render（view：../homepage）
} 
} 
} 
 


$ b 这是Config.groovy的一个片段，它告诉grails使用bcrypt算法来散列密码和回合的次数键控的：

  grails.plugins.springsecurity.password.algorithm = 'bcrypt' 
 grails.plugins.springsecurity。 password.bcrypt.logrounds = 16 
   passwordEncoder  bean添加一个依赖注入（ def passwordEncoder ）并将查找更改为
  def handleLogin = {
 
 if（springSecurityService.isLoggedIn（））{
 render（view： ../homepage）
返回
} 
 
高清用户= Registration.findByEmail（params.email）
如果（用户放大器;&安培;！的PasswordEncoder。 （！用户）{
 flash.message =用户密码有效性（user.password，params.password，null））{
 user = null 
} 
 
找不到电子邮件：$ {params.email}
 render（view：../index）
 return 
} 
 
 session.user = user 
 render（view：../homepage）
} 
  
注意您不会在明文提交的密码中为 isPasswordValid  call-pass编码密码。
 
 
 
另外 - 完全无关 - 这是一个坏主意，存储的用户在会话中。身份验证委托人随时可用，并存储用户ID，以便根据需要轻松重新加载用户（例如 User.get（springSecurityService.principal.id））。当你是服务器的唯一用户时，大型的Hibernate对象在开发模式下效果很好，但是可能会大量浪费内存并迫使你解决被断开连接的对象（例如，必须使用 merge 等）。
 
I just added a registration functionality to my new grails project. For testing it, I registered by giving an email and a password. I am using bcrypt algorithm for hashing the password before saving it to the database. 

However when I try to login with the same email and password that I gave while registering, login fails. I debugged the application and found out that the hash that is generated for the same password is different when I try to compare with the already hashed one from database and hence the login is failing (Registration.findByEmailAndPassword(params.email,hashPassd) in LoginController.groovy returns null).

Here's my domain class Registration.groovy:
class Registration {

   transient springSecurityService

   String fullName
   String password
   String email

   static constraints = {
      fullName(blank:false)
      password(blank:false, password:true)
      email(blank:false, email:true, unique:true)
   }

   def beforeInsert = {
      encodePassword()
   }

   protected void encodePassword() {
      password = springSecurityService.encodePassword(password)
   }
}
Here's my LoginController.groovy:
class LoginController {

   /**
    * Dependency injection for the springSecurityService.
    */
   def springSecurityService

   def index = {
      if (springSecurityService.isLoggedIn()) {
         render(view: "../homepage")
      }
      else {
         render(view: "../index")
      }
   }

   /**
    * Show the login page.
    */
   def handleLogin = {

      if (springSecurityService.isLoggedIn()) {
         render(view: "../homepage")
         return
      }

      def hashPassd = springSecurityService.encodePassword(params.password)
      // Find the username
      def user = Registration.findByEmailAndPassword(params.email,hashPassd)
      if (!user) {
         flash.message = "User not found for email: ${params.email}"
         render(view: "../index")
         return
      } else {
         session.user = user
         render(view: "../homepage")
      }
   }
}
Here's a snippet from my Config.groovy telling grails to use bcrypt algorithm to hash passwords and the number of rounds of keying:
grails.plugins.springsecurity.password.algorithm = 'bcrypt'
grails.plugins.springsecurity.password.bcrypt.logrounds = 16

解决方案
Jan is correct - bcrypt by design doesn't generate the same hash for each input string. But there's a way to check that a hashed password is valid, and it's incorporated into the associated password encoder. So add a dependency injection for the passwordEncoder bean in your controller (def passwordEncoder) and change the lookup to
def handleLogin = {

   if (springSecurityService.isLoggedIn()) {
      render(view: "../homepage")
      return
   }

   def user = Registration.findByEmail(params.email)
   if (user && !passwordEncoder.isPasswordValid(user.password, params.password, null)) {
      user = null
   }

   if (!user) {
      flash.message = "User not found for email: ${params.email}"
      render(view: "../index")
      return
   }

   session.user = user
   render(view: "../homepage")
}
Note that you don't encode the password for the isPasswordValid call - pass in the cleartext submitted password.

Also - completely unrelated - it's a bad idea to store the user in the session. The auth principal is readily available and stores the user id to make it easy to reload the user as needed (e.g. User.get(springSecurityService.principal.id). Storing disconnected potentially large Hibernate objects works great in dev mode when you're the only user of your server, but can be a significant waste of memory and forces you to work around the objects being disconnected (e.g. having to use merge, etc.).

                        
这篇关于Bcrypt为相同的输入生成不同的哈希值？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！