发布弹簧安全密码 [英] Issue in encoding password with spring security
问题描述
这是我对密码进行编码的方法:
字符串encodePassword(字符串密码){
返回springSecurityService.encodePassword(密码)
}
并像那样使用
log.debug encodePassword(mkb)
log.debug encodePassword(mkb)
log.debug encodePassword(mkb)
我编码相同的密码几次,每次获得不同的编码密码。
logs:
$ 2a $ 10 $ h8T4BxgOeozmH / VSPJl7NeTaF2P0iONpSdqDN7dDFFAG.sy8WG / 8K
$ 2a $ 10 $ a7qybaiLF / eNrTSwFohjkezNaJTTDdMEinRYKjxDzEt.OoxaIgFOu
$ 2a $ 10 $ nZVhUT0QTmmbtt22CPtM..cLxU252RGBIMkd5aSd2AFXNTNLQ。/ 6u
<这很好。看起来您使用的是BCrypt密码哈希,每次您对密码进行编码时,此算法都会使用随机盐(其他哈希算法使用盐源属性,如id)。这个salt被前置为哈希
所以你有:
- salt版本
$ 10
$ h8T4BxgOeozmH / VSPJl7NeTaF2P0iONpSdqDN7dDFFAG.sy8WG / 8K
- salt + hash的Base64,salt前24个字符,hash取其余部分:
h8T4BxgOeozmH / VSPJl7NeTaF
- salt
2P0iONpSdqDN7dDFFAG.sy8WG / 8K
查看Spring Security的BCrypt资源: https://github.com/spring-projects/spring-security/blob/master/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
如果您需要手动检查用户密码,您必须使用 passwordEncoder
,例如:
//依赖注入
def passwordEncoder
//验证
String enteredPassword = params.password
User user =。 ..
if(!passwordEncoder.isPasswordValid(user.password,enteredPassword,null)){//验证原始密码对散列
// ...输入错误密码
}
I am using grails 2.3.0 and facing the weird issue when encoding the password with spring security:
This is my method to encode password:
String encodePassword(String password) {
return springSecurityService.encodePassword(password)
}
and using like that
log.debug encodePassword("mkb")
log.debug encodePassword("mkb")
log.debug encodePassword("mkb")
I am encoding the same password several times and each time I am getting the different encoded password.
logs:
$2a$10$h8T4BxgOeozmH/VSPJl7NeTaF2P0iONpSdqDN7dDFFAG.sy8WG/8K
$2a$10$a7qybaiLF/eNrTSwFohjkezNaJTTDdMEinRYKjxDzEt.OoxaIgFOu
$2a$10$nZVhUT0QTmmbtt22CPtM..cLxU252RGBIMkd5aSd2AFXNTNLQ./6u
That's fine. Looks like you're using BCrypt password hash, this algorithm uses random salt each time you encode password (other hashing algorithms use a 'salt source property', like id). This salt is prepended to hash
So you have:
$2a
- salt version$10
- rounds$h8T4BxgOeozmH/VSPJl7NeTaF2P0iONpSdqDN7dDFFAG.sy8WG/8K
- Base64 for salt+hash, where salt get first 24 characters, and hash takes the rest:h8T4BxgOeozmH/VSPJl7NeTaF
- salt2P0iONpSdqDN7dDFFAG.sy8WG/8K
- hash (10 rounds for salt + password)
See Spring Security's BCrypt sources: https://github.com/spring-projects/spring-security/blob/master/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
If you need to check user password manually, you have to use passwordEncoder
, like:
//dependency injection
def passwordEncoder
//validate
String enteredPassword = params.password
User user = ...
if (!passwordEncoder.isPasswordValid(user.password, enteredPassword, null)) { //validates raw password against hashed
//... wrong password entered
}
这篇关于发布弹簧安全密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!