spring security encode password with bcrypt algorithm


Problem description




I get something strange... in Spring Security for encoding passwords..

I am trying to change my password and save it to the database.. but I always get an error because of a different string..

Like this..

In the controller..

println "password  = "+oldPass
println "password 1 = "+springSecurityService.encodePassword('password')
println "password 2 = "+springSecurityService.encodePassword('password')
println "password  = "+springSecurityService.encodePassword(oldPass)

and this output

It's strange... every time I encodePassword, I get a different result.

I am using Grails 3.0.5 and the bcrypt algorithm

grails.plugin.springsecurity.password.algorithm = 'bcrypt'

I put this line in application.groovy

like this

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.akiong.security.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.akiong.security.UserRole'
grails.plugin.springsecurity.authority.className = 'com.akiong.security.Role'
grails.plugin.springsecurity.requestMap.className = 'com.akiong.security.RequestMap'
grails.plugin.springsecurity.securityConfigType = 'Requestmap'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':                ['permitAll'],
    '/error':           ['permitAll'],
    '/index':           ['permitAll'],
    '/index.gsp':       ['permitAll'],
    '/shutdown':        ['permitAll'],
    '/assets/**':       ['permitAll'],
    '/**/js/**':        ['permitAll'],
    '/**/css/**':       ['permitAll'],
    '/**/images/**':    ['permitAll'],
    '/**/favicon.ico':  ['permitAll']
]
grails.plugin.springsecurity.password.algorithm = 'bcrypt'

But when I create a user account with bootstrap and save it to the database.. then I log in... it runs correctly..

Solution

It's a feature. bcrypt uses a random salt, so each time it generates a different hash even for the same password.

If you want to check if the entered password is valid, you need to use passwordEncoder.isPasswordValid for Grails, like:

assert passwordEncoder.isPasswordValid( 
       '$2a$10$Qb7ENpWOSsFUS2UvwT1BRefZhn55roXPgUI8fjJRm6c/nR3JIQP8a',
       'password', null)
assert passwordEncoder.isPasswordValid(
       '$2a$10$sC3.yrmNn2VLS2Aer359rei/DxoLlwFq7s6ndAHm10ncyQpIr3MfO',
       'password', null)

or for plain Spring Security passwordEncoder.matches:

assert passwordEncoder.matches('password', 
       '$2a$10$Qb7ENpWOSsFUS2UvwT1BRefZhn55roXPgUI8fjJRm6c/nR3JIQP8a')
assert passwordEncoder.matches('password', 
       '$2a$10$sC3.yrmNn2VLS2Aer359rei/DxoLlwFq7s6ndAHm10ncyQpIr3MfO')

To autowire the passwordEncoder bean, just define it as a property of your class:

def passwordEncoder
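
As an added example (not code from the question or the answer), this Groovy script reads the salt embedded in each of the two hashes quoted above and builds a change-password check on matches() instead of string comparison. It assumes spring-security-crypto and commons-logging are on the classpath, uses BCryptPasswordEncoder directly as a stand-in for the injected passwordEncoder bean, and parse and changePassword are hypothetical helpers.

```groovy
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
import java.util.regex.Pattern

// Assumption: spring-security-crypto (plus commons-logging) is on the classpath.
def encoder = new BCryptPasswordEncoder()

// bcrypt string layout: $<version>$<cost>$<22-char salt><31-char digest>
def BCRYPT = Pattern.compile('^\\$(2[abxy]?)\\$(\\d{2})\\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$')
def parse = { String hash ->
    def m = BCRYPT.matcher(hash)
    if (!m.matches()) throw new IllegalArgumentException('not a bcrypt hash')
    [version: m.group(1), cost: m.group(2).toInteger(), salt: m.group(3)]
}

// The two hashes quoted in the answer: same version and cost, different salts.
def a = parse('$2a$10$Qb7ENpWOSsFUS2UvwT1BRefZhn55roXPgUI8fjJRm6c/nR3JIQP8a')
def b = parse('$2a$10$sC3.yrmNn2VLS2Aer359rei/DxoLlwFq7s6ndAHm10ncyQpIr3MfO')
assert a.version == '2a' && a.cost == 10 && b.cost == 10
assert a.salt == 'Qb7ENpWOSsFUS2UvwT1BRe' && b.salt == 'sC3.yrmNn2VLS2Aer359re'

// Hypothetical helper: returns the new hash to store, or null if oldPass is wrong.
def changePassword = { String storedHash, String oldPass, String newPass ->
    encoder.matches(oldPass, storedHash) ? encoder.encode(newPass) : null
}

// Constructed sample value standing in for the password column in the database.
String stored = encoder.encode('password')

// Re-encoding draws a fresh salt, so comparing encoded strings always fails.
String again = encoder.encode('password')
assert again != stored
assert parse(again).salt != parse(stored).salt

// matches() re-hashes the candidate with the salt read from the stored hash.
assert encoder.matches('password', stored)
assert encoder.matches('password', again)

// Change-password flow: verify the old password first, then store a new hash.
assert changePassword(stored, 'wrong-guess', 'n3w-pass') == null
String updated = changePassword(stored, 'password', 'n3w-pass')
assert encoder.matches('n3w-pass', updated)
assert !encoder.matches('password', updated)
```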
