Spring Security 3: Salting password issue


Problem description


I have got a simple application made in which I am able to register users and authenticate them. I've got the passwords encoded using and successfully able to authenticate them. I am using Spring 3, Spring Security 3 and Hibernate 3 in my application.

Now I want to salt their passwords with the ID of the user but I am not able to achieve this functionality. Could someone help me achieve it? I've been trying to do it for quite some time but ain't able to get it done.

Here is the code I've got for salting users with their ID and authenticating them.

xyz-security.xml

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/welcome.do" access="hasRole('ROLE_USER')" /> 
    <form-login login-page="/login.do" authentication-failure-url="/login.do?login_error=1"/>       
    <logout invalidate-session="true" logout-url="/logout" logout-success-url="/"/>
</http>

<beans:bean id="daoAuthenticationProvider"  class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>

<beans:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <beans:property name="providers">
        <beans:list>
            <beans:ref local="daoAuthenticationProvider" />
        </beans:list>
    </beans:property>
</beans:bean>

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder ref="passwordEncoder">                
            <salt-source ref="saltSource"/>
            </password-encoder>
    </authentication-provider>
</authentication-manager>

<!-- For hashing and salting user passwords -->
<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource"
    p:userPropertyToUse="id"/>

UserDetailsAdapter.java

@Service("userDetailsAdapter")
public class UserDetailsAdapter {   

    private Long id;

    org.springframework.security.core.userdetails.User buildUserFromUserEntity(User userEntity) {
        String username = userEntity.getUsername();
        String password = userEntity.getPassword();
        boolean enabled = userEntity.isEnabled();
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        boolean accountNonLocked = true;

        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String authority: userEntity.getAuthorities()) {

            authorities.add(new GrantedAuthorityImpl(authority));
        }

        this.id = userEntity.getId();

        org.springframework.security.core.userdetails.User user = new org.springframework.security.core.userdetails.User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
        return user;
    }

    public Long getId() {
        return id;
    }

}

UserDetailsServiceImpl

@Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserDao userDao;

    @Autowired
    private UserDetailsAdapter userDetailsAdapter;

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        UserDetails userDetails = null;
        User userEntity = userDao.findByUsername(username);

        if (userEntity == null) {
          throw new UsernameNotFoundException("user not found");
        }
        userDetails = userDetailsAdapter.buildUserFromUserEntity(userEntity);

        return userDetails;
    }
}

UserServiceImpl

@Service
public class UserServiceImpl implements UserService {

    @Autowired
    private UserDao userDao;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Autowired
    private SaltSource saltSource;

    public User getByUsername(String username) {
        return userDao.findByUsername(username);
    }

    public User getByEmail(String email) {
        return userDao.findByEmail(email);
    }

    public void createUser(User user) {
        userDao.create(user);

        UserDetailsAdapter userDetailsAdapter = new UserDetailsAdapter();
        org.springframework.security.core.userdetails.User userDetails =  userDetailsAdapter.buildUserFromUserEntity(user);
        String password = userDetails.getPassword();
        Object salt = saltSource.getSalt(userDetails);
        user.setPassword(passwordEncoder.encodePassword(password, salt));
        userDao.update(user);

    }

    public void updateUser(User user) {
        userDao.update(user);
    }
}

Could someone help me understand what am I missing here? Many thanks.

Solution

ReflectionSaltSource extracts a salt from the instance of UserDetails. But you use org.springframework.security.core.userdetails.User as an implementation of UserDetails, and it doesn't have a property named id (instead of that you have this property in UserDetailsAdapter, that doesn't make sense, since UserDetailsAdapter is a singleton).

So, you need to create a subclass of org.springframework.security.core.userdetails.User with id property, and return it from your UserDetailsAdapter.
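
The change the answer describes, as an added example (not code from the original answer): a `UserDetails` subclass that carries the id, returned by the adapter. `SaltedUser` is a hypothetical name; `User` in the method signature is the question's own entity class, assumed to be in the same package.

```java
import java.util.ArrayList;
import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.stereotype.Service;

@Service("userDetailsAdapter")
public class UserDetailsAdapter {

    // Hypothetical class name. Per-user state lives on the UserDetails object,
    // not on the singleton adapter, so concurrent logins cannot overwrite it.
    public static class SaltedUser
            extends org.springframework.security.core.userdetails.User {

        private final Long id;

        public SaltedUser(Long id, String username, String password, boolean enabled,
                          Collection<? extends GrantedAuthority> authorities) {
            // account non-expired, credentials non-expired, account non-locked
            super(username, password, enabled, true, true, true, authorities);
            this.id = id;
        }

        // Read reflectively by ReflectionSaltSource with userPropertyToUse="id".
        public Long getId() {
            return id;
        }
    }

    // "User" here is the question's own entity class (same package assumed).
    SaltedUser buildUserFromUserEntity(User userEntity) {
        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String authority : userEntity.getAuthorities()) {
            authorities.add(new GrantedAuthorityImpl(authority));
        }
        return new SaltedUser(userEntity.getId(), userEntity.getUsername(),
                userEntity.getPassword(), userEntity.isEnabled(), authorities);
    }
}
```

The same object type is then seen by `saltSource.getSalt(userDetails)` at registration and by the authentication provider at login, so both sides derive the salt from the same `getId()` value. The entity still has to be persisted before hashing, as the question's `createUser` already does, because the id must exist before it can be used as the salt.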
