Guide to implementing Spring Security password recovery with dynamic URL sent to email


Question

I found it very difficult to do password recovery, since I've never done it before.

So far I have web app which has:

Spring Security, where password is properly hashed and user roles implemented and work correctly.

The strategy hinted at by research on stackoverflow:

  1. User hits forgot-password button, where he enters his email address.
  2. Dynamic link is sent to email address
  3. User opens link in email address
  4. Which redirects him to password reset page

Unknowns:

  • How to give the link its dynamic nature - methods of generation
  • Link has a timeout - some questions were found here, but they often involve a custom handler or an extension of Spring Security functionality
  • Request mapping methods to respond to such a dynamic link
  • Temporary link storage methods - database, session, etc.?

As you can see, the list is quite severe for a single question, so I was hoping you might be able to provide guide resources on how to do it step by step. I was a little surprised I could not find much on this in the Spring Security documentation. Thanks.

I am a student, so I don't really know the industry best practices for doing this, especially in the context of Java, so I really hope someone will be able to help.

Answer

The problem doesn't really have much to do with Spring Security. Provided you know the structure of the user database and the password encoder used, it's really just implementing a workflow involving data access, web controllers and sending an email. The link should contain a random token string (use SecureRandom and a base64 encoder, for example), and it should be stored in a database with the userId and a timestamp (for validating the window within which the link is valid). The controller would simply extract the token from the incoming request and load the data from the database using the token. It would check the timestamp and then forward the user to a password entry form. Depending on requirements, you might also want them to answer some other security questions too. You'd then validate and encode the password and store it in the account matching the userId stored in the reset link table. It would also make sense to have a batch job running to remove expired links from the database.

The Grails Spring Security UI plugin already has a forgot password option which you can either use directly or use as a reference.
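The workflow the answer describes, written out as an added example (this is not code from the question, the answer, Spring Security or the Grails plugin). It is plain JDK Java (17+ for the record type): `PasswordResetTokenService` is a hypothetical class name, the `ConcurrentHashMap` stands in for the "reset link" database table, the `Duration` is the validity window the answer mentions, and `https://example.invalid/reset?token=` is a placeholder for your own reset URL. Two details go beyond the answer and are my additions: the table stores a SHA-256 hash of the token rather than the token itself, so a leaked or logged table cannot be replayed, and a token is removed on first use so the same link cannot reset the password twice.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical reset-token service; the map stands in for the reset-link table. */
public class PasswordResetTokenService {

    /** One row of the reset-link table: the requesting user and when the link expires. */
    record ResetRecord(long userId, Instant expiresAt) {}

    private final SecureRandom random = new SecureRandom();
    private final Duration validity;
    // Keyed by SHA-256 of the token, never the raw token (my addition to the answer's design).
    private final Map<String, ResetRecord> store = new ConcurrentHashMap<>();

    public PasswordResetTokenService(Duration validity) {
        this.validity = validity;
    }

    /** Step 2: create the random token embedded in the emailed link. The raw token is returned once. */
    public String issueToken(long userId, Instant now) {
        byte[] bytes = new byte[32];                       // 256 bits from SecureRandom
        random.nextBytes(bytes);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes); // URL-safe
        store.put(sha256(token), new ResetRecord(userId, now.plus(validity)));
        return token;
    }

    /** Builds the link the mail sender puts in the message. Placeholder host. */
    public static String resetLink(String token) {
        return "https://example.invalid/reset?token=" + token;
    }

    /** Steps 3-4: the controller passes the token from the request; returns the userId if still valid. */
    public Optional<Long> consumeToken(String token, Instant now) {
        ResetRecord rec = store.remove(sha256(token));     // single use: gone after this call
        if (rec == null || now.isAfter(rec.expiresAt())) {
            return Optional.empty();                       // unknown, already used, or expired
        }
        return Optional.of(rec.userId());
    }

    /** The batch job from the answer: drop rows whose window has passed. Returns how many were removed. */
    public int purgeExpired(Instant now) {
        int before = store.size();
        store.values().removeIf(r -> now.isAfter(r.expiresAt()));
        return before - store.size();
    }

    private static String sha256(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.US_ASCII));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JDK", e);
        }
    }

    public static void main(String[] args) {
        PasswordResetTokenService svc = new PasswordResetTokenService(Duration.ofMinutes(30));
        Instant now = Instant.now();

        String token = svc.issueToken(42L, now);           // user 42 clicked "forgot password"
        System.out.println("mail this: " + resetLink(token));

        // Controller receives the link within the window: user 42 may set a new password.
        System.out.println(svc.consumeToken(token, now.plus(Duration.ofMinutes(5)))); // Optional[42]
        // Same link again: already consumed.
        System.out.println(svc.consumeToken(token, now.plus(Duration.ofMinutes(6)))); // Optional.empty

        // A link opened after the window is rejected, and the batch job cleans up leftovers.
        String stale = svc.issueToken(7L, now);
        System.out.println(svc.consumeToken(stale, now.plus(Duration.ofHours(2))));   // Optional.empty
        svc.issueToken(8L, now);
        System.out.println("purged: " + svc.purgeExpired(now.plus(Duration.ofHours(2)))); // purged: 1
    }
}
```

In a Spring MVC application the two request mappings the question asks about would wrap this: a `POST` handler for the forgot-password form that looks up the user by email, calls `issueToken` and mails `resetLink(token)`, and a `GET` handler for `/reset` that calls `consumeToken` with the `token` request parameter and, only if it returns a userId, shows the password entry form. The new password is then encoded with the same `PasswordEncoder` bean the application already uses for login and saved to that userId's account, as the answer describes.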
