Problem description
I have a simple Spring Security webapp with password encoding:
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="personService">
        <security:password-encoder hash="md5" ref="passwordEncoder">
            <!-- <security:salt-source user-property="username"/> -->
        </security:password-encoder>
    </security:authentication-provider>
</security:authentication-manager>
Encoding is also simple:
person.setPassword(encoder.encodePassword(person.getPassword(), null));
So in the database all passwords will be encoded. Now I want to authenticate a user with a certain username within the application. Before (when passwords were in plaintext) it was like this:
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
Authentication authentication = authenticationManager.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(authentication);
But now I get the encoded password from the DB and can't do authentication as before.
The problem is that Spring doesn't know that the password coming from the UsernamePasswordAuthenticationToken is already encoded, and it encodes it a second time. Who can help?
Edit
So I see two solutions here:
- Implement a custom DaoAuthenticationProvider and add a check there for whether both passwords are already hashed
- Implement a custom Authentication and put it in the security context manually
Any others? What is the best?
Recommended answer
You haven't actually said what goes wrong, but the authentication code should be exactly the same as for the non-hashed version.
If you have a hashed password in the database and the corresponding encoder injected into the authentication provider, the password supplied by the user will be hashed by the encoder before comparing it with the database version.
Check that:
- you are using the hashed password value when creating the UsernamePasswordAuthenticationToken
- the value in the database really is the same as the hash produced by the encoder. Load it yourself and check it in a test. The database might be storing it in upper case, for example.
Also, you should probably choose something better than plain MD5. You might want to look at bcrypt, for example, which is supported in Spring Security 3.1 and automatically uses a random salt value.
Update
Your suggestion of creating a provider which accepts hashed passwords is not a good one. This would allow anyone who steals a password hash to authenticate with it directly (thus defeating the purpose of hashing in the first place).
Just validate your email URL links, load the information for that user and create an Authentication object for them:
UserDetails user = ... // load user here
Authentication a = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(a);
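As an added example (not code from the question or the answer), the two login paths the answer describes side by side for Spring Security 3.x: normal password login, where the raw password goes through the AuthenticationManager and the configured encoder does the hashing, and email-link login, where no password is involved and an already-authenticated token is placed in the context. The LoginService class, its constructor arguments and the assumption that the email link token was validated elsewhere are mine; the diagnostic at the end is the hash comparison the answer suggests checking in a test.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

// Hypothetical service wired with the same beans as the XML config in the question.
public class LoginService {

    private final AuthenticationManager authenticationManager;
    private final UserDetailsService userDetailsService;
    // Same legacy encoder that hash="md5" selects; stored values are lowercase hex MD5.
    private final Md5PasswordEncoder encoder = new Md5PasswordEncoder();

    public LoginService(AuthenticationManager authenticationManager, UserDetailsService userDetailsService) {
        this.authenticationManager = authenticationManager;
        this.userDetailsService = userDetailsService;
    }

    // Password login: pass the RAW password. DaoAuthenticationProvider hashes it with the
    // injected encoder and compares it to the stored hash, so hashing it here would hash it twice.
    public Authentication loginWithPassword(String username, String rawPassword) {
        Authentication request = new UsernamePasswordAuthenticationToken(username, rawPassword);
        Authentication result = authenticationManager.authenticate(request); // throws AuthenticationException on failure
        SecurityContextHolder.getContext().setAuthentication(result);
        return result;
    }

    // Email-link login (assumes the link token was already validated by the caller): no password
    // and no provider involved. The three-argument constructor marks the token as authenticated.
    public Authentication loginFromVerifiedEmailLink(String username) {
        UserDetails user = userDetailsService.loadUserByUsername(username);
        Authentication a = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(a);
        return a;
    }

    // Test-time diagnostic from the answer: does the stored value really equal what the encoder
    // produces? The comparison is case-sensitive, so a database that upper-cases the column will
    // fail here even though the raw password is right.
    public boolean storedHashMatches(String storedHash, String rawPassword) {
        return encoder.isPasswordValid(storedHash, rawPassword, null);
    }
}
```

If you follow the answer's bcrypt advice, BCryptPasswordEncoder (org.springframework.security.crypto.bcrypt) implements the newer PasswordEncoder interface, so the diagnostic becomes encoder.matches(rawPassword, storedHash) instead of isPasswordValid.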