验证 grails 中的加密密码
在 grails 中,我可以将密码字段设置为最小大小限制为 5(任意)。问题是我使用 spring security 服务对我的密码进行编码,并且无论我输入什么值,编码/加密的密码都比 5 个字符长得多。
另一个论坛回复建议在 save 方法中进行验证。还有其他人解决过这个问题并且知道解决方法吗?
Spring security 不提供解码方法(可能是出于安全目的)...所以我想一个想法是获得一个不同的密码编码器,可以解码密码以用于验证目的...但我的直觉说 spring security 留下了这个有充分的理由,也许我也应该......
static constraints = {
username(blank: false, unique: true)
password(minSize: 5, blank: false, unique: true,
validator: { passwd, user ->
return passwd != user.username
})
passwordRepeat(nullable: false,
validator: { passwd2, user ->
return passwd2 == user.password
})
}
所以我使用静态约束来验证,因为大多数其他变量都是以这种方式验证的。
我对不可读的评论表示歉意。
谢谢你, -Asaf
编辑:我认为一个简单的修复方法如上所述,在保存方法中进行验证(在加密之前),但我只是觉得某个地方的某个人之前必须处理过这个问题。我的意思是,有很多网站需要密码,如果密码太短,如果密码不包含小写和大写字母,如果密码没有符号,它们就会对你大喊大叫……他们都是如何做各种事情的?他们使用的验证方法?
In grails I can set the password field to have a minimum size constraint of 5 (arbitrary). The problem is that I use spring security service to encode my password and the encoded/encrypted password is much longer than 5 characters almost no matter what value I put in.
Another forum response suggested doing that validation in the save method. Has anyone else tackled this problem and knows a way around it?
Spring security does not provide a decode method (probably for security purposes)... so I guess one idea would be to get a different password encoder that could decode the password for validation purposes... but my instinct says that spring security leaves this out for a good reason and maybe I should too...
static constraints = {
username(blank: false, unique: true)
password(minSize: 5, blank: false, unique: true,
validator: { passwd, user ->
return passwd != user.username
})
passwordRepeat(nullable: false,
validator: { passwd2, user ->
return passwd2 == user.password
})
}
So I'm using the static constraints to validate as most other variables are validated this way.
My apologies for the unreadable comment.
Thank you,
-Asaf
Edit: I think a simple fix is as mentioned above, doing the validation in the save method (before encryption), but I just feel like someone somewhere must have had to deal with this issue before. I mean there's so many websites that require passwords and that yell at you if it's too short, if it doesn't contain both lowercase and uppercase letters, if it doesn't have a symbol... How do all of them do the various validation methods they use?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
你无法解码 Spring Security 编码的内容...那就是 md5 或 sha-256 !这正是加密过程的目的。那么,即使数据库文件被盗,你也无法知道密码是多少。
为了验证密码,你需要提示用户输入明确的密码(请以https传输),然后使用相同的算法对其进行编码。然后,您必须将其与存储的编码密码进行比较
使用类 DigestUtils 使用第一次使用的相同算法对您收到的密码进行编码。这是一个 Spring Security 配置
grails.plugins.springsecurity.password.algorithm是的,您必须在保存之前进行验证...为此,我们在 Bootstrap 中添加了一个元类,
以具有一个独特的点在保存密码之前验证我们的密码
you can't decode what Spring Security encodes... That's md5 or sha-256 !!! That's exactly the purpose of the crypting process. Then, you can't know what's the password even if the databases files are stolen
To validate passwords, you need to prompt the user for a clear one, (transmit in https, please) and then encode it with the same algorithm. Then, you have to compare it to the encoded password you stored
Use the class DigestUtils to encode your received password with the same algorithm used the first time. This is a Spring Security Config
grails.plugins.springsecurity.password.algorithmAnd yes, you have to validate before saving... For that we have added a metaclass in Bootstrap
to have a unique point from which validating our passwords before saving them