当前位置: 文江博客话题详情

Symfony2 创建自己的编码器来存储密码

发布于 2024-12-11 18:41:33 字数 1916 浏览 0 评论 0原文

我是 Symfony2 的新手,我可能有一个关于在数据库中编码用户密码的简单问题。

我想以这种方式编码并存储在数据库中我的用户密码:

encoded_password = salt . sha1 ( salt . raw_password )

我找到了各种编码器(sha1、sha512、明文),我看到我的数据库 raw_password{salt} 中有明文,但我仍然对 Symfony2 中的signin/login/getSalt()方法不适应。

如果您可以帮我解决这个问题(请假设我不想使用现有的用户管理包,我想制作自己的包),那就太棒了!

谢谢

编辑:

我可以在我的signinAction()中做到这一点:

$salt = substr(md5(time()),0,10);
$pwd = $encoder->encodePassword($user->getPassword(), $salt);
$user->setPassword($salt.$pwd);

我可以在我的getSalt()中做到这一点:

return substr($this->password,0,10);

但我目前在我的loginAction()中只有这个:(参见这里:http://symfony.com/doc/current/book/security.html

// src/Acme/SecurityBundle/Controller/Main;
namespace Acme\SecurityBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Core\SecurityContext;

class SecurityController extends Controller
{
    public function loginAction()
    {
        $request = $this->getRequest();
        $session = $request->getSession();

        // get the login error if there is one
        if ($request->attributes->has(SecurityContext::AUTHENTICATION_ERROR)) {
            $error = $request->attributes->get(SecurityContext::AUTHENTICATION_ERROR);
        } else {
            $error = $session->get(SecurityContext::AUTHENTICATION_ERROR);
        }

        return $this->render('AcmeSecurityBundle:Security:login.html.twig', array(
            // last username entered by the user
            'last_username' => $session->get(SecurityContext::LAST_USERNAME),
            'error'         => $error,
        ));
    }
}

我如何告诉Symfony2在登录操作期间检查密码我需要吗? (目前正在执行encode(password,salt)而不是salt.encode(password,salt)

原文

I'm new to Symfony2 and I have maybe a simple question about encoding my user passwords in my DB.

I'd like to encode and store in DB my users' password that way:

encoded_password = salt . sha1 ( salt . raw_password )

I've found various encoders (sha1, sha512, plaintext), I saw that with plaintext I have in my DB raw_password{salt} but I'm still not comfortable with signin/login/getSalt() method in Symfony2.

If you could give me a lift on that (please, assume I do not want to use an existing bundle for UserManagement, I'd like to make my own) it would be AWESOME!

Thanks

EDIT:

I could do that in my signinAction():

$salt = substr(md5(time()),0,10);
$pwd = $encoder->encodePassword($user->getPassword(), $salt);
$user->setPassword($salt.$pwd);

I could do that in my getSalt():

return substr($this->password,0,10);

But I currently have only that in my loginAction(): (see here: http://symfony.com/doc/current/book/security.html)

// src/Acme/SecurityBundle/Controller/Main;
namespace Acme\SecurityBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Core\SecurityContext;

class SecurityController extends Controller
{
    public function loginAction()
    {
        $request = $this->getRequest();
        $session = $request->getSession();

        // get the login error if there is one
        if ($request->attributes->has(SecurityContext::AUTHENTICATION_ERROR)) {
            $error = $request->attributes->get(SecurityContext::AUTHENTICATION_ERROR);
        } else {
            $error = $session->get(SecurityContext::AUTHENTICATION_ERROR);
        }

        return $this->render('AcmeSecurityBundle:Security:login.html.twig', array(
            // last username entered by the user
            'last_username' => $session->get(SecurityContext::LAST_USERNAME),
            'error'         => $error,
        ));
    }
}

How can I tell Symfony2 to check the password during the login action the way I need? (curently doing encode(password,salt) and not salt.encode(password,salt)

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

粉红×色少女 2024-12-18 18:41:33

为了简单起见:您必须创建并添加一个新的 Service,添加它到您的包并指定 User 类将使用它。首先,您必须实现自己的密码编码器

namespace Acme\TestBundle\Service;

use Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface;

class Sha256Salted implements PasswordEncoderInterface
{

    public function encodePassword($raw, $salt)
    {
        return hash('sha256', $salt . $raw); // Custom function for password encrypt
    }

    public function isPasswordValid($encoded, $raw, $salt)
    {
        return $encoded === $this->encodePassword($raw, $salt);
    }

}

然后您将添加服务定义,并指定使用您的自定义编码器 User 类。在 TestBundle/Resources/config/services.yml 中,您添加自定义编码器:

services:
    sha256salted_encoder:
        class: Acme\TestBundle\Service\Sha256Salted

并且在 app/config/security.yml 中,您可以将自定义类指定为默认编码器(例如Acme\TestBundle\Entity\User 类):

 encoders:
   Acme\TestBundle\Entity\User:
     id: acme.test.sha256salted_encoder

当然,salt 在密码加密中起着核心作用。盐是唯一的,并为每个用户存储。 User 类可以使用 YAML 注释自动生成(表当然应该包含用户名、密码、salt 等字段),并且应该实现 UserInterface

最后,当您必须创建新的 Acme\TestBundle\Entity\User 时,您可以使用它(控制器代码):

// Add a new User
$user = new User();
$user->setUsername = 'username';
$user->setSalt(uniqid(mt_rand())); // Unique salt for user

// Set encrypted password
$encoder = $this->container->get('acme.test.sha256salted_encoder')
  ->getEncoder($user);
$password = $encoder->encodePassword('MyPass', $user->getSalt());
$user->setPassword($password);

To make it simple: you have to create and add a new Service, add it to your bundle and specity that the User class will use it. First you have to implement your own password encoder:

namespace Acme\TestBundle\Service;

use Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface;

class Sha256Salted implements PasswordEncoderInterface
{

    public function encodePassword($raw, $salt)
    {
        return hash('sha256', $salt . $raw); // Custom function for password encrypt
    }

    public function isPasswordValid($encoded, $raw, $salt)
    {
        return $encoded === $this->encodePassword($raw, $salt);
    }

}

Then you'll add the service definition and you want to specify to use your custom encoder for the class User. In TestBundle/Resources/config/services.yml you add custom encoder:

services:
    sha256salted_encoder:
        class: Acme\TestBundle\Service\Sha256Salted

and in app/config/security.yml you can therefore specify your custom class as default encoder (for Acme\TestBundle\Entity\User class):

 encoders:
   Acme\TestBundle\Entity\User:
     id: acme.test.sha256salted_encoder

Of course, salt plays a central role in password encryption. Salt is unique and is stored for each user. The class User can be auto-generated using YAML annotations (table should - of course - contain fields username, password, salt and so on) and should implement UserInterface.

Finally you can use it (controller code) when you have to create a new Acme\TestBundle\Entity\User:

// Add a new User
$user = new User();
$user->setUsername = 'username';
$user->setSalt(uniqid(mt_rand())); // Unique salt for user

// Set encrypted password
$encoder = $this->container->get('acme.test.sha256salted_encoder')
  ->getEncoder($user);
$password = $encoder->encodePassword('MyPass', $user->getSalt());
$user->setPassword($password);
回复 原文
青春如此纠结 2024-12-18 18:41:33

谢谢gremo,您的代码的最后一个片段有一个小问题,在使用该服务时,我们应该将其名称命名为“sha256salted_encoder”,而不是 acme.test.sha256salted_encoder。
另外

// Add a new User
$user = new User();
$user->setUsername = 'username';
$user->setSalt(uniqid(mt_rand())); // Unique salt for user

// Set encrypted password
$encoder = $this->container->get('security.encoder_factory')
  ->getEncoder($user);
$password = $encoder->encodePassword('MyPass', $user->getSalt());
$user->setPassword($password);

首先我们会调用安全编码器,然后我们会发现

sha256salted_编码器

和该服务将会很有用。

一切顺利

Thank you gremo, There's a small problem in the last snippet of your code, when using the service we should put it's name "sha256salted_encoder" and not acme.test.sha256salted_encoder.
in addition

// Add a new User
$user = new User();
$user->setUsername = 'username';
$user->setSalt(uniqid(mt_rand())); // Unique salt for user

// Set encrypted password
$encoder = $this->container->get('security.encoder_factory')
  ->getEncoder($user);
$password = $encoder->encodePassword('MyPass', $user->getSalt());
$user->setPassword($password);

first of all we will call the security encoder, then we will find

sha256salted_encoder

and the service will be useful.

All the best

回复 原文
甜点 2024-12-18 18:41:33

基本上,您应该/必须仅使用 bcrypt 编码器将密码安全地存储到数据库中。

原因如下:

http://dustwell.com/how-to-handle-passwords -bcrypt.html

http://adambard.com/blog/3-wrong-ways-to-store-a-password/

要配置此编码器,您应该编辑 security.yml 文件

security:
    encoders:
        Symfony\Component\Security\Core\User\UserInterface: bcrypt

此编码器用于在 UserPasswordEncoder 类中,可以在这里找到:Symfony\Component\Security\Core\Encoder

Basically, you should / must only use the bcrypt encoder to safely store password into your database.

here is why:

http://dustwell.com/how-to-handle-passwords-bcrypt.html

http://adambard.com/blog/3-wrong-ways-to-store-a-password/

To configure this encoder you should edit your security.yml file

security:
    encoders:
        Symfony\Component\Security\Core\User\UserInterface: bcrypt

This encoder is used inside the UserPasswordEncoder class which can be found here: Symfony\Component\Security\Core\Encoder

回复 原文
~没有更多了~

关于作者

夜血缘

暂无简介

0 文章
0 评论
1015 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

已经忘了多久

文章 0 评论 0

15867725375

文章 0 评论 0

LonelySnow

文章 0 评论 0

走过海棠暮

文章 0 评论 0

轻许诺言

文章 0 评论 0

信馬由缰

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文