Spring安全盐

发布于 2024-12-14 15:29:05 字数 794 浏览 1 评论 0原文

我试图在添加新用户/密码时添加盐，但文档似乎缺少如何执行此操作。

这是一个基本示例：

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder hash="md5">
            <salt-source user-property="username"/>
        </password-encoder>
    </authentication-provider>
</authentication-manager>

您可以通过示例看到，没有使用自定义盐或自定义密码编码器。

那么，添加新用户/密码时如何连接 Salt？我认为它会是这样的：

@Autowired SaltSource saltSource;
protected void foo(final CustomUser user) {
    final PasswordEncoder encoder = new Md5PasswordEncoder();
    user.setPassword(encoder.encodePassword(user.getPassword(), saltSource));
}

但是，由于我使用默认的盐/密码编码器并且我没有自定义盐 bean，因此自动装配会失败。

有任何线索如何使这项工作有效吗？

原文

I'm trying to add a salt when adding a new user/pwd, but the docs seem to be missing how to do this.

Here's a basic example:

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder hash="md5">
            <salt-source user-property="username"/>
        </password-encoder>
    </authentication-provider>
</authentication-manager>

You can see by the example that neither a custom salt or custom password encoder is used.

So, how would I wire the Salt in when adding a new user/pwd? I'd assume it would be something along the lines of:

@Autowired SaltSource saltSource;
protected void foo(final CustomUser user) {
    final PasswordEncoder encoder = new Md5PasswordEncoder();
    user.setPassword(encoder.encodePassword(user.getPassword(), saltSource));
}

However, since I am using the default salt/password encoders and I don't have a custom salt bean the autowire would fail.

Any clue how to make this work?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

初见 2024-12-21 15:29:05

添加用户时不会自动装配 SaltSource。 SaltSource 是 Spring 使用的一个抽象，用于提供仅用于密码检查的盐源。

要创建正确编码的密码哈希，您只需将盐本身传递给 PasswordEncoder - username 属性的值，而不是 SaltSource

private PasswordEncoder encoder = new Md5PasswordEncoder();

public User createUser(String username, String plainTextPassword) {
    User u = new User();
    u.setUsername(username);
    u.setPassword(encoder.encodePassword(plainTextPassword, username));
    getEntityManager().persist(u); // optional
    return u;
}

： SaltSource 的 autowire 在被定义为内部 bean 之前不会起作用。您可以将 ReflectionSaltSource 定义为顶级 bean，并将其 ID 传递给 password-encoder，即：

<bean id="saltSource"
    class="org.springframework.security.authentication.dao.ReflectionSaltSource"
    p:userPropertyToUse="username" />

<bean id="passwordEncoder" 
    class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />

<bean id="daoAuthenticationProvider"
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"
    p:passwordEncoder-ref="passwordEncoder"
    p:saltSource-ref="saltSource"
    p:userDetailsService-ref="userDetailsService" />

<authentication-manager>
    <authentication-provider ref="daoAuthenticationProvider" />
</authentication-manager>

然后：

@Autowired private PasswordEncoder passwordEncoder;
@Autowired private SaltSource saltSource;

public CustomUserDetails createUser(String username, String plainTextPassword) {
    CustomUserDetails u = new CustomUserDetails();
    u.setUsername(username);
    u.setPassword(passwordEncoder.encodePassword(
            plainTextPassword, saltSource.getSalt(u)));
    getEntityNamager().persist(u); // optional
    return u;
}

You don't autowire the SaltSource when adding user. The SaltSource is an abstraction used by Spring to provide the source of the salt for password checking only.

To create a properly encoded password hash You just past the salt itself to the PasswordEncoder - the value of username property, not the SaltSource:

private PasswordEncoder encoder = new Md5PasswordEncoder();

public User createUser(String username, String plainTextPassword) {
    User u = new User();
    u.setUsername(username);
    u.setPassword(encoder.encodePassword(plainTextPassword, username));
    getEntityManager().persist(u); // optional
    return u;
}

Moreover the autowire of SaltSource won't work until it's defined as an inner bean. You could define the ReflectionSaltSource as top level bean and pass it's ID to the password-encoder, i.e.:

<bean id="saltSource"
    class="org.springframework.security.authentication.dao.ReflectionSaltSource"
    p:userPropertyToUse="username" />

<bean id="passwordEncoder" 
    class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />

<bean id="daoAuthenticationProvider"
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"
    p:passwordEncoder-ref="passwordEncoder"
    p:saltSource-ref="saltSource"
    p:userDetailsService-ref="userDetailsService" />

<authentication-manager>
    <authentication-provider ref="daoAuthenticationProvider" />
</authentication-manager>

And then:

@Autowired private PasswordEncoder passwordEncoder;
@Autowired private SaltSource saltSource;

public CustomUserDetails createUser(String username, String plainTextPassword) {
    CustomUserDetails u = new CustomUserDetails();
    u.setUsername(username);
    u.setPassword(passwordEncoder.encodePassword(
            plainTextPassword, saltSource.getSalt(u)));
    getEntityNamager().persist(u); // optional
    return u;
}

回复收藏 0 原文

~没有更多了~