I am using Spring 3 and fetching users from a MySQL database.
Currently, in testing, my users have MD5 passwords. I can authenticate with that.
However, we want to be more secure about how we hash passwords. We want:
MD5(username + salt + password)
where salt is a random string stored in the user record. But I can't seem to figure out where/how to do this. This is what I have so far:
UserDao
import java.util.List;

public class UserDao {
    /** Looks up a user row by username; returns null when no row matches (or when the query fails). */
    public static Users findUserByUsername(String paUsername) {
        String hql = "from Users where username = :username";
        List<Users> list = null;
        try {
            IO io = new IO("web"); // custom Hibernate framework
            IOQuery query = new IOQuery();
            query.setStatement(hql);
            // bound parameter: the username is never concatenated into the HQL string
            query.setParameter(new IOParameter("username", paUsername));
            list = io.runQuery(query);
            if (list.isEmpty()) {
                return null;
            }
            return list.get(0);
        } catch (Exception ex) {
            // swallowing every exception makes a database outage look like "user not found"
            return null;
        }
    }
}
UserDetailsServiceImpl
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {
    @Autowired
    private UserDao userDao; // findUserByUsername is static, so the injected instance is never actually used

    @Override
    public UserDetails loadUserByUsername(String paUsername) throws UsernameNotFoundException {
        Users user = userDao.findUserByUsername(paUsername);
        if (user == null) {
            throw new UsernameNotFoundException("User not found");
        }
        // password here is the stored hash; the configured PasswordEncoder compares against it
        return new User(
                user.getUsername(),
                user.getPassword(),
                user.getEnabled(),
                true,   // accountNonExpired
                true,   // credentialsNonExpired
                true,   // accountNonLocked
                getAuthorities(Enums.UserRoles.IT)); // role hard-coded to IT for now
    }

    private Collection<? extends GrantedAuthority> getAuthorities(Enums.UserRoles paRole) {
        return getGrantedAuthorities(getRoles(paRole));
    }

    private List<String> getRoles(Enums.UserRoles paRole) {
        List<String> roles = new ArrayList<>();
        if (paRole.equals(Enums.UserRoles.USER)) {
            roles.add(Enums.UserRoles.USER.name());
        } else if (paRole.equals(Enums.UserRoles.IT)) {
            roles.add(Enums.UserRoles.USER.name());
            roles.add(Enums.UserRoles.IT.name());
        }
        return roles;
    }

    private static List<GrantedAuthority> getGrantedAuthorities(List<String> paRoles) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : paRoles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        return authorities;
    }
}
UserDetailService
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class UserDetailService implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // new-ing the @Service bypasses Spring, so its @Autowired fields stay null;
        // this only works because UserDao.findUserByUsername is static
        return new UserDetailsServiceImpl().loadUserByUsername(username);
    }
}
Security application context
<beans:bean id="loginSuccessHandler" class="com.myapp.security.LoginSuccessHandler" />
<beans:bean id="loginFailureHandler" class="com.myapp.security.LoginFailureHandler" />
<beans:bean id="detailsService" class="com.myapp.security.UserDetailService" />
Any ideas on what I need to do?
Thanks
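One way to plug the MD5(username + salt + password) scheme from the question into Spring Security 3, as an added example rather than code from the question or from either answer. It assumes Spring Security 3.1's legacy `org.springframework.security.authentication.encoding.PasswordEncoder` and `SaltSource` interfaces; the class names `SaltedUser`, `UserRecordSaltSource` and `UsernameSaltMd5Encoder` and the `alice` row are made up for the example. The point is where the salt plugs in: a custom `SaltSource` hands the whole user record (username plus stored salt) to the encoder, so the encoder can rebuild exactly the string that was digested when the row was written, and `DaoAuthenticationProvider` does the comparison. MD5 stays a fast digest, so even salted it can be guessed at billions of candidates per second on a GPU; the bcrypt answer below is the better choice, and this block mainly shows the mechanics.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Collection;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Added example (not the question's code): MD5(username + salt + password) wired into Spring Security 3. */
public class UsernameSaltMd5Example {

    /** UserDetails that also carries the random per-user salt stored in the users row. */
    public static class SaltedUser extends User {
        private final String salt;

        public SaltedUser(String username, String passwordHash, boolean enabled, String salt,
                          Collection<? extends GrantedAuthority> authorities) {
            super(username, passwordHash, enabled, true, true, true, authorities);
            this.salt = salt;
        }

        public String getSalt() { return salt; }
    }

    /** Hands the whole SaltedUser to the encoder, because this scheme needs username AND salt. */
    public static class UserRecordSaltSource implements SaltSource {
        public Object getSalt(UserDetails user) { return user; }
    }

    /** hash = MD5(username + salt + password), via the Spring Security 3 legacy encoder interface. */
    public static class UsernameSaltMd5Encoder implements PasswordEncoder {
        public String encodePassword(String rawPass, Object salt) {
            SaltedUser user = (SaltedUser) salt; // supplied by UserRecordSaltSource
            return md5Hex(user.getUsername() + user.getSalt() + rawPass);
        }

        public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
            byte[] expected = encPass.getBytes(StandardCharsets.UTF_8);
            byte[] actual = encodePassword(rawPass, salt).getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        }
    }

    /** 16 random bytes from SecureRandom, hex encoded; store this in the user's row at registration. */
    public static String newSalt() {
        byte[] bytes = new byte[16];
        new SecureRandom().nextBytes(bytes);
        return toHex(bytes);
    }

    public static String md5Hex(String input) {
        try {
            return toHex(MessageDigest.getInstance("MD5").digest(input.getBytes(StandardCharsets.UTF_8)));
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed user row standing in for the MySQL record: username, salt, hash.
        final String username = "alice";
        final String salt = newSalt();
        final String storedHash = md5Hex(username + salt + "correct horse battery staple");

        UserDetailsService userDetailsService = new UserDetailsService() {
            public UserDetails loadUserByUsername(String name) {
                if (!username.equals(name)) throw new UsernameNotFoundException("User not found: " + name);
                return new SaltedUser(name, storedHash, true, salt, AuthorityUtils.createAuthorityList("USER"));
            }
        };

        // Same wiring as an XML <bean class="...DaoAuthenticationProvider">, done in code for the demo.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setSaltSource(new UserRecordSaltSource());
        provider.setPasswordEncoder(new UsernameSaltMd5Encoder());
        provider.afterPropertiesSet();

        boolean ok = provider.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "correct horse battery staple")).isAuthenticated();
        System.out.println("good password accepted: " + ok);
        try {
            provider.authenticate(new UsernamePasswordAuthenticationToken("alice", "letmein"));
        } catch (BadCredentialsException e) {
            System.out.println("wrong password rejected");
        }
    }
}
```

In the XML from the question this corresponds to setting `saltSource` and `passwordEncoder` on the `DaoAuthenticationProvider` bean and having `UserDetailsServiceImpl` return a `SaltedUser` instead of a plain `User`. New rows must be written with the same concatenation order (username, then salt, then password) or nothing will verify.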
Answer 0 (score: 1)
Here is a snippet of the security configuration my app uses to set up password encoding:
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="authenticationProvider" />
</sec:authentication-manager>
<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsServiceImpl"/>
<property name="passwordEncoder" ref="cryptoPasswordEncoder" />
</bean>
<bean id="cryptoPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
We do not need to set a salt source on DaoAuthenticationProvider, because BCryptPasswordEncoder uses its own.
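An added example, not code from the answer, showing what the BCryptPasswordEncoder wiring above gives you: each hash string carries its own cost factor and 16-byte salt, so hashing the same password twice yields two different strings that both verify, and neither a salt column nor a `saltSource` is needed. It assumes Spring Security 3.1 or later (`org.springframework.security.crypto.bcrypt`); the `alice` record and the helper names `hashForStorage` / `verify` are constructed for the example.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/** Added example (not the answer's code): bcrypt registration, verification and provider wiring. */
public class BcryptWiringExample {

    // Cost 12 => 2^12 key-setup rounds per hash; raise it as hardware gets faster (10 is the default).
    private static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder(12);

    /** Registration: the value written into the users.password column. Salt is generated inside encode(). */
    public static String hashForStorage(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Check outside the authentication provider, e.g. re-confirming the old password on a change-password form. */
    public static boolean verify(String rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    public static void main(String[] args) throws Exception {
        String h1 = hashForStorage("correct horse battery staple");
        String h2 = hashForStorage("correct horse battery staple");
        // "$2a$12$" + 22 salt chars + 31 hash chars: 60 characters, fully self-describing.
        System.out.println(h1);
        System.out.println("different salt each time: " + !h1.equals(h2));
        System.out.println("both verify: " + (verify("correct horse battery staple", h1)
                && verify("correct horse battery staple", h2)));
        System.out.println("wrong password accepted: " + verify("letmein", h1));

        long t0 = System.nanoTime();
        verify("letmein", h1);
        System.out.println("one guess costs about " + (System.nanoTime() - t0) / 1000000L + " ms");

        // Constructed user row; the stored value is the bcrypt string from registration.
        final String storedHash = h1;
        UserDetailsService uds = new UserDetailsService() {
            public UserDetails loadUserByUsername(String name) {
                if (!"alice".equals(name)) throw new UsernameNotFoundException("User not found: " + name);
                return new User(name, storedHash, true, true, true, true,
                        AuthorityUtils.createAuthorityList("USER"));
            }
        };

        // Equivalent of the XML above: userDetailsService + passwordEncoder, and no saltSource.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(uds);
        provider.setPasswordEncoder(ENCODER);
        provider.afterPropertiesSet();
        boolean ok = provider.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "correct horse battery staple")).isAuthenticated();
        System.out.println("provider accepts: " + ok);
    }
}
```

Two caveats worth knowing before switching: bcrypt only looks at the first 72 bytes of the password, and existing MD5 rows cannot be converted to bcrypt without the plaintext, so a migration typically re-hashes each user on their next successful login.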
Answer 1 (score: 0)
Use:
public class PasswordEncoder extends org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder {
    public PasswordEncoder() {
        super("MD5"); // digest algorithm handed to MessageDigest.getInstance
    }

    @Override
    public String encodePassword(String originalPassword, Object salt) {
        // supply salt = username + saltString here
        String encryptedPassword = super.encodePassword(originalPassword, salt);
        return encryptedPassword;
    }
}
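A check worth running before adopting the subclass above, added here and not part of the answer: `MessageDigestPasswordEncoder` does not digest `salt + password`. Its inherited `mergePasswordAndSalt` builds the string `password{salt}` and digests that, so a hash written elsewhere as MD5(username + salt + password) (for example by SQL or an older registration path) will never verify through it, and the same salt object must be passed on every `isPasswordValid` call. The inputs `alice`, `s4lt` and the password are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder;

/** Added example (not the answer's code): what MessageDigestPasswordEncoder actually digests. */
public class MessageDigestSaltLayoutCheck {

    static String md5Hex(String s) throws Exception {
        byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String username = "alice", salt = "s4lt", raw = "correct horse battery staple";
        MessageDigestPasswordEncoder encoder = new MessageDigestPasswordEncoder("MD5");

        // The salt object the answer suggests: username + saltString.
        String produced = encoder.encodePassword(raw, username + salt);

        String questionScheme = md5Hex(username + salt + raw);           // MD5(username + salt + password)
        String springLayout = md5Hex(raw + "{" + username + salt + "}"); // password{salt}, Spring's merge rule

        System.out.println("equals MD5(username + salt + password): " + produced.equals(questionScheme));
        System.out.println("equals MD5(password{username + salt}):  " + produced.equals(springLayout));

        // Verification works only with the identical salt object; a differently built salt fails.
        System.out.println("isPasswordValid, same salt:      " + encoder.isPasswordValid(produced, raw, username + salt));
        System.out.println("isPasswordValid, salt only:      " + encoder.isPasswordValid(produced, raw, salt));
    }
}
```

Because the digest is still plain MD5 over a short string, this subclass inherits MD5's speed: a per-user salt stops precomputed tables but does nothing against a GPU grinding candidates one user at a time, which is the reason the bcrypt answer above does not need this class at all.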