我正在使用Java EE,Spring安全框架和Oracle 11g数据库开发应用程序。我需要在Spring安全性中添加MD5哈希,但我还没有成功。
到目前为止我做了什么:
1 - 在最初几周,我尝试将md5哈希添加到我的应用程序中,而不向springsecuritycontext.xml添加任何代码,我成功了。
这就是我所做的:
在名为ma.dyaralmansour.zkgui.policy的包中有两个类。第一个叫做PolicyManager,这个类实现了spring-security UserDetailService。第二个叫做LoginLoggingPolicyService,这个类作为一个方面从Spring AOP调用,用于记录。
所以这就是我所做的:
*** I added an MD5Password class to the ma.dyaralmansour.zkgui.policy and I added some code to the PolicyManager class to activate the hash and it's working.
我现在的问题是:
我的所有密码都使用MD5哈希进行哈希处理,但是当我使用普通密码时,我无法再访问该应用程序。
现在我有2个选项,但我不知道如何实现它们:
1-在MD5password类中有一个名为testPassword的方法(String clearTextTestPassword,String encodedActualPassword)
它将普通密码与存储在数据库中的散列密码进行比较,但我无法理解如何将其添加到我的policymanager类中。
2 - 完全删除我所做的所有事情,只关注Spring安全性的配置,以便在使用普通密码时散列密码并访问应用程序。
或者还有其他解决方案吗?
http://www.mediafire.com/download/gxgda63wyhkpehn/DamPromoZK4.rar
<!-- Spring namespace-based configuration -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:zksp="http://www.zkoss.org/2008/zkspring"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">
<!-- Enable the @Secured annotation to secure service layer methods -->
<global-method-security secured-annotations="enabled" />
<http auto-config="true">
<!-- ### If we have our own LoginPage. So we must ### -->
<!-- ### tell Spring the name and the place. ### -->
<!-- ### In our case we take the same page ### -->
<!-- ### for a error message by a failure. ### -->
<!-- ### Further the page after a successfully login. ### -->
<form-login login-page="/index.zul"
authentication-failure-url="/index.zul?login_error=1"
default-target-url="/AccueilIntranet.zul" />
<!-- ### Tell Spring where it goes after logout. ### -->
<!-- ### logout-url is a action url. ### -->
<logout logout-url="/j_spring_logout" logout-success-url="/index.zul" />
<!-- ### Define the pages that are to be intercepted ### -->
<!-- ### It is parsed from top to bottom. Means that ### -->
<!-- ### the most specific pattern is standing on TOP ### -->
<!-- ### and the CATCH ALL is on BOTTOM! ### -->
<intercept-url pattern="/pages/**" access="IS_AUTHENTICATED_REMEMBERED" filters="none" />
<intercept-url pattern="/WEB-INF/pages/**" access="IS_AUTHENTICATED_REMEMBERED" filters="none"/>
<!-- ### The root page is accessible by everyone but ### -->
<!-- ### internally spring makes a login and ### -->
<!-- ### this user becames a UserDetails ### -->
<!-- ### (in there are the ip-address and others) ### -->
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none"/>
<!-- ### Per user one session !! ### -->
<concurrent-session-control max-sessions="1" />
</http>
<!-- ### We define the kind of authentification with a ### -->
<!-- ### so called authentication-provider ### -->
<!-- ### So we have our users stored in a DB we use ### -->
<!-- ### our own user-service class and point to her. ### -->
<authentication-provider user-service-ref="myUserDetailsService">
</authentication-provider>
<!-- ### The Implementation of the Interface ### -->
<!-- ### UserDetailService for the logged in ### -->
<!-- ### user and his rights ### -->
<beans:bean id="myUserDetailsService" class="ma.dyaralmansour.zkgui.policy.PolicyManager">
<beans:property name="userService" ref="userService" />
</beans:bean>
<authentication-provider user-service-ref="myUserDetailsService">
<password-encoder hash="md5"/>
</authentication-provider>
<!-- ### This aspect call automatically the methode ### -->
<!-- ### 'loginLogging' which is for writing a log for ### -->
<!-- ### all successfully and failed logins, if a ### -->
<!-- ### methode is called that handles the ### -->
<!-- ### Authentication. ### -->
<beans:bean id="LoginLoggingPolicyService"
class="ma.dyaralmansour.zkgui.policy.LoginLoggingPolicyService">
<beans:property name="loginLoggingService" ref="loginLoggingService" />
</beans:bean>
<aop:config>
<aop:aspect id="LoginLoggingAspect" ref="LoginLoggingPolicyService">
<aop:pointcut id="authPointcut"
expression="execution(public org.springframework.security.Authentication org.springframework.security.providers.AuthenticationProvider.authenticate(org.springframework.security.Authentication))" />
<aop:around pointcut-ref="authPointcut" method="loginLogging" />
</aop:aspect>
</aop:config>
</beans:beans>
答案 0 :(得分:3)
使用新的BCryptPasswordEncoder:
它会自动为您密码。
我推荐BCrypt,因为它很强大,速度慢,并且没有已知的弱点。 “慢度”实际上是您在散列算法中所需的功能,因为这意味着如果有人窃取您的密码需要更长的时间才能破解。
SHA 256被削弱了。 MD5肯定是坏了。
答案 1 :(得分:2)
你为什么要重新发明轮子? Spring Security支持开箱即用的密码散列,这只是一个配置问题。您UserDetailService的自定义实现必须只返回为用户名找到的用户(不检查密码或其他内容)。然后,Spring Security将使用配置的哈希检查密码。
只需在<authentication-provider .. >元素
<authentication-provider user-service-ref="myUserDetailsService">
<password-encoder hash="md5"/>
</authentication-provider>
您也可以查看Spring Security documentation
另一个改进建议是不使用AOP进行日志记录(假设这是你唯一做的事情)而是实现ApplicationListener并监听AbstractAuthenticationEvent。您可能需要检查默认LoggerListener以获取简单的工作样本。