如何获取用户名和输入密码而无需使用spring boot security进行编码

时间:2015-11-26 15:23:04

标签: spring-security spring-boot

我已经实现了具有spring boot安全性的安全层,并且我已经使用MD5加密机制对所呈现的密码进行编码。它按预期完美地工作但我需要获得用户在DAO中输入的用户名和原始密码或服务层。以下是我使用的代码

@Autowired
UserDao userDao;

@Autowired
@Qualifier("userDetailsService")
UserDetailsService userDetailsService;

@Autowired
private RESTAuthenticationEntryPoint authenticationEntryPoint;

@Autowired
private RESTAuthenticationFailureHandler authenticationFailureHandler;
@Autowired
private RESTAuthenticationSuccessHandler authenticationSuccessHandler;

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/css/**", "/fonts/**", "/images/**");
}


/**
 * Security implementation to access the services
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/", "/index.html","/home.html","/page/*","/home/*", "/login.html","/login","/cms/createPhoneNo").permitAll();
    http.authorizeRequests().anyRequest().fullyAuthenticated().and().httpBasic().and().csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
    http.formLogin().loginProcessingUrl("/login/authenticate").successHandler(authenticationSuccessHandler);
    http.formLogin().failureHandler(authenticationFailureHandler);
    http.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).invalidateHttpSession(true);
    http.exceptionHandling().accessDeniedHandler(accessDeniedHandler());

    // CSRF tokens handling
    http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);
}

/**
 * Configures the authentication manager bean which processes authentication
 * requests.
 */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // Dao based authentication
    auth.userDetailsService(userDetailsService).passwordEncoder(new Md5PasswordEncoder());
}

private AccessDeniedHandler accessDeniedHandler() {
    return new AccessDeniedHandler() {

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                AccessDeniedException accessDeniedException) throws IOException, ServletException {
            response.getWriter().append("Access denied");
            response.setStatus(403);
        }
    };
}

/**
 * This bean is load the user specific data when form login is used.
 */
@Bean
public UserDetailsService userDetailsService() {
    return new MyCustomUserDetailsService(userDao);
}

}

有人可以帮助我实现这种情况吗?

谢谢,

2 个答案:

答案 0 :(得分:1)

添加到您的auth.eraseCredentials(false); 方法:

String username = SecurityContextHolder.getContext().getAuthentication().getName();
Object rawPassword  = SecurityContextHolder.getContext().getAuthentication().getCredentials();

然后,您可以使用

获取当前用户的用户名和密码
body.dynamic = true    

答案 1 :(得分:1)

在我提供答案之前,必须发出警告:

  

以明文形式存储用户密码极具风险。无论谁   有权访问db有权访问用户的密码,这意味着他们可以   在您的应用程序中模拟用户。用户也倾向于重用   密码,因此您将该用户暴露给其他系统上的风险(他们的   电子邮件,他们的Facebook等...)。

把它排除在外,哦等一下,再来一次:

  

MD5是一种极弱的单向哈希。它受rainbow tables的约束   生成给定哈希的纯文本很容易被发现。   考虑切换到更强大的东西,比如SHA-256,Scrypt,   Bcrypt或PBKDF2。

好的,完成了。使用org.springframework.security.authentication.encoding.PlaintextPasswordEncoder并在DAO中按需应用MD5(或更好,轻推nudge)哈希。