java: Guide to implementing Spring Security password recovery with dynamic URL sent to email
Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must follow the same license, cite the original URL, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/17219917/
Guide to implementing spring security password recovery with dynamic URL sent to email
Asked by Aubergine
I found it very difficult to do password recovery, since I've never done it before.
So far I have web app which has:
Spring Security, where password is properly hashed and user roles implemented and work correctly.
The strategy hints research from stackoverflow:
- User hits forgot-password button, where he enters his email address.
- Dynamic link is sent to email address
- User opens link in email address
- Which redirects him to password reset page
What is not known:
- How to give link dynamic nature - methods of generations
- Link has a timeout - some questions were found here, but often involve custom handler or extension to spring security functionality
- A request mapping methods to respond to such dynamic link
- Temporary link storage methods - database, session etc. ?
As you can see the list is quite severe for a single question. So was hoping you might be able to provide guide resources to how to do it step by step. I was a little surprised I could not find much on this in Spring Security documentation. Thanks.
I am student so don't know really industry best practices for doing so especially in the context of Java, so I really hope anyone will be able to help.
Answered by Shaun the Sheep
The problem doesn't really have much to do with Spring Security. Provided you know the structure of the user database and the password encoder used, it's really just implementing a workflow involving data access, web controllers and sending an email. The link should contain a random token string (use SecureRandom and a base64 encoder, for example) and it should be stored in a database with the userId and a timestamp (for validating the window within which the link is valid). The controller would simply extract the token from the incoming request, load the data from the database using the token. It would check the timestamp and then forward the user to a password entry form. Depending on requirements, you might also want them to answer some other security questions too. You'd then validate and encode the password and store it in the account matching the userId stored in the reset link table. It would also make sense to have a batch job running to remove expired links from the database.
The Grails Spring Security UI plugin already has a forgot password option which you can either use directly or use as a reference.
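The workflow this answer describes, as an added example that is not part of the original answer or of any project mentioned on this page: a single self-contained Java class (no Spring dependency, runs with a plain JDK) in which in-memory Maps stand in for the reset-link table (token hash, userId, createdAt) and the user table. It goes slightly beyond the answer's text on purpose: the table stores only a SHA-256 hash of the token rather than the token itself, the token is URL-safe base64 so it can be embedded in a link without escaping, and a token is consumed on first successful use so a replayed link fails. The password encoder is injected as a function; in a Spring application you would pass `PasswordEncoder::encode` (for example from `BCryptPasswordEncoder`). The 30-minute validity window, the `example.test` host, and all class and method names are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.function.UnaryOperator;

/**
 * Added example, not code from the original answer. Implements the reset-link
 * workflow described above with in-memory Maps standing in for the reset-link
 * table (tokenHash, userId, createdAt) and the user table. The password encoder
 * is injected as a function; in a Spring app pass PasswordEncoder::encode
 * (e.g. from BCryptPasswordEncoder). Names and the 30-minute window are assumptions.
 */
public class PasswordResetFlow {

    /** One row of the hypothetical reset-link table. */
    static final class ResetEntry {
        final String userId;
        final Instant createdAt;
        ResetEntry(String userId, Instant createdAt) { this.userId = userId; this.createdAt = createdAt; }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration VALIDITY = Duration.ofMinutes(30);

    // Keyed by SHA-256(token), not the token itself: a leaked copy of this table
    // cannot be turned into a valid reset link without the emailed token.
    private final Map<String, ResetEntry> resetTable = new HashMap<>();
    private final Map<String, String> userTable = new HashMap<>(); // userId -> encoded password
    private final UnaryOperator<String> passwordEncoder;

    PasswordResetFlow(UnaryOperator<String> passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    /** Step 1: "forgot password" submitted; returns the token to embed in the emailed link. */
    String issueToken(String userId, Instant now) {
        byte[] raw = new byte[32];                         // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw); // safe inside a URL
        resetTable.put(sha256(token), new ResetEntry(userId, now));
        return token;
    }

    /** Step 2: the controller behind the link extracts the token, loads the row, checks the window. */
    Optional<String> validateToken(String token, Instant now) {
        String key = sha256(token);
        ResetEntry e = resetTable.get(key);
        if (e == null) return Optional.empty();
        if (now.isAfter(e.createdAt.plus(VALIDITY))) {
            resetTable.remove(key);                        // expired: drop it right away
            return Optional.empty();
        }
        return Optional.of(e.userId);
    }

    /** Step 3: password form posted back with the token; encode, store, and consume the token. */
    boolean resetPassword(String token, String newPassword, Instant now) {
        Optional<String> userId = validateToken(token, now);
        if (!userId.isPresent()) return false;
        userTable.put(userId.get(), passwordEncoder.apply(newPassword));
        resetTable.remove(sha256(token));                  // one-time use: a replayed link must fail
        return true;
    }

    String storedPassword(String userId) { return userTable.get(userId); }

    /** The batch job from the answer: remove expired rows, returning how many were dropped. */
    int purgeExpired(Instant now) {
        int before = resetTable.size();
        resetTable.values().removeIf(e -> now.isAfter(e.createdAt.plus(VALIDITY)));
        return before - resetTable.size();
    }

    private static String sha256(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", ex);
        }
    }

    public static void main(String[] args) {
        // Stand-in encoder so the demo has no Spring dependency; use BCryptPasswordEncoder for real.
        PasswordResetFlow flow = new PasswordResetFlow(p -> "encoded(" + p + ")");
        Instant t0 = Instant.parse("2024-01-01T10:00:00Z");

        String token = flow.issueToken("alice", t0);
        System.out.println("emailed link: https://example.test/reset?token=" + token);
        System.out.println("reset within window: " + flow.resetPassword(token, "n3w-pass", t0.plusSeconds(60)));
        System.out.println("stored for alice: " + flow.storedPassword("alice"));
        System.out.println("replay of used link: " + flow.resetPassword(token, "again", t0.plusSeconds(61)));

        String stale = flow.issueToken("bob", t0);
        System.out.println("purged by batch job: " + flow.purgeExpired(t0.plus(Duration.ofHours(1))));
        System.out.println("reset with purged link: " + flow.resetPassword(stale, "x", t0.plus(Duration.ofHours(1))));
        System.out.println("garbage token: " + flow.validateToken("not-a-token", t0).isPresent());
    }
}
```

Compile and run with `javac PasswordResetFlow.java && java PasswordResetFlow`. Two design points worth carrying into a real implementation: the token is the only thing that authenticates the reset request, so treat it like a password (hash it before it touches the database, keep it out of server logs, and make the reset page set a `Referrer-Policy` so the token is not leaked to third-party resources), and make the lookup by hash rather than by userId so that a request for a token that was never issued and a request for an expired one both fail the same way.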
Answered by OhadR
I have implemented a JAVA project for this use case. It is on GitHub, open source.
There are explanations for everything (and if something is missing - let me know...)
Have a look: https://github.com/OhadR/Authentication-Flows
This is the client web-app that uses the auth-flows, with the README with all explanations. It directs you to the implementation: https://github.com/OhadR/oAuth2-sample/tree/master/authentication-flows