Java: Hashing and Salting Passwords with Spring Security 3

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must comply with the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/7378107/

Time: 2020-10-30 19:43:11  Source: igfitidea

java spring hash spring-security saltedhash

Asked by kamaci

How can I hash passwords and salt them with Spring Security 3?

Answered by Ali

Programmatically you would do it as follows:

In your application-context.xml (defined in web.xml under contextConfigLocation) file define the bean (this example uses md5).

<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder" />

Then Autowire the password encoder:

@Autowired
PasswordEncoder passwordEncoder;

In your method or wherever you want to hash and salt.

passwordEncoder.encodePassword("MyPasswordAsString", "mySaltAsStringOrObject");

The above call should return a salted hash (as a String).

That should do it. I'm assuming you can figure out the jars you'll need.

UPDATE

It should go without saying that using MD5 is not the best idea. Ideally you should use SHA-256 at least. This can be done with the ShaPasswordEncoder.

Replace the MD5 bean config above with:

<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
     <constructor-arg value="256"/>
</bean>

Answered by Kawalya

Simplest seems to be Spring Security 3.1 assuming no constraints on the way hashing should be done:

<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<security:authentication-manager>
    <security:authentication-provider>
        <security:password-encoder ref="encoder"/>
        <security:jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username,password, enabled from users where username=?" authorities-by-username-query="select u.username, ur.authority from users u, user_roles ur where u.username = ur.username and u.username =?"/>
    </security:authentication-provider>
</security:authentication-manager>


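import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Controller
@Stateless
public class UsersEJB {
    @PersistenceContext(unitName = "somePU")
    private EntityManager em;

    @Transactional
    public void create(Users users) {
        // BCrypt generates a random salt on every call and stores it inside the hash.
        PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        String hashedPassword = passwordEncoder.encode(users.getPassword());
        // Persist only the hash, never the raw password.
        users.setPassword(hashedPassword);
        em.persist(users);
    }
}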

Answered by OhadR

Easiest way, as documented:

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsService" >
        <password-encoder hash="sha">
            <salt-source user-property="username"/>
        </password-encoder>
    </authentication-provider>
</authentication-manager>

HTH

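The answers above configure two kinds of encoder: the legacy `ShaPasswordEncoder`, which takes a caller-supplied salt, and `BCryptPasswordEncoder`, which generates its own. The following added example (not code from the question or any answer) compares how each is verified. It assumes Spring Security 3.1.x on the classpath; the class name, sample password and usernames are constructed for illustration.

```java
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Added illustration; class name, password and usernames are constructed.
public class EncoderComparison {

    // Splits "$2a$<cost>$<22-char salt><31-char hash>" into its four fields.
    static String[] bcryptFields(String encoded) {
        String[] p = encoded.split("\\$"); // ["", "2a", cost, salt + hash]
        return new String[] { p[1], p[2], p[3].substring(0, 22), p[3].substring(22) };
    }

    public static void main(String[] args) {
        String raw = "correct horse battery staple";

        // Legacy encoder (first and third answers): the caller supplies the salt,
        // here the username, and must supply the same one again to verify.
        ShaPasswordEncoder sha = new ShaPasswordEncoder(256);
        String shaAlice = sha.encodePassword(raw, "alice");
        String shaBob = sha.encodePassword(raw, "bob");
        System.out.println("sha: same salt, same hash       = "
                + shaAlice.equals(sha.encodePassword(raw, "alice")));
        System.out.println("sha: different salt, same hash  = " + shaAlice.equals(shaBob));
        System.out.println("sha: verifies with right salt   = "
                + sha.isPasswordValid(shaAlice, raw, "alice"));
        System.out.println("sha: verifies with wrong salt   = "
                + sha.isPasswordValid(shaAlice, raw, "bob"));

        // BCrypt (second answer): a fresh random salt per encode() call, stored
        // inside the result together with the cost factor.
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder(12);
        String h1 = bcrypt.encode(raw);
        String h2 = bcrypt.encode(raw);
        String[] f = bcryptFields(h1);
        System.out.println("bcrypt: version=" + f[0] + " cost=" + f[1]
                + " salt=" + f[2] + " hash=" + f[3]);
        System.out.println("bcrypt: two encodes are equal   = " + h1.equals(h2));
        System.out.println("bcrypt: matches() on first      = " + bcrypt.matches(raw, h1));
        System.out.println("bcrypt: matches() on second     = " + bcrypt.matches(raw, h2));
        System.out.println("bcrypt: wrong password matches  = "
                + bcrypt.matches("wrong password", h1));
    }
}
```

Because each BCrypt hash embeds its own random salt, verification has to go through `matches()`; re-encoding the submitted password and comparing the two strings will not succeed.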