spring 春季安全盐
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/8067564/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring Security Salt
提问by user973479
I'm trying to add a salt when adding a new user/pwd, but the docs seem to be missing how to do this.
我试图在添加新用户/密码时添加盐,但文档似乎缺少如何执行此操作。
Here's a basic example:
这是一个基本示例:
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="md5">
<salt-source user-property="username"/>
</password-encoder>
</authentication-provider>
</authentication-manager>
You can see by the example that neither a custom salt or custom password encoder is used.
您可以通过示例看到,既没有使用自定义盐也没有使用自定义密码编码器。
So, how would I wire the Salt in when adding a new user/pwd? I'd assume it would be something along the lines of:
那么,在添加新用户/密码时如何连接 Salt 呢?我认为这将是类似的东西:
@Autowired SaltSource saltSource;
protected void foo(final CustomUser user) {
final PasswordEncoder encoder = new Md5PasswordEncoder();
user.setPassword(encoder.encodePassword(user.getPassword(), saltSource));
}
However, since I am using the default salt/password encoders and I don't have a custom salt bean the autowire would fail.
但是,由于我使用的是默认的盐/密码编码器并且我没有自定义盐豆,因此自动装配会失败。
Any clue how to make this work?
任何线索如何使这项工作?
回答by Roadrunner
You don't autowire the SaltSourcewhen adding user. The SaltSourceis an abstraction used by Spring to provide the source of the salt for password checking only.
SaltSource添加用户时,您不会自动装配。这SaltSource是 Spring 使用的一个抽象,用于提供仅用于密码检查的盐源。
To create a properly encoded password hash You just past the salt itself to the PasswordEncoder- the value of usernameproperty, not the SaltSource:
要创建正确编码的密码哈希,您只需将盐本身传递给PasswordEncoder-username属性的值,而不是SaltSource:
private PasswordEncoder encoder = new Md5PasswordEncoder();
public User createUser(String username, String plainTextPassword) {
User u = new User();
u.setUsername(username);
u.setPassword(encoder.encodePassword(plainTextPassword, username));
getEntityManager().persist(u); // optional
return u;
}
Moreover the autowire of SaltSourcewon't work until it's defined as an inner bean. You could define the ReflectionSaltSourceas top level bean and pass it's ID to the password-encoder, i.e.:
此外,SaltSource除非将其定义为内部 bean ,否则autowire将无法工作。您可以定义ReflectionSaltSourceas 顶级 bean 并将其 ID 传递给password-encoder,即:
<bean id="saltSource"
class="org.springframework.security.authentication.dao.ReflectionSaltSource"
p:userPropertyToUse="username" />
<bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"
p:passwordEncoder-ref="passwordEncoder"
p:saltSource-ref="saltSource"
p:userDetailsService-ref="userDetailsService" />
<authentication-manager>
<authentication-provider ref="daoAuthenticationProvider" />
</authentication-manager>
And then:
进而:
@Autowired private PasswordEncoder passwordEncoder;
@Autowired private SaltSource saltSource;
public CustomUserDetails createUser(String username, String plainTextPassword) {
CustomUserDetails u = new CustomUserDetails();
u.setUsername(username);
u.setPassword(passwordEncoder.encodePassword(
plainTextPassword, saltSource.getSalt(u)));
getEntityNamager().persist(u); // optional
return u;
}
