How to correctly encode password using ShaPasswordEncoder?
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must do so under the same CC BY-SA license, cite the original address, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/18653294/
Asked by misco
I want to encode a password using ShaPasswordEncoder in my Spring app.
ShaPasswordEncoder sha = new ShaPasswordEncoder(256);
sha.setIterations(1000);
String hash = sha.encodePassword(password, salt);
But I don't know what I should put in the salt param. Can it be a static phrase (e.g. sT4t1cPhr453), or a dynamic string different for every user (e.g. username or user ID)?
Edit:
I use a custom AuthenticationProvider, so my security context looks like:
<authentication-manager>
    <authentication-provider ref="customAuthenticationProvider" />
</authentication-manager>
<beans:bean id="customAuthenticationProvider" class="com.app.cloud.auth.CustomAuthenticationProvider" />

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

@Component("customAuthenticationProvider")
public class CustomAuthenticationProvider implements org.springframework.security.authentication.AuthenticationProvider {

    @Autowired
    private AuthService authService;

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException, BadCredentialsException {
        //...
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}
Accepted answer by Sergi Almar
In case you want to explicitly define the salt you can define the salt source:
Dynamic salt (based on the username property)
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder hash="sha-256">
            <salt-source user-property="username"/>
        </password-encoder>
    </authentication-provider>
</authentication-manager>
Static salt
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder hash="sha-256">
            <salt-source system-wide="MySalt" />
        </password-encoder>
    </authentication-provider>
</authentication-manager>
Recommended approach
If you are using Spring Security 3.1, the recommended approach would be to go for bcrypt, which automatically generates a salt and concatenates it.
<beans:bean id='bCryptPasswordEncoder' class='org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder'/>

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder ref="bCryptPasswordEncoder"/>
    </authentication-provider>
</authentication-manager>
You can generate the user password like this:
String password = "p4ssword";
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String encodedPassword = passwordEncoder.encode(password);
Answer by Qwerky
The principle behind salting hashes is that you are not vulnerable to rainbow tables. If you use a static salt then it's possible (but expensive) for someone to build a rainbow table for your salt. If the pickings are sweet, someone will do it.
Ideally your salt should be random (e.g. use bytes from a SecureRandom) and should be different for each user. You should store the salt alongside the hashed password, e.g. if you are using a database table then simply have a salt column.
The latest versions of Spring Security (3.1 and later) try to handle salt in an automatic, transparent manner. The password encoder will automatically generate random salt and append it to the hash instead of storing it separately (e.g. in different columns). Because hashes and the salt have a fixed length it is easy to determine which part of the data is which.
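As an added example (not code from either answer or from Spring itself), this is how the per-user random salt that Qwerky describes can be generated with SecureRandom, stored beside the hash as a separate value, and checked in constant time using only the JDK. It iterates SHA-256 1000 times like the question's setIterations(1000), but the byte layout is an assumption of this example and does not reproduce Spring's ShaPasswordEncoder output, so it illustrates the principle rather than replacing that class.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class SaltedSha256Demo {
    private static final int SALT_BYTES = 16;   // 128-bit random salt per user
    private static final int ITERATIONS = 1000; // same count as the question's setIterations(1000)
    private static final SecureRandom RNG = new SecureRandom();

    // Hash = SHA-256(salt || password), re-hashed ITERATIONS-1 more times. This layout is an
    // illustration assumed by this example, NOT the format Spring's ShaPasswordEncoder produces.
    static byte[] hash(char[] password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            byte[] digest = md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
            for (int i = 1; i < ITERATIONS; i++) {
                digest = md.digest(digest); // digest() resets the MessageDigest after each call
            }
            return digest;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("every JRE must provide SHA-256", e);
        }
    }

    // Registration: draw a fresh random salt and return {salt, hash}, both to be stored (e.g. two columns).
    static String[] register(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return new String[] { b64.encodeToString(salt), b64.encodeToString(hash(password, salt)) };
    }

    // Login: recompute with the user's stored salt and compare in constant time.
    static boolean verify(char[] password, String storedSalt, String storedHash) {
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] expected = b64.decode(storedHash);
        return MessageDigest.isEqual(expected, hash(password, b64.decode(storedSalt)));
    }

    public static void main(String[] args) {
        String[] user1 = register("p4ssword".toCharArray());
        String[] user2 = register("p4ssword".toCharArray()); // same password, different salt
        if (!verify("p4ssword".toCharArray(), user1[0], user1[1])) throw new AssertionError("correct password rejected");
        if (verify("wrong".toCharArray(), user1[0], user1[1])) throw new AssertionError("wrong password accepted");
        if (user1[1].equals(user2[1])) throw new AssertionError("identical hashes despite random salts");
        System.out.println("salt=" + user1[0] + " hash=" + user1[1]);
    }
}
```

The three checks in main show the properties the answer relies on: the right password verifies, a wrong one does not, and two users with the same password end up with different stored hashes because their salts differ.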