3

我正在使用 Spring 3 并从 MySQL 数据库中获取用户。

现在,在测试中,我有一个使用 MD5 密码的用户。我可以使用它进行身份验证。

但是,我们希望在散列密码的方式上更加安全。我们想:

MD5(username + salt + password)

salt 是存储在用户记录中的随机字符串。但我似乎无法弄清楚在哪里/如何做到这一点。这是我到目前为止所拥有的:

用户道

public class UserDao {

    public static Users findUserByUsername(String paUsername) {
        String hql = "from Users where username = :username";

        List<Users> list = null;
        Users user = null;

        try {
            IO io = new IO("web");   // custom Hibernate framework
            IOQuery query = new IOQuery();
            query.setStatement(hql);
            query.setParameter(new IOParameter("username", paUsername));

            list = io.runQuery(query);

            if (list.isEmpty()) {
                return null;
            }

            return list.get(0);

        } catch (Exception ex) {
            return null;
        }
    }
}

UserDetailsS​​erviceImpl

@Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserDao userDao;

    @Override
    public UserDetails loadUserByUsername(String paUsername) throws UsernameNotFoundException {
        Users user = userDao.findUserByUsername(paUsername);

        if(user == null) {
            throw new UsernameNotFoundException("User not found");
        }

        return new User(
                user.getUsername(),
                user.getPassword(),
                user.getEnabled(),
                true,
                true,
                true,
                getAuthorities(Enums.UserRoles.IT));
    }

    private Collection<? extends GrantedAuthority> getAuthorities(Enums.UserRoles paRole) {
        List<GrantedAuthority> authList = getGrantedAuthorities(getRoles(paRole));
        return authList;
    }

    private List<String> getRoles(Enums.UserRoles paRole) {
        List<String> roles = new ArrayList<>();

        if (paRole.equals(Enums.UserRoles.USER)) {
            roles.add(Enums.UserRoles.USER.name());
        } else if (paRole.equals(Enums.UserRoles.IT)) {
            roles.add(Enums.UserRoles.USER.name());
            roles.add(Enums.UserRoles.IT.name());
        }

        return roles;
    }

    private static List<GrantedAuthority> getGrantedAuthorities(List<String> paRoles) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : paRoles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        return authorities;
    }
}

用户详情服务

public class UserDetailService implements UserDetailsService {

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        return new UserDetailsServiceImpl().loadUserByUsername(username);        
    }
}

安全应用上下文

<beans:bean id="loginSuccessHandler" class="com.myapp.security.LoginSuccessHandler" />
<beans:bean id="loginFailureHandler" class="com.myapp.security.LoginFailureHandler" />
<beans:bean id="detailsService" class="com.myapp.security.UserDetailService" />

关于我需要做什么的任何想法?

谢谢

4

2 回答 2

1

这是我的应用程序用来设置密码编码的安全配置片段:

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="authenticationProvider" />
</sec:authentication-manager>


<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsServiceImpl"/>
    <property name="passwordEncoder" ref="cryptoPasswordEncoder" />
</bean>


<bean id="cryptoPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

我们不需要在DaoAuthenticationProvider中设置 Salt 源,因为BCryptPasswordEncoder使用它自己的。

于 2012-06-08T15:25:15.290 回答
0

采用 :

public class PasswordEncoder extends org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder{             

    public PasswordEncoder() {
        super("MD5");
    }

    @Override
    public String encodePassword(String originalPassword, Object salt) {
            // here supply salt = username + saltString
        String encryptedPassword =  super.encodePassword(originalPassword, salt);           
        return encryptedPassword;
    }

}
于 2012-06-08T15:27:28.007 回答