1

我正在开发一个使用 Java EE、Spring 安全框架和 Oracle 11g 数据库的应用程序。我需要在 Spring 安全性中添加一个 MD5 哈希,但我没有成功。

到目前为止我做了什么:

1-在最初的几周里,我尝试将 md5 哈希添加到我的应用程序中,而不向 springsecuritycontext.xml 添加任何代码,我成功了。

这就是我所做的:

在名为 ma.dyaralmansour.zkgui.policy 的包中有两个类。第一个名为 PolicyManager,该类实现了 spring-security UserDetailService。第二个称为 LoginLoggingPolicyService,这个类作为一个方面从 Spring AOP 调用,用于记录。

所以这就是我所做的:

       *** I added an MD5Password class to the ma.dyaralmansour.zkgui.policy and I added some code to the PolicyManager class to activate the hash and it's working.

我现在的问题是:

我所有的密码都使用 MD5 哈希值进行哈希处理,但是当我使用普通密码时,我无法再访问该应用程序。

现在我有 2 个选项,但我不知道如何实现它们:

1- 在 MD5password 类中有一个名为 testPassword(String clearTextTestPassword,String encodedActualPassword) 的方法

它将普通密码与存储在数据库中的散列密码进行比较,但我不明白如何将其添加到我的 policymanager 类中。

2 - 完全删除我所做的一切,只关注 Spring 安全性的配置,以便在我使用普通密码时对密码进行哈希处理并访问应用程序。

还是有其他解决方案?

http://www.mediafire.com/download/gxgda63wyhkpehn/DamPromoZK4.rar

<!-- Spring namespace-based configuration -->

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:zksp="http://www.zkoss.org/2008/zkspring"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd
                    http://www.springframework.org/schema/aop   
                    http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">



<!-- Enable the @Secured annotation to secure service layer methods -->
<global-method-security secured-annotations="enabled" />

<http auto-config="true">

    <!-- ###  If we have our own LoginPage. So we must    ### -->
    <!-- ###     tell Spring the name and the place.      ### -->
    <!-- ###     In our case we take the same page        ### -->
    <!-- ###     for a error message by a failure.        ### -->
    <!-- ### Further the page after a successfully login. ### -->
    <form-login login-page="/index.zul" 

        authentication-failure-url="/index.zul?login_error=1"
        default-target-url="/AccueilIntranet.zul" />

    <!-- ###   Tell Spring where it goes after logout.    ### -->
    <!-- ###          logout-url is a action url.         ### -->
    <logout logout-url="/j_spring_logout" logout-success-url="/index.zul" />

    <!-- ### Define the pages that are to be intercepted  ### -->
    <!-- ### It is parsed from top to bottom. Means that  ### -->
    <!-- ### the most specific pattern is standing on TOP ### -->
    <!-- ###         and the CATCH ALL is on BOTTOM!      ### -->
    <intercept-url pattern="/pages/**" access="IS_AUTHENTICATED_REMEMBERED" filters="none" />
    <intercept-url pattern="/WEB-INF/pages/**" access="IS_AUTHENTICATED_REMEMBERED" filters="none"/>

    <!-- ### The root page is accessible by everyone but  ### -->
    <!-- ###    internally spring makes a login and       ### -->
    <!-- ###     this user becames a UserDetails          ### -->
    <!-- ###   (in there are the ip-address and others)   ### -->
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none"/>

    <!-- ###           Per user one session !!            ### -->
    <concurrent-session-control max-sessions="1" />
</http>

<!-- ###   We define the kind of authentification with a  ### -->
<!-- ###          so called authentication-provider       ### -->
<!-- ###   So we have our users stored in a DB we use     ### -->
<!-- ###   our own user-service class and point to her.   ### -->
<authentication-provider user-service-ref="myUserDetailsService">
</authentication-provider>




<!-- ###   The Implementation of the Interface            ### -->
<!-- ###      UserDetailService for the logged in         ### -->
<!-- ###              user and his rights                 ### -->
<beans:bean id="myUserDetailsService" class="ma.dyaralmansour.zkgui.policy.PolicyManager">
    <beans:property name="userService" ref="userService" />
</beans:bean>



<authentication-provider user-service-ref="myUserDetailsService">
<password-encoder hash="md5"/>
</authentication-provider>




    <!-- ###   This aspect call automatically the methode     ### -->
    <!-- ###   'loginLogging' which is for writing a log for  ### -->
    <!-- ###   all successfully and failed logins, if a       ### -->
    <!-- ###   methode is called that handles the             ### -->
    <!-- ###    Authentication.                               ### -->
    <beans:bean id="LoginLoggingPolicyService"
        class="ma.dyaralmansour.zkgui.policy.LoginLoggingPolicyService">
        <beans:property name="loginLoggingService" ref="loginLoggingService" />
    </beans:bean>






    <aop:config>
        <aop:aspect id="LoginLoggingAspect" ref="LoginLoggingPolicyService">
            <aop:pointcut id="authPointcut"
                expression="execution(public org.springframework.security.Authentication org.springframework.security.providers.AuthenticationProvider.authenticate(org.springframework.security.Authentication))" />
            <aop:around pointcut-ref="authPointcut" method="loginLogging" />
        </aop:aspect>
    </aop:config>

</beans:beans>
4

2 回答 2

3

你为什么要重新发明轮子?Spring Security 支持开箱即用的密码哈希,这只是一个配置问题。您的自定义实现UserDetailService必须简单地返回为用户名找到的用户(不检查密码或其他什么)。然后 Spring Security 将使用配置的哈希检查密码。

只需通过向您的<authentication-provider .. >元素添加密码编码器来适当地配置 Spring Security

<authentication-provider user-service-ref="myUserDetailsService">
    <password-encoder hash="md5"/>
</authentication-provider>

您可能还想查看Spring Security 文档

另一个改进建议是不要使用 AOP 进行日志记录(假设这是您唯一要做的事情)实现ApplicationListener并监听AbstractAuthenticationEvent。您可能需要检查默认LoggerListener以获得简单的工作示例。

于 2013-09-03T14:19:05.167 回答
3

使用新的 BCryptPasswordEncoder:

http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html

它会自动为您添加密码。

我推荐 BCrypt,因为它很强大,速度很慢,并且没有已知的弱点。“慢”实际上是散列算法中你想要的一个特性,因为这意味着如果有人窃取了你的密码,它需要更长的时间来破解。

SHA 256 被削弱。MD5肯定坏了。

于 2013-09-03T17:59:34.263 回答