How to verify/compare a BCrypt-hashed password against a given password in Quarkus / WildFly



I have implemented basic auth using security-jpa. All my REST endpoints can now validate the Authorization header of client requests; the password verification is done by the framework. Now I need to be able to verify a password myself against the stored password hash.

With the default configuration, user passwords are stored in hashed form, produced by the function BcryptUtil.bcryptHash(String password). How can I check whether a given password string matches the stored bcrypt hash?

  • Source: https://quarkus.io/guides/security-jpa

I wrote a small utility class that verifies a password string against a bcrypt password hash.

import org.wildfly.security.password.Password;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.WildFlyElytronPasswordProvider;
import org.wildfly.security.password.interfaces.BCryptPassword;
import org.wildfly.security.password.util.ModularCrypt;
import io.quarkus.elytron.security.common.BcryptUtil;

public class SecurityUtil {

    public static void main(String[] args) throws Exception {
        String bCryptPasswordHash = BcryptUtil.bcryptHash("Password_1");
        String passwordToVerify = "Password_1";
        System.out.println(verifyBCryptPassword(bCryptPasswordHash, passwordToVerify)); // -> true
        System.out.println(verifyBCryptPassword(bCryptPasswordHash, "NotPassword_1")); // -> false
    }

    public static boolean verifyBCryptPassword(String bCryptPasswordHash, String passwordToVerify) throws Exception {
        WildFlyElytronPasswordProvider provider = new WildFlyElytronPasswordProvider();
        // 1. Create a BCrypt password factory
        PasswordFactory passwordFactory = PasswordFactory.getInstance(BCryptPassword.ALGORITHM_BCRYPT, provider);
        // 2. Decode the stored hash (modular crypt format "$2a$<cost>$<salt+hash>"); salt and cost are embedded in it
        Password userPasswordDecoded = ModularCrypt.decode(bCryptPasswordHash);
        // 3. Translate the decoded password object into one this factory can consume
        Password userPasswordRestored = passwordFactory.translate(userPasswordDecoded);
        // 4. Verify the candidate password against the restored hash
        return passwordFactory.verify(userPasswordRestored, passwordToVerify.toCharArray());
    }
}
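As an added example (not part of the question or the answer above, and not Quarkus or WildFly project code), the same Elytron verification extended with one check a practitioner usually wants next to it: reading the cost factor embedded in the stored hash and flagging a hash for re-hashing when it falls below a policy minimum. The class name `BcryptVerifier`, the `Result` record and the `MIN_COST` policy value are assumptions for illustration; the Elytron and `BcryptUtil` calls are the same public API used in the answer.

```java
import java.security.GeneralSecurityException;

import org.wildfly.security.password.Password;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.WildFlyElytronPasswordProvider;
import org.wildfly.security.password.interfaces.BCryptPassword;
import org.wildfly.security.password.util.ModularCrypt;

import io.quarkus.elytron.security.common.BcryptUtil;

/**
 * Added example: verify a candidate password against a stored bcrypt hash with
 * WildFly Elytron and report whether the hash should be upgraded because its
 * embedded cost factor is below the policy minimum. Class name, Result type and
 * MIN_COST are assumptions, not part of any library.
 */
public class BcryptVerifier {

    /** Minimum bcrypt cost factor this (hypothetical) application accepts. */
    static final int MIN_COST = 12;

    /** Outcome of one verification: match result, cost found in the hash, upgrade needed. */
    public record Result(boolean matches, int cost, boolean needsRehash) {}

    public static Result verify(String storedHash, String candidate) throws GeneralSecurityException {
        PasswordFactory factory = PasswordFactory.getInstance(
                BCryptPassword.ALGORITHM_BCRYPT, WildFlyElytronPasswordProvider.getInstance());

        // ModularCrypt parses the "$2a$<cost>$<salt+hash>" string; salt and cost
        // are embedded, so nothing else has to be stored next to the hash.
        Password decoded = ModularCrypt.decode(storedHash);
        BCryptPassword bcrypt = (BCryptPassword) factory.translate(decoded);

        boolean ok = factory.verify(bcrypt, candidate.toCharArray());
        int cost = bcrypt.getIterationCount();
        // Only upgrade after a successful match: that is the one moment the
        // plaintext is available to compute a stronger hash.
        return new Result(ok, cost, ok && cost < MIN_COST);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a hash created with BcryptUtil's default cost.
        String stored = BcryptUtil.bcryptHash("Password_1");

        Result r = verify(stored, "Password_1");
        System.out.println("match=" + r.matches() + " cost=" + r.cost() + " rehash=" + r.needsRehash());
        if (r.needsRehash()) {
            // Re-hash with the policy cost and persist the new value in place of the old one.
            String upgraded = BcryptUtil.bcryptHash("Password_1", MIN_COST);
            System.out.println("upgraded hash cost prefix: " + upgraded.substring(0, 7));
        }

        System.out.println("wrong password matches=" + verify(stored, "NotPassword_1").matches());
    }
}
```

The re-hash step is deliberately gated on a successful match, since a stored hash can only be strengthened while the plaintext is in hand; storing the upgraded value is left to the application's user repository.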
