Spring Boot security: encoding passwords the easy way

> Edit:

The simplest way I found:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@SuppressWarnings("deprecation")
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    DataSource dataSource;

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        // The users query must return username, the stored password hash and the enabled flag;
        // the hash is handed to the PasswordEncoder as-is, it is never decoded
        auth.jdbcAuthentication().dataSource(dataSource)
        .usersByUsernameQuery(
                "SELECT username, password, abilitazione FROM public.utenti WHERE username=?")
        .passwordEncoder(passwordEncoder())
        .authoritiesByUsernameQuery(
                "SELECT username, ruolo FROM public.ruoli_utente WHERE username=?");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //omitted for brevity
    }

    @Bean
    public PasswordEncoder passwordEncoder(){
        // BCrypt: salted, one-way; matches() re-hashes the submitted password and compares
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }
}

In my DAO class, I add users like this:

public void addElement(Utente u) {
    String password = u.getPassword();
    // Hash once at registration time; only the hash reaches the database
    BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
    String hashedPassword = passwordEncoder.encode(password);
    u.setPassword(hashedPassword);
    jdbcTemplate.update(
        "INSERT INTO public.utenti(username, password, abilitazione, email, nome, cognome) VALUES (?, ?, ?, ?, ?, ?)",
        new Object[] {u.getUsername(), u.getPassword(), u.getAbilitazione(), u.getEmail(), u.getNome(), u.getCognome()});
}

I want to encrypt and decrypt the password in a super simple way; it doesn't matter if it isn't super secure, it only has to be secure enough for my purposes. So in the database I added the encrypted password. When the user authenticates, it does not recognize the password, even if I decode it. I did it like this:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    DataSource dataSource;

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        // No passwordEncoder is configured here, so the submitted password is compared
        // directly with whatever value this query returns for the password column
        auth.jdbcAuthentication().dataSource(dataSource)
        .usersByUsernameQuery(
                "SELECT username, decode(password,'base64'), abilitazione FROM public.utenti WHERE username=?")
        .authoritiesByUsernameQuery(
                "SELECT username, ruolo FROM public.ruoli_utente WHERE username=?");
    }
}

Can it work in a similar way (decoding directly in the usersByUsernameQuery), or do I have to declare some bean to do the decoding?
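As an added illustration (this is not code from the question), the following stand-alone class shows what the BCrypt PasswordEncoder from the edited configuration actually does with the password column: `encode` produces a salted one-way hash that cannot be decoded back, and authentication works by re-hashing the submitted password and comparing with `matches`, which is exactly what `jdbcAuthentication().passwordEncoder(...)` wires up. The in-memory map, the class name `BcryptStorageDemo` and the user name `mario` are constructed stand-ins for the `public.utenti` table; the dummy-hash comparison for unknown users mirrors what Spring's `DaoAuthenticationProvider` does so that a missing user costs the same time as a wrong password.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example: one-way password storage with Spring Security's BCryptPasswordEncoder.
 * The map stands in for the public.utenti table; nothing here is decoded, only re-hashed.
 */
public class BcryptStorageDemo {

    // Same encoder type as the passwordEncoder() bean in SecurityConfig
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // A valid hash of a throwaway value, used so that unknown users take a full BCrypt round too
    private static final String DUMMY_HASH = ENCODER.encode("dummy-value-never-a-real-password");

    // username -> stored hash (the value usersByUsernameQuery would return)
    private final Map<String, String> users = new HashMap<>();

    /** Registration path (the DAO's addElement): hash once with a fresh random salt, store the hash. */
    public String register(String username, String rawPassword) {
        String hash = ENCODER.encode(rawPassword);
        users.put(username, hash);
        return hash;
    }

    /** Login path (what jdbcAuthentication + passwordEncoder do): re-hash the input and compare. */
    public boolean authenticate(String username, String submittedPassword) {
        String stored = users.get(username);
        if (stored == null) {
            // Unknown user: still run one BCrypt computation so timing does not reveal existence
            ENCODER.matches(submittedPassword, DUMMY_HASH);
            return false;
        }
        // matches() reads cost and salt out of the stored hash, hashes the input with them
        // and compares the result; the original password is never recovered
        return ENCODER.matches(submittedPassword, stored);
    }

    public static void main(String[] args) {
        BcryptStorageDemo demo = new BcryptStorageDemo();
        String first = demo.register("mario", "s3cret");   // constructed sample user
        String second = ENCODER.encode("s3cret");           // same input, second encode call

        System.out.println("stored hash:        " + first);
        System.out.println("hash of same input: " + second);
        System.out.println("hashes identical:   " + first.equals(second));
        System.out.println("correct password:   " + demo.authenticate("mario", "s3cret"));
        System.out.println("wrong password:     " + demo.authenticate("mario", "S3CRET"));
        System.out.println("unknown user:       " + demo.authenticate("luigi", "s3cret"));
    }
}
```

Running it shows two different `$2a$10$...` strings for the same input (each `encode` call draws its own salt, which is embedded in the hash together with the cost factor), while `matches` accepts the correct password against either of them. This is why the base64 `decode(...)` in the query has no counterpart in the BCrypt setup: the stored value is meant to be compared, not reversed.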

This is how I did it; it looks clean and is open to change.

In the Application class:

@Bean
public ApplicationSecurity applicationSecurity() {
    // Registers the security configuration below as a bean of the Spring Boot application
    return new ApplicationSecurity();
}

Your ApplicationSecurity class:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailSecurityService userDetailSecurityService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is disabled; static resources are public, everything else needs a full login
        http.csrf().disable().authorizeRequests().antMatchers("/ace/**",
                                                            "/app/**",
                                                            "/jquery/**",
                                                            "/bootstrap/**",
                                                            "/font-awesome/**",
                                                            "/jstree/**",
                                                            "/img/**").permitAll().anyRequest()
            .fullyAuthenticated();
        http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=1").permitAll().defaultSuccessUrl("/configurator").and().logout().permitAll();
        // Replaces the default X-Frame-Options DENY header with SAMEORIGIN
        http.headers().frameOptions().disable().addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "SAMEORIGIN"));
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Users come from your own UserDetailsService; passwords are checked with the encoder bean below
        auth.userDetailsService(userDetailSecurityService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder(){
        return new MD5PasswordEncoder();
    }
}

And the MD5PasswordEncoder class, or whatever implementation you want to use:

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.crypto.password.PasswordEncoder;

public class MD5PasswordEncoder implements PasswordEncoder {
    private static final Logger logger = LoggerFactory.getLogger(MD5PasswordEncoder.class);

    @Override
    public String encode(CharSequence charSequence) {
        String encPass = "";
        try {
            // Unsalted MD5 digest of the raw password, stored as Base64 without '=' padding
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(charSequence.toString().getBytes(StandardCharsets.UTF_8));
            byte[] b64 = Base64.encodeBase64(digest);
            encPass = new String(b64, StandardCharsets.UTF_8);
            encPass = encPass.replaceAll("=", "");
        } catch (Exception ex) {
            logger.error("An exception trying to encode a password", ex);
        }
        return encPass;
    }

    @Override
    public boolean matches(CharSequence charSequence, String s) {
        // The digest of the submitted password must equal the stored digest
        return encode(charSequence).equals(s);
    }
}

// For reference, this is Spring Security's own interface that your service implements
public interface UserDetailsService {
    UserDetails loadUserByUsername(String var1) throws UsernameNotFoundException;
}

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class UserDetailSecurityService implements UserDetailsService {
    // Here your user service implementation
    @Autowired
    UserService userService;

    // You need to override this method name
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // You need to create a method in your service to find users by name;
        // it must return a UserDetails, or throw UsernameNotFoundException if the user does not exist
        return userService.findByUsername(username);
    }
}

In this case, if you need to change to a new encoder method, you only need to implement a new class with the appropriate scheme and you are done.
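As an added example (not part of the answer), the "swap in a new class" idea can be carried one step further with Spring Security's `DelegatingPasswordEncoder` (Spring Security 5.1 or later): every stored value is prefixed with an encoder id such as `{bcrypt}`, so hashes produced by an old encoder and a new one can live in the same column, and a legacy entry is re-hashed with the current encoder on the next successful login via `upgradeEncoding`. The legacy encoder below is Spring's deprecated `MessageDigestPasswordEncoder("MD5")` under the id `MD5`, the same id `PasswordEncoderFactories` uses for it, standing in for the answer's `MD5PasswordEncoder`; the class name `EncoderMigrationDemo`, the in-memory map and the user `mario` are constructed for the demo. In a real application the re-hash step is done by implementing `UserDetailsPasswordService`, which `DaoAuthenticationProvider` calls for you after a successful login.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.MessageDigestPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example: migrating stored hashes from a legacy encoder to BCrypt with
 * DelegatingPasswordEncoder. Each stored value carries an "{id}" prefix that selects
 * the encoder used to verify it; new hashes are always written with the current id.
 */
@SuppressWarnings("deprecation") // MessageDigestPasswordEncoder is kept only to verify old rows
public class EncoderMigrationDemo {

    private static final String LEGACY_ID = "MD5";     // id PasswordEncoderFactories uses for MD5
    private static final String CURRENT_ID = "bcrypt"; // encoder used for every new password

    private static final PasswordEncoder LEGACY = new MessageDigestPasswordEncoder("MD5");
    private static final PasswordEncoder DELEGATING = buildDelegating();

    // username -> stored "{id}hash" value, standing in for the password column
    private final Map<String, String> users = new HashMap<>();

    static PasswordEncoder buildDelegating() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put(CURRENT_ID, new BCryptPasswordEncoder());
        encoders.put(LEGACY_ID, LEGACY);
        // First argument: id used by encode(); every id in the map can still verify
        return new DelegatingPasswordEncoder(CURRENT_ID, encoders);
    }

    /** Simulates a row written by the old setup, tagged so the delegating encoder can route it. */
    public void importLegacyUser(String username, String rawPassword) {
        users.put(username, "{" + LEGACY_ID + "}" + LEGACY.encode(rawPassword));
    }

    /** Login: verify with the encoder named by the prefix, then upgrade if it is not the current one. */
    public boolean login(String username, String submittedPassword) {
        String stored = users.get(username);
        if (stored == null || !DELEGATING.matches(submittedPassword, stored)) {
            return false;
        }
        if (DELEGATING.upgradeEncoding(stored)) {
            // The raw password is only available right now, so this is the moment to re-hash it
            users.put(username, DELEGATING.encode(submittedPassword));
        }
        return true;
    }

    public String storedValue(String username) {
        return users.get(username);
    }

    public static void main(String[] args) {
        EncoderMigrationDemo demo = new EncoderMigrationDemo();
        demo.importLegacyUser("mario", "s3cret");   // constructed sample user with an MD5-era row

        System.out.println("before login:    " + demo.storedValue("mario"));
        System.out.println("legacy login:    " + demo.login("mario", "s3cret"));
        System.out.println("after login:     " + demo.storedValue("mario"));
        System.out.println("second login:    " + demo.login("mario", "s3cret"));
        System.out.println("wrong password:  " + demo.login("mario", "wrong"));
    }
}
```

After the first successful login the stored value changes from a `{MD5}...` entry to a `{bcrypt}$2a$...` entry, and subsequent logins are verified by BCrypt alone; a wrong password is rejected under either scheme. Switching encoders again later only requires changing `CURRENT_ID` and adding the new encoder to the map, which is the "implement a new class" step of the answer without having to reset anyone's password.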
