Spring Security - password hashing



I use Spring Security to handle authorization in my application. In my configuration I have the following:

<security:authentication-manager>  
    <security:authentication-provider>  
        <security:password-encoder hash="md5"/>  
        <security:jdbc-user-service id="userService"
                    data-source-ref="dataSource"
                    users-by-username-query="select phone, password, true from users where phone=?"
                    authorities-by-username-query="select phone,'ROLE_USER' from users where phone=?" />
    </security:authentication-provider>  
</security:authentication-manager> 

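When I remove the <security:password-encoder hash="md5"/> line and store raw passwords in the DB, authorization works. But when I try to store hashed passwords in the DB and use this line, authorization fails. Am I doing something wrong?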

P.S. The password hash in the DB is 100% correct. 202cb962ac59075b964b07152d234b70 is for the password 123.

I can suggest that you create a test class and create the hash there.

import org.springframework.security.authentication.encoding.Md5PasswordEncoder;

public class Test {
    public static void main(String[] args) {
        Md5PasswordEncoder encoderMD5 = new Md5PasswordEncoder();
        // Hash the raw password without a salt (null)
        String securePass = encoderMD5.encodePassword("admin", null);
        // Check the raw password against the hash that was just produced
        System.out.println(encoderMD5.isPasswordValid(securePass, "admin", null));
    }
}

In the XML use

<bean name="md5" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>
<security:password-encoder ref="md5"/>

And of course, check your hashed password value in the database

I suggest using bcrypt

In the XML

<bean name="bcryptEncode" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <constructor-arg value="12"></constructor-arg>
</bean>
<security:password-encoder ref="bcryptEncode"/>

You can encode a password this way:

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PrintBCryptString {
    public static void main(String[] args) {
        // Strength (log rounds) 12, the same value as the constructor-arg in the XML bean
        PasswordEncoder encoder = new BCryptPasswordEncoder(12);
        // Verify a raw string against a freshly generated bcrypt hash
        System.out.println(encoder.matches("type here some string", encoder.encode("type here some string")));
        // Print a bcrypt hash of the string
        System.out.println(encoder.encode("type here some string"));
    }
}

Maybe a small explanation of bcrypt
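The database check suggested above, as an added example that is not code from the original posts: it recomputes the MD5 hex digest with the JDK's MessageDigest and reports how a stored column value differs from the expected string. The class name `StoredMd5Check`, the sample column values and the listed mismatch causes are assumptions for illustration; the page does not say which, if any, applies to the asker's database.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class StoredMd5Check {

    // Lowercase hex MD5 of the UTF-8 bytes, the same form as the hash quoted in the question.
    static String md5Hex(String raw) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5")
                .digest(raw.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Explains why a stored column value would not equal the expected hash string.
    static String diagnose(String stored, String rawPassword) throws NoSuchAlgorithmException {
        String expected = md5Hex(rawPassword);
        if (stored == null) return "NULL column value";
        if (stored.equals(expected)) return "exact match";
        String trimmed = stored.trim();
        if (trimmed.equals(expected)) return "whitespace or padding around the hash (CHAR column?)";
        if (trimmed.equalsIgnoreCase(expected)) return "hex digits differ only in letter case";
        if (trimmed.length() != expected.length())
            return "length " + trimmed.length() + ", expected " + expected.length()
                    + " (other encoding or truncated column?)";
        return "different hash: other password, charset or salt";
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values; the first is the hash quoted in the question for "123".
        String[] storedValues = {
            "202cb962ac59075b964b07152d234b70",
            "202cb962ac59075b964b07152d234b70        ",
            "202CB962AC59075B964B07152D234B70",
            "202cb962ac59075b964b"
        };
        for (String stored : storedValues) {
            System.out.println("[" + stored + "] -> " + diagnose(stored, "123"));
        }
    }
}
```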
