如何使用 Spring 验证密码
[英]How to verify password with Spring
问题描述
I have found out how to hash the password of some one and persist it in the database with SpringMVC:
我已经找到了如何散列某个人的密码并使用 SpringMVC 将其保存在数据库中:
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String pw = passwordEncoder.encode("test");
Now the question is, how I can verify the password coming from the request to let the user login my web app?现在的问题是,如何验证来自请求的密码以让用户登录我的 Web 应用程序? After some research I saw, that there are a lot of ways to do this.经过一些研究,我发现有很多方法可以做到这一点。 Some solutions works with user roles.一些解决方案适用于用户角色。
What my webapps should do is to offer my users a login page where they can register (here I would persist the password with the code shown above).我的 webapps 应该做的是为我的用户提供一个登录页面,他们可以在其中注册(在这里我将使用上面显示的代码保存密码)。 After registering they should be able to login, which means I need to verify the password from the login form.注册后他们应该可以登录,这意味着我需要验证登录表单中的密码。 Is there any state of the art example out there?有没有最先进的例子?
4 个解决方案
解决方案1
25 2015-08-20 00:52:32
This is how a raw password can be matched to an encoded one:这是原始密码与编码密码匹配的方式:
passwordEncoder.matches("rawPassword", user.getPassword()),
But as others say, coding Security on your own is cumbersome, and so I'd recommend using Spring Security instead.但正如其他人所说,自己编写 Security 代码很麻烦,因此我建议改用 Spring Security。 Yes, it does take effort to learn, but you can find good tutorials on it.是的,学习确实需要付出努力,但是您可以找到关于它的很好的教程。 Here is a unique tutorial on it (disclaimer: I'm the author).这是一个关于它的独特教程(免责声明:我是作者)。
解决方案2
1 2020-12-07 15:22:35
This is what i use when i implement my own change password functionality in spring这是我在 spring 中实现自己的更改密码功能时使用的
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
@Service
public class Utility {
private static BCryptPasswordEncoder passwordEcorder = new BCryptPasswordEncoder();
public String bcryptEncryptor(String plainText) {
return passwordEcorder.encode(plainText);
}
public Boolean doPasswordsMatch(String rawPassword,String encodedPassword) {
return passwordEcorder.matches(rawPassword, encodedPassword);
}
}
then in code to match two password ie rawPassword = password1234 and encodedPassword = $2a$10$zxvEq8XzYEYtNjbkRsJEbukHeRx3XS6MDXHMu8cNuNsRfZJWwswDy然后在代码中匹配两个密码,即 rawPassword = password1234 和 encodingPassword = $2a$10$zxvEq8XzYEYtNjbkRsJEbukHeRx3XS6MDXHMu8cNuNsRfZJWwswDy
the code would be like (called on some autowired object of Utility class):代码类似于(在 Utility 类的某个自动装配对象上调用):
doPasswordsMatch( rawPassword, encodedPassword );
this will return TRUE if passwords match, otherwise it will be FALSE如果密码匹配,这将返回 TRUE,否则将返回 FALSE
解决方案3
0 2015-08-19 21:38:52
要验证用户输入的密码是否正确,请对他们输入的值使用相同的单向哈希,然后将其与之前的哈希值进行比较 - 如果它们相同,则输入的密码是正确的。
解决方案4
0 2015-08-19 22:15:24
Authentication and authorization are not simple objectives in web apps.身份验证和授权不是 Web 应用程序中的简单目标。
Spring does have a security framework to help with this, however it is not simple to use. Spring 确实有一个安全框架来帮助解决这个问题,但是它使用起来并不简单。
I recommend that you evaluate the Apache Shiro security frame work (available through the ASF website) which does the best job so far of simplifying security for Spring and Java EE.我建议您评估 Apache Shiro 安全框架(可通过 ASF 网站获得),它在简化 Spring 和 Java EE 的安全性方面做得最好。
http://shiro.apache.org/ http://shiro.apache.org/
It has abstractions that enable you to authenticate from a custom store of user info.它具有使您能够从用户信息的自定义存储进行身份验证的抽象。 There are a number of online short authentication tutorials using Shiro that will help you out.有许多使用 Shiro 的在线简短身份验证教程可以帮助您。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.