堆栈内存溢出
  简体   繁体   English

升级 Spring 安全密码编码器

[英]Upgrading Spring Security PasswordEncoder

 原文  2021-06-14 09:05:02       java/ spring/ spring-security

问题描述

Upgrading from:升级自:

import org.springframework.security.authentication.encoding.PasswordEncoder;

    @Override
    public String encodePassword(String plainPassword, Object salt) {
        final String finalSalt = salt != null ? salt.toString() : "";
        return DigestUtils.md5Hex(finalSalt + plainPassword);
    }

    @Override
    public boolean isPasswordValid(String encodedPassword, String plainPassword, Object salt) {
        final String enteredPassword = encodePassword(plainPassword, salt);
        return encodedPassword.equals(enteredPassword);
    }

To:至:

import org.springframework.security.crypto.password.PasswordEncoder;

    @Override
    public String encode(CharSequence rawPassword) {
      final String finalSalt = salt != null ? salt.toString() : "";
      return DigestUtils.md5Hex(finalSalt + plainPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
       final String enteredPassword = encodePassword(plainPassword, salt);
       return encodedPassword.equals(enteredPassword);
    }
  1. Not sure what to do about salt ?不知道如何处理salt
  2. Not sure if I can just convert rawPassword to String to replace plainPassword ?不确定我是否可以将rawPassword转换为String来替换plainPassword

1 个解决方案

解决方案1
 0  2021-06-14 09:44:22

The new methods expect that salt is part of the encoded password.新方法期望盐是编码密码的一部分。 As per PasswordEncoder.encoder() javadoc :根据PasswordEncoder.encoder() javadoc

Encode the raw password.对原始密码进行编码。 Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.通常,一个好的编码算法应用 SHA-1 或更大的 hash 结合 8 字节或更大的随机生成的盐。

If you look at this answer it shows how BCryptPasswordEncoder encodes salt in the encoded password.如果您查看此答案,它会显示BCryptPasswordEncoder如何在编码密码中编码盐。 The actual BCrypt encoded password format is explained here .此处解释了实际的 BCrypt 编码密码格式。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Security,PasswordEncoder问题 - Spring Security, Problem with PasswordEncoder Java Spring Security PasswordEncoder - Java Spring Security PasswordEncoder 从Spring Security使用PasswordEncoder - Using PasswordEncoder from Spring Security Spring Boot Security 4自定义PasswordEncoder - Spring Boot Security 4 custom PasswordEncoder Spring Security AuthenticationManager 设置一个 PasswordEncoder - Spring Security AuthenticationManager set a PasswordEncoder JUnit 5 Spring Security WebMvcTest 没有 PasswordEncoder 类型的 bean - JUnit 5 Spring Security WebMvcTest no bean of type PasswordEncoder Spring Security> 5.0.0删除了Md5PasswordEncoder - Spring Security >5.0.0 removed Md5PasswordEncoder Spring Security无法使用userDetailService和passwordEncoder登录 - Spring Security unable to log using userDetailService and passwordEncoder 如何在Spring Security中将PasswordEncoder添加到JdbcUserDetailsManager中? - How to add PasswordEncoder into JdbcUserDetailsManager in Spring Security? 绕过 Spring 中的 PasswordEncoder 已加密密码的安全性 - Bypass PasswordEncoder in Spring Security for already encrypted passwords
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM