验证Grails中的加密密码
[英]Validating encrypted passwords in grails
问题描述
In grails I can set the password field to have a minimum size constraint of 5 (arbitrary). 
在grails中,我可以将密码字段设置为最小大小限制为5(任意)。 The problem is that I use spring security service to encode my password and the encoded/encrypted password is much longer than 5 characters almost no matter what value I put in. 问题是我使用Spring Security服务对我的密码进行编码,而无论我输入什么值,编码/加密的密码都远远超过5个字符。
Another forum response suggested doing that validation in the save method. 另一个论坛答复建议在save方法中进行该验证。 Has anyone else tackled this problem and knows a way around it? 还有其他人解决过这个问题,并且知道解决方法吗?
Spring security does not provide a decode method (probably for security purposes)... so I guess one idea would be to get a different password encoder that could decode the password for validation purposes... but my instinct says that spring security leaves this out for a good reason and maybe I should too... Spring Security不提供解码方法(可能出于安全目的)...所以我想一个想法是要获得一个可以对密码进行解码以用于验证目的的不同密码编码器...但是我的直觉是Spring Security会保留这种方法有充分的理由出去,也许我也应该...
static constraints = {
username(blank: false, unique: true)
password(minSize: 5, blank: false, unique: true,
validator: { passwd, user ->
return passwd != user.username
})
passwordRepeat(nullable: false,
validator: { passwd2, user ->
return passwd2 == user.password
})
}
So I'm using the static constraints to validate as most other variables are validated this way. 因此,我使用静态约束进行验证,因为大多数其他变量都是通过这种方式验证的。
My apologies for the unreadable comment. 对于无法阅读的评论,我深表歉意。
Thank you, -Asaf 谢谢-Asaf
Edit: I think a simple fix is as mentioned above, doing the validation in the save method (before encryption), but I just feel like someone somewhere must have had to deal with this issue before. 编辑:我认为一个简单的修复方法如上所述,可以在save方法中进行验证(在加密之前),但我只是觉得某个地方的某个人之前必须先处理此问题。 I mean there's so many websites that require passwords and that yell at you if it's too short, if it doesn't contain both lowercase and uppercase letters, if it doesn't have a symbol... How do all of them do the various validation methods they use? 我的意思是,有太多需要密码的网站,如果密码太短,如果它既不包含小写字母又包含大写字母,没有符号,就会大喊大叫。他们使用的验证方法?
1 个解决方案
解决方案1
1 已采纳 2011-05-19 20:16:23
you can't decode what Spring Security encodes... That's md5 or sha-256 !!! 您无法解码Spring Security编码的内容……是md5或sha-256 !!! That's exactly the purpose of the crypting process. 这正是加密过程的目的。 Then, you can't know what's the password even if the databases files are stolen 然后,即使数据库文件被盗,您也不知道密码是什么
To validate passwords, you need to prompt the user for a clear one, (transmit in https, please) and then encode it with the same algorithm. 要验证密码,您需要提示用户输入一个清晰的密码(请在https中传输),然后使用相同的算法对其进行编码。 Then, you have to compare it to the encoded password you stored 然后,您必须将其与您存储的编码密码进行比较
Use the class DigestUtils to encode your received password with the same algorithm used the first time. 使用DigestUtils类使用首次使用的算法对收到的密码进行编码。 This is a Spring Security Config grails.plugins.springsecurity.password.algorithm 这是一个Spring Security Config grails.plugins.springsecurity.password.algorithm
And yes, you have to validate before saving... For that we have added a metaclass in Bootstrap 是的,您必须在保存之前进行验证...为此,我们在Bootstrap中添加了一个元类
String.metaClass.validateAsPassword
to have a unique point from which validating our passwords before saving them 在保存密码之前有一个独特的验证点
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.