Spring boot security encoding password easily

Edit:

The simplest way I found is:

@SuppressWarnings("deprecation")
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    DataSource dataSource;

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
        .usersByUsernameQuery(
                "SELECT username, password, abilitazione FROM public.utenti WHERE username=?")
        .passwordEncoder(passwordEncoder())
        .authoritiesByUsernameQuery(
                "SELECT username, ruolo FROM public.ruoli_utente WHERE username=?");
    } 

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //omitted for brevity
    }

    @Bean
    public PasswordEncoder passwordEncoder(){
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }
}

In my DAO class, I add users like this:

public void addElement(Utente u) {
    String password = u.getPassword();
    BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
    String hashedPassword = passwordEncoder.encode(password);
    u.setPassword(hashedPassword);
    jdbcTemplate.update("INSERT INTO public.utenti(username, password, abilitazione, email, nome, cognome) VALUES (?, ?, ?, ?, ?, ?)",
    new Object[] {u.getUsername(), u.getPassword(), u.getAbilitazione(), u.getEmail(), u.getNome(), u.getCognome()});

}

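I would like to encrypt and decrypt passwords in a super-easy way; it doesn't matter if it's not super-safe, it just must be safe for my purpose. So, I added the encrypted password to the database. When the user authenticates, it doesn't recognize the password even if I decode it. I did it this way: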

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    DataSource dataSource;

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
        .usersByUsernameQuery(
                "SELECT username, decode(password,'base64'), abilitazione FROM public.utenti WHERE username=?")
        .authoritiesByUsernameQuery(
                "SELECT username, ruolo FROM public.ruoli_utente WHERE username=?");
    } 
}

Can it work in a similar way (decoding directly in the usersByUsernameQuery method), or do I have to declare some bean for decoding?

I did it this way, and it seems quite clean and open to changes.

In your application class:

@Bean
public ApplicationSecurity applicationSecurity() {
    return new ApplicationSecurity();
}  

Your application security class:

public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailSecurityService userDetailSecurityService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().antMatchers("/ace/**",
                                                            "/app/**",
                                                            "/jquery/**",
                                                            "/bootstrap/**",
                                                            "/font-awesome/**",
                                                            "/jstree/**",
                                                            "/img/**").permitAll().anyRequest()
            .fullyAuthenticated();

        http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=1").permitAll().defaultSuccessUrl("/configurator").and().logout().permitAll();

        http.headers().frameOptions().disable().addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "SAMEORIGIN"));
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws  Exception {
        auth.userDetailsService(userDetailSecurityService).passwordEncoder(passwordEncoder());
    }


     @Bean
     public PasswordEncoder passwordEncoder(){
         return new MD5PasswordEncoder();
     }

}

And the class MD5PasswordEncoder, or any implementation you want to use:

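import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
// Assumed: Base64 here is the Apache Commons Codec class (the post shows no imports).
import org.apache.commons.codec.binary.Base64;
import org.springframework.security.crypto.password.PasswordEncoder;

public class MD5PasswordEncoder implements PasswordEncoder {

     // Returns Base64(MD5(password)) with the '=' padding stripped.
     @Override
     public String encode(CharSequence charSequence) {
         try {
             MessageDigest md = MessageDigest.getInstance("MD5");
             // Fixed charset so the digest does not depend on the platform default.
             byte[] digest = md.digest(charSequence.toString().getBytes(StandardCharsets.UTF_8));
             byte[] b64 = Base64.encodeBase64(digest);
             return new String(b64, StandardCharsets.US_ASCII).replace("=", "");
         } catch (NoSuchAlgorithmException ex) {
             // Fail instead of returning "", which would be stored or compared as if it were a hash.
             throw new IllegalStateException("An exception trying to encode a password", ex);
         }
     }

     @Override
     public boolean matches(CharSequence charSequence, String s) {
         // Constant-time comparison of the recomputed hash with the stored one.
         return s != null && MessageDigest.isEqual(
                 encode(charSequence).getBytes(StandardCharsets.UTF_8),
                 s.getBytes(StandardCharsets.UTF_8));
     }
}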

public interface UserDetailsService {
    UserDetails loadUserByUsername(String var1) throws UsernameNotFoundException;
}


@Service
public class UserDetailSecurityService implements UserDetailsService{

    // Here goes your user service implementation
    @Autowired
    UserService userService;

    // You need to override this method
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // You need to create a method in your service to find users by name
        UserDetails user = userService.findByUsername(username);
        if (user == null) {
            // The UserDetailsService contract forbids returning null
            throw new UsernameNotFoundException("User not found");
        }
        return user;
    }
}

In this case, if you need to change to a new encoder method, you only need to implement a new class with the proper system,
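
The encoder swap described in the answer, carried through to the stored hashes, as an added example (not code from the question or the answer): rows written by the MD5 encoder keep verifying, while new and upgraded hashes use the bcrypt encoder from the question's edit. It assumes Spring Security 5.1 or later (`DelegatingPasswordEncoder`, `upgradeEncoding`) and Java 9+; the class name `EncoderMigrationDemo` and the sample password are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class EncoderMigrationDemo {   // hypothetical class name
    // Legacy format from the answer: Base64(MD5(password)) without '=' padding.
    static final PasswordEncoder LEGACY_MD5 = new PasswordEncoder() {
        @Override public String encode(CharSequence raw) {
            try {
                byte[] d = MessageDigest.getInstance("MD5")
                        .digest(raw.toString().getBytes(StandardCharsets.UTF_8));
                return Base64.getEncoder().withoutPadding().encodeToString(d);
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException(e);
            }
        }
        @Override public boolean matches(CharSequence raw, String stored) {
            return MessageDigest.isEqual(encode(raw).getBytes(StandardCharsets.UTF_8),
                    stored.getBytes(StandardCharsets.UTF_8));
        }
    };

    // New hashes are written as "{bcrypt}..."; values without an {id} prefix are checked as legacy MD5.
    static PasswordEncoder migratingEncoder() {
        Map<String, PasswordEncoder> byId = Map.of("bcrypt", new BCryptPasswordEncoder());
        DelegatingPasswordEncoder enc = new DelegatingPasswordEncoder("bcrypt", byId);
        enc.setDefaultPasswordEncoderForMatches(LEGACY_MD5);
        return enc;
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = migratingEncoder();
        String raw = "correct horse";            // constructed sample password
        String stored = LEGACY_MD5.encode(raw);  // constructed legacy database value

        // A login against the legacy row succeeds and the row is flagged for re-hashing.
        if (encoder.matches(raw, stored) && encoder.upgradeEncoding(stored)) {
            stored = encoder.encode(raw);        // a DAO would UPDATE the password column here
        }
        System.out.println("stored now: " + stored.substring(0, 12) + "...");
        System.out.println("right password: " + encoder.matches(raw, stored));
        System.out.println("wrong password: " + encoder.matches("wrong", stored));
    }
}
```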
