Wind_ZhongGang

Spring security customize password encoder


  Spring Security provides the PasswordEncoder interface. By implementing it you can define a custom PasswordEncoder and so strengthen the application's authentication and overall security.

 

  1. CustomizePasswordEncoder.java

 

package com.template.security;

import org.springframework.dao.DataAccessException;
import org.springframework.security.authentication.encoding.PasswordEncoder;

/**
 * Custom PasswordEncoder used in this example.
 *
 * Created by IntelliJ IDEA.
 * User: Zhong Gang
 * Date: 11-7-29
 * Time: 9:05 PM
 */
public class CustomizePasswordEncoder implements PasswordEncoder {

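    /**
     * Demo transformation: wraps the raw password in the fixed strings "Zhong" and "Gang".
     *
     * @param rawPass the password that needs to be encoded
     * @param salt    the salt value supplied by the configured salt-source (not used here)
     * @return the encoded password
     * @throws DataAccessException
     */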
    @Override
    public String encodePassword(String rawPass, Object salt) throws DataAccessException {
        rawPass = "Zhong" + rawPass;
        rawPass = rawPass + "Gang";
        return rawPass;
    }

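    /**
     * Applies the same transformation to the submitted password and compares it with the stored value.
     *
     * @param encPass the encoded password stored by the application
     * @param rawPass the raw password submitted at login
     * @param salt    the salt value supplied by the configured salt-source (not used here)
     * @return true if the password is valid, false if it is invalid
     * @throws DataAccessException
     */
    @Override
    public boolean isPasswordValid(String encPass, String rawPass, Object salt) throws DataAccessException {
        rawPass = "Zhong" + rawPass;
        rawPass = rawPass + "Gang";
        // rawPass is never null here, so this comparison is safe when encPass is null
        return rawPass.equals(encPass);
    }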

}

 

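  The first method applies special processing to the submitted password so that it cannot easily be cracked, which strengthens the application's security. The second method checks whether the submitted password matches the password stored by the application. Because the stored password is produced by applying that processing to the submitted password, we have to define ourselves how the submitted password and the stored password are compared.

  Both methods take a parameter named salt, the salt value used in encryption. The process is to combine the password with the content designated as the salt and then compute MD5 over the combined content. Because an attacker does not know the salt, it is hard to work back from the computed value to the original password. To use a salt, besides defining in the custom PasswordEncoder how the salt is used to encrypt the password, you must also configure in security.xml what serves as the salt, as shown below: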

 

<password-encoder ref="customizePasswordEncoder">
          <salt-source user-property="username"/>
</password-encoder>

 

  Here the user's username is used as the salt.
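  The salting scheme described above, as an added example that is not part of the original article: a JDK-only class whose two methods mirror the PasswordEncoder signatures, mix the salt into a one-way hash, and compare the result in constant time, so that two users with the same password no longer get the same stored value. It uses PBKDF2WithHmacSHA256 in place of the MD5 the text mentions; the class name, iteration count and sample accounts are assumptions, and Java 8 or later is assumed.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not the article's code. The two methods mirror the
// PasswordEncoder signatures above; declaring "implements PasswordEncoder"
// lets the same <password-encoder ref="..."/> wiring use this class.
public class SaltedHashPasswordEncoder {
    private static final int ITERATIONS = 100_000; // assumed work factor
    private static final int KEY_BITS = 256;

    public String encodePassword(String rawPass, Object salt) {
        if (rawPass == null || salt == null) {
            throw new IllegalArgumentException("password and salt are required");
        }
        byte[] saltBytes = salt.toString().getBytes(StandardCharsets.UTF_8);
        PBEKeySpec spec = new PBEKeySpec(rawPass.toCharArray(), saltBytes, ITERATIONS, KEY_BITS);
        try {
            byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return String.format("%064x", new BigInteger(1, hash)); // fixed-width hex
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        } finally {
            spec.clearPassword();
        }
    }

    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        if (encPass == null || rawPass == null || salt == null) {
            return false;
        }
        byte[] stored = encPass.getBytes(StandardCharsets.UTF_8);
        byte[] computed = encodePassword(rawPass, salt).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(stored, computed); // comparison time does not depend on content
    }

    public static void main(String[] args) {
        SaltedHashPasswordEncoder enc = new SaltedHashPasswordEncoder();
        String alice = enc.encodePassword("s3cret", "alice"); // constructed sample accounts
        String bob = enc.encodePassword("s3cret", "bob");
        System.out.println("same password, different salt, equal hashes? " + alice.equals(bob));
        System.out.println("alice verifies: " + enc.isPasswordValid(alice, "s3cret", "alice"));
        System.out.println("wrong salt verifies: " + enc.isPasswordValid(alice, "s3cret", "bob"));
    }
}
```

  The salt argument is only populated when a salt-source element is configured as in the snippet above; without one it arrives as null and this class rejects the call.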

 

  2. security.xml

 

<?xml version="1.0" encoding="UTF-8"?>  
  
<beans:beans xmlns="http://www.springframework.org/schema/security"  
             xmlns:beans="http://www.springframework.org/schema/beans"  
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd  
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">  

    <beans:import resource="datasource.xml"/>

    <http use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="http"/>
        <form-login/>
        <remember-me/>

        <session-management>
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
        </session-management>

    </http>

    <authentication-manager>
        <authentication-provider>
            <password-encoder ref="customizePasswordEncoder"/>
            <jdbc-user-service data-source-ref="dataSource"
              users-by-username-query="select username,password,enabled as status from user where username=?"
              authorities-by-username-query="select u.username,r.name as authority from user u join authority a on a.userid=u.id join role r on r.id=a.roleid where u.username=?"/>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="customizePasswordEncoder" class="com.template.security.CustomizePasswordEncoder"/>

</beans:beans>

   In the configuration file, the custom PasswordEncoder is registered by adding a password-encoder element.
