2017-01-17 35 views
0

Edit: Spring Boot Security, encoding the password easily

I found the simplest way:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@SuppressWarnings("deprecation")
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    DataSource dataSource;

    // Users and authorities are loaded over JDBC. The query returns the stored
    // bcrypt hash unchanged; the PasswordEncoder bean below does the comparison.
    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
            .usersByUsernameQuery(
                "SELECT username, password, abilitazione FROM public.utenti WHERE username=?")
            .passwordEncoder(passwordEncoder())
            .authoritiesByUsernameQuery(
                "SELECT username, ruolo FROM public.ruoli_utente WHERE username=?");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // omitted for brevity
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }
}
In my DAO class I add a user like this:

public void addElement(Utente u) {
    String password = u.getPassword();
    // bcrypt generates a fresh salt for every call, so the same password
    // produces a different hash each time; only matches() can verify it.
    BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
    String hashedPassword = passwordEncoder.encode(password);
    u.setPassword(hashedPassword);
    jdbcTemplate.update("INSERT INTO public.utenti(username, password, abilitazione, email, nome, cognome) VALUES (?, ?, ?, ?, ?, ?)",
        new Object[] {u.getUsername(), u.getPassword(), u.getAbilitazione(), u.getEmail(), u.getNome(), u.getCognome()});
}

I want to encrypt and decrypt the password in a super simple way; it doesn't matter if it isn't super secure, it only has to be secure enough for my purposes. So in the database I added the encrypted password. When the user authenticates, even if I decode it, the password is not recognised. I did it like this:

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    DataSource dataSource;

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
            .usersByUsernameQuery(
                "SELECT username, decode(password,'base64'), abilitazione FROM public.utenti WHERE username=?")
            .authoritiesByUsernameQuery(
                "SELECT username, ruolo FROM public.ruoli_utente WHERE username=?");
    }
}

Can it work in a similar way (decoding directly in the usersByUsernameQuery method), or do I have to declare some bean for the decoding?

Answer

1

I did it this way; it looks clean and can be changed at any time.

In your application class:

@Bean
public ApplicationSecurity applicationSecurity() {
    return new ApplicationSecurity();
}

Your application security class:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailSecurityService userDetailSecurityService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // static resources are public, everything else needs a full login
        http.csrf().disable().authorizeRequests().antMatchers("/ace/**",
                "/app/**",
                "/jquery/**",
                "/bootstrap/**",
                "/font-awesome/**",
                "/jstree/**",
                "/img/**").permitAll().anyRequest()
            .fullyAuthenticated();

        http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=1").permitAll().defaultSuccessUrl("/configurator").and().logout().permitAll();

        http.headers().frameOptions().disable().addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "SAMEORIGIN"));
    }

    // the user lookup and the password comparison are wired here; the encoder
    // bean below is what matches() the submitted password against the stored one
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailSecurityService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new MD5PasswordEncoder();
    }

}

And the class MD5PasswordEncoder, or whatever implementation you want to use:

import java.security.MessageDigest;

import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.crypto.password.PasswordEncoder;

public class MD5PasswordEncoder implements PasswordEncoder {

    private static final Logger logger = LoggerFactory.getLogger(MD5PasswordEncoder.class);

    // stores the unsalted MD5 digest as base64 with the trailing '=' padding removed
    @Override
    public String encode(CharSequence charSequence) {
        String encPass = "";
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(charSequence.toString().getBytes());
            byte[] b64 = Base64.encodeBase64(digest);
            encPass = new String(b64);
            encPass = encPass.replaceAll("=", "");
        } catch (Exception ex) {
            logger.error("An exception trying to encode a password", ex);
        }
        return encPass;
    }

    // re-encodes the submitted password and compares it with the stored value
    @Override
    public boolean matches(CharSequence charSequence, String s) {
        return encode(charSequence).equals(s);
    }
}

// This is Spring Security's own interface (org.springframework.security.core.userdetails),
// shown here only so you can see the method that has to be implemented:
public interface UserDetailsService {
    UserDetails loadUserByUsername(String var1) throws UsernameNotFoundException;
}


import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class UserDetailSecurityService implements UserDetailsService {

    // Here your user service implementation
    @Autowired
    UserService userService;

    // you need to override this method name
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // you need to create a method in your service to find users by name
        return userService.findByUsername(username);
    }
}

In this case, if you need to change to a new encoder method, you only need to implement a new class with the proper system and you are done.

+0

How did you do your class UserDetailSecurityService? – tina

+0

@tina added the 2 classes – cralfaro

+0

I'm trying to understand why mine doesn't work. You wrote a UserService class (surely using a userdao class), which does what the configAuthentication method in my class does. So why, if I use the decode function in my SQL, is it in my database instead of in the project? Why do you have to use a method to encode and decode the password in the sql query? – tina
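As an added example (not code from the question or from the answer), here is a PasswordEncoder configuration that addresses both snippets: the question's query must return the stored value untouched, because Spring Security verifies the password in the encoder's matches() and never in SQL (base64 is a reversible encoding, not a hash), while the answer's unsalted MD5 compared with String.equals is replaced by bcrypt for new hashes, with existing MD5 rows still accepted and rewritten to bcrypt on the user's next successful login. It assumes Spring Security 5.1 or later, Spring Boot's default authentication wiring from beans (a UserDetailsService bean such as the answer's UserDetailSecurityService, not jdbcAuthentication), the question's public.utenti table, and a class name (PasswordEncoderConfig) of my own choosing.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.sql.DataSource;
import org.springframework.context.annotation.*;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.userdetails.UserDetailsPasswordService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.*;

@Configuration
public class PasswordEncoderConfig { // hypothetical class name, not from the page
    // Verify-only encoder reproducing the answer's format (unpadded base64 of MD5).
    static final class LegacyMd5Encoder implements PasswordEncoder {
        @Override public String encode(CharSequence raw) {
            try {
                byte[] digest = MessageDigest.getInstance("MD5")
                        .digest(raw.toString().getBytes(StandardCharsets.UTF_8));
                return Base64.getEncoder().withoutPadding().encodeToString(digest);
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException(e);
            }
        }
        @Override public boolean matches(CharSequence raw, String stored) {
            // Constant-time comparison instead of the answer's String.equals.
            return MessageDigest.isEqual(encode(raw).getBytes(StandardCharsets.UTF_8),
                    stored.getBytes(StandardCharsets.UTF_8));
        }
    }
    @Bean
    public PasswordEncoder passwordEncoder() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        DelegatingPasswordEncoder delegating = new DelegatingPasswordEncoder("bcrypt", encoders);
        // Stored values without a "{id}" prefix are the old bare MD5 strings.
        delegating.setDefaultPasswordEncoderForMatches(new LegacyMd5Encoder());
        return delegating;
    }
    // Called by Spring Security after a successful login when upgradeEncoding() is true,
    // which the delegating encoder reports for every row not already marked {bcrypt}.
    @Bean
    public UserDetailsPasswordService passwordUpgrader(DataSource dataSource) {
        JdbcTemplate jdbc = new JdbcTemplate(dataSource);
        return (user, newHash) -> {
            jdbc.update("UPDATE public.utenti SET password = ? WHERE username = ?",
                    newHash, user.getUsername());
            return user;
        };
    }
}
```

With this in place the usersByUsernameQuery stays "SELECT username, password, abilitazione ..." with no decode() call, and new users are inserted with passwordEncoder().encode(raw), which yields a "{bcrypt}..." string.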