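How to get the username and the entered password, without encoding, with Spring Boot Security

I have implemented the security layer with Spring Boot Security, and I have used the MD5 encryption mechanism to encode the password. It is working perfectly, as expected, but I need to get the original username and password that the user entered in the DAO or service layer. Following is the code I have used:
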
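    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.access.AccessDeniedException;
    import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.web.access.AccessDeniedHandler;
    import org.springframework.security.web.csrf.CsrfFilter;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

    // UserDao, the REST* handlers, CsrfTokenResponseHeaderBindingFilter and
    // MyCustomUserDetailsService are the poster's own classes.
    // The class declaration was missing from the post; the name SecurityConfig is assumed.
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        UserDao userDao;

        @Autowired
        @Qualifier("userDetailsService")
        UserDetailsService userDetailsService;

        @Autowired
        private RESTAuthenticationEntryPoint authenticationEntryPoint;

        @Autowired
        private RESTAuthenticationFailureHandler authenticationFailureHandler;

        @Autowired
        private RESTAuthenticationSuccessHandler authenticationSuccessHandler;

        @Override
        public void configure(WebSecurity web) throws Exception {
            // Static resources bypass the security filter chain entirely
            web.ignoring().antMatchers("/css/**", "/fonts/**", "/images/**");
        }

        /**
         * Security implementation to access the services
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().antMatchers("/", "/index.html", "/home.html", "/page/*", "/home/*", "/login.html", "/login", "/cms/createPhoneNo").permitAll();
            http.authorizeRequests().anyRequest().fullyAuthenticated().and().httpBasic().and().csrf().disable();
            http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
            http.formLogin().loginProcessingUrl("/login/authenticate").successHandler(authenticationSuccessHandler);
            http.formLogin().failureHandler(authenticationFailureHandler);
            http.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).invalidateHttpSession(true);
            http.exceptionHandling().accessDeniedHandler(accessDeniedHandler());
            // CSRF tokens handling
            http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);
        }

        /**
         * Configures the authentication manager bean which processes authentication
         * requests.
         */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Dao based authentication
            auth.userDetailsService(userDetailsService).passwordEncoder(new Md5PasswordEncoder());
        }

        private AccessDeniedHandler accessDeniedHandler() {
            return new AccessDeniedHandler() {
                @Override
                public void handle(HttpServletRequest request, HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException, ServletException {
                    response.getWriter().append("Access denied");
                    response.setStatus(403);
                }
            };
        }

        /**
         * This bean loads the user-specific data when form login is used.
         */
        @Bean
        public UserDetailsService userDetailsService() {
            return new MyCustomUserDetailsService(userDao);
        }
    }
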
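Can anyone please help me implement this scenario?

Thanks,

You can't "decode" md5. Md5 is a (very weak) one-way hash. May I ask why you want the original password? The point of hashing is to not have it. Also, consider using at least sha-256, or bcrypt or scrypt; md5 is very weak and is not suitable for anything other than checksums. – Taylor

@Taylor Actually, I need to check against two databases based on user type. In one DB I have the user's password encoded along with the user type. If the entered user is not found with that user type, I need to switch the user authentication to another database, where I have the password stored as the raw password, so I need the entered raw password. Do you have any idea? – DIVA

You don't need the original password. You just hash the password from the database using the same method as the front end and compare the hashes. – dunni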
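
The two-database check discussed in the comments above can be done inside a custom `AuthenticationProvider`, which is where Spring Security hands over the password as entered. This is an added example, not code from the thread or from any participant. `TwoStoreAuthenticationProvider`, the `PasswordLookup` interface, both stores and the `ROLE_USER` authority are assumptions, and the encoder is assumed to be a `org.springframework.security.crypto.password.PasswordEncoder` such as `BCryptPasswordEncoder`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: PasswordLookup, both stores and ROLE_USER are assumptions, not the poster's code.
public class TwoStoreAuthenticationProvider implements AuthenticationProvider {
    /** Hypothetical DAO contract: the stored password value, or null if the user is unknown. */
    public interface PasswordLookup { String storedPassword(String username); }
    private final PasswordLookup hashedStore; // first database: encoded passwords
    private final PasswordLookup rawStore;    // second database: passwords stored as entered
    private final PasswordEncoder encoder;    // must be the encoder hashedStore was written with
    public TwoStoreAuthenticationProvider(PasswordLookup hashedStore, PasswordLookup rawStore, PasswordEncoder encoder) {
        this.hashedStore = hashedStore;
        this.rawStore = rawStore;
        this.encoder = encoder;
    }

    @Override
    public Authentication authenticate(Authentication authentication) {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials(); // the password exactly as typed
        if (credentials == null) throw new BadCredentialsException("Bad credentials");
        String presented = credentials.toString();
        String stored = hashedStore.storedPassword(username);
        boolean ok;
        if (stored != null) {
            ok = encoder.matches(presented, stored);          // hash the input, compare hashes
        } else {
            stored = rawStore.storedPassword(username);       // fall back to the second database
            ok = stored != null && MessageDigest.isEqual(     // constant-time comparison
                    presented.getBytes(StandardCharsets.UTF_8), stored.getBytes(StandardCharsets.UTF_8));
        }
        // One error for unknown user and wrong password, so the response does not reveal which.
        if (!ok) throw new BadCredentialsException("Bad credentials");
        return new UsernamePasswordAuthenticationToken(username, null,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Registering it with `auth.authenticationProvider(...)` in `configure(AuthenticationManagerBuilder)` keeps the entered password inside the provider, so the DAO only ever returns stored values and never receives the raw input.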