Spring Security (33): 10.3 Password Encoding
Spring Security's PasswordEncoder interface is used to support the use of passwords which are encoded in some way in persistent storage. You should never store passwords in plain text. Always use a one-way password hashing algorithm such as bcrypt, which uses a built-in salt value which is different for each stored password. Do not use a plain hash function such as MD5 or SHA, or even a salted version. Bcrypt is deliberately designed to be slow and to hinder offline password cracking, whereas standard hash algorithms are fast and can easily be used to test thousands of passwords in parallel on custom hardware. You might think this doesn't apply to you since your password database is secure and offline attacks aren't a risk.
The org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder is a good choice for security. There are also compatible implementations in other common programming languages, so it is a good choice for interoperability too. The legacy PasswordEncoder types are in the org.springframework.security.authentication.encoding package. The DaoAuthenticationProvider can be injected with either the new or legacy PasswordEncoder types.
10.3.1 What is a hash?
Password hashing is not unique to Spring Security but is a common source of confusion for users who are not familiar with the concept. A hash (or digest) algorithm is a one-way function which produces a piece of fixed-length output data (the hash) from some input data, such as a password. As an example, the MD5 hash of the string "password" (in hexadecimal) is
5f4dcc3b5aa765d61d8327deb882cf99
A hash is "one-way" in the sense that it is very difficult (effectively impossible) to obtain the original input given the hash value, or indeed any possible input which would produce that hash value. This property makes hash values very useful for authentication purposes. They can be stored in your user database as an alternative to plaintext passwords, and even if the values are compromised they do not immediately reveal a password which can be used to log in. Note that this also means you have no way of recovering the password once it is encoded.
10.3.2 Adding Salt to a Hash
One potential problem with the use of password hashes is that it is relatively easy to get round the one-way property of the hash if a common word is used for the input. People tend to choose similar passwords, and huge dictionaries of these from previously hacked sites are available online. For example, if you search for the hash value 5f4dcc3b5aa765d61d8327deb882cf99 using Google, you will quickly find the original word "password". In a similar way, an attacker can build a dictionary of hashes from a standard word list and use this to look up the original password.
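The following is an added example, not code from the Spring Security reference or from this blog, illustrating the two points above with the JDK alone: a digest is a fixed-length one-way value (the MD5 of "password" is the 5f4dcc3b... value quoted above), an unsalted digest of a common word is recovered instantly from a precomputed table, and mixing a random per-user salt into the digest defeats a table that was built without it. The word list is a constructed sample. Salted MD5 appears here only to show the mechanism; the page's recommendation of bcrypt still stands.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Added example (not from the Spring Security reference): what a hash is, and why an
 *  unsalted hash of a common word is trivially reversed by a precomputed dictionary. */
public class HashLookupDemo {

    /** Hex-encoded digest of the concatenated parts, using the named JDK algorithm. */
    static String hexDigest(String algorithm, byte[]... parts) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            for (byte[] p : parts) {
                md.update(p);
            }
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest()) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static byte[] utf8(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // A hash is one-way: the only way to check a guess is to recompute it and compare.
        String stored = hexDigest("MD5", utf8("password"));
        System.out.println("md5(\"password\") = " + stored);
        System.out.println("output length is always " + stored.length() + " hex chars");

        // The weakness: identical input always gives identical output, so a table built once
        // from a word list answers "which word produced this hash?" for every unsalted database.
        String[] constructedWordList = {"letmein", "123456", "password", "qwerty"}; // constructed sample
        Map<String, String> table = new HashMap<>();
        for (String w : constructedWordList) {
            table.put(hexDigest("MD5", utf8(w)), w);
        }
        System.out.println("table lookup of unsalted value -> " + table.get(stored));

        // Salting: prepend a random per-user value and store it next to the hash. The table was
        // built without this salt, so the lookup returns nothing.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        String saltedStored = hexDigest("MD5", salt, utf8("password"));
        System.out.println("table lookup of salted value   -> " + table.get(saltedStored));

        // Verification still works: recompute with the stored salt and compare in constant time.
        String recomputed = hexDigest("MD5", salt, utf8("password"));
        boolean ok = MessageDigest.isEqual(utf8(saltedStored), utf8(recomputed));
        System.out.println("salted verification succeeds: " + ok);
    }
}
```

Compile and run with `javac HashLookupDemo.java && java HashLookupDemo`. The first lookup prints the word "password", the second prints null, and the final verification prints true; the salt has to be stored with the hash, which is exactly the bookkeeping bcrypt takes care of internally.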
The legacy approach to handling salt was to inject a SaltSource into the DaoAuthenticationProvider, which would obtain a salt value for a particular user and pass it to the PasswordEncoder. Using bcrypt means you don't have to worry about the details of salt handling (such as where the value is stored), as it is all done internally. So we'd strongly recommend you use bcrypt unless you already have a system in place which stores the salt separately.
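Here is an added example, not part of the reference text, showing the bcrypt path the paragraph recommends: BCryptPasswordEncoder generates and embeds a fresh salt on every encode call, matches() reads it back out of the stored value, and the same encoder object is injected into DaoAuthenticationProvider so no SaltSource is involved. It assumes Spring Security 4.x or later on the classpath; the username "alice", the passphrase strings and the in-memory UserDetailsService lambda are constructed stand-ins for a real user store.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Added example (not from the Spring Security reference): bcrypt's internal salt handling
 *  and wiring the encoder into DaoAuthenticationProvider. */
public class BcryptProviderDemo {

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder(); // default cost factor 10
        String passphrase = "correct horse battery staple";    // constructed sample

        // Encoding the same password twice gives two different strings: bcrypt draws a new
        // random salt each time and stores it inside the output alongside the cost factor.
        String hash1 = encoder.encode(passphrase);
        String hash2 = encoder.encode(passphrase);
        System.out.println(hash1);
        System.out.println(hash2);
        System.out.println("identical stored values? " + hash1.equals(hash2));

        // matches() extracts the salt from the stored value, so no external SaltSource is needed.
        System.out.println("hash1 verifies: " + encoder.matches(passphrase, hash1));
        System.out.println("hash2 verifies: " + encoder.matches(passphrase, hash2));
        System.out.println("wrong password verifies: " + encoder.matches("Tr0ub4dor&3", hash1));

        // Constructed in-memory stand-in for the application's UserDetailsService. Only the
        // bcrypt string is stored; the plaintext never reaches persistent storage.
        UserDetailsService users = username -> {
            if (!"alice".equals(username)) {
                throw new UsernameNotFoundException(username);
            }
            return new User("alice", hash1, AuthorityUtils.createAuthorityList("ROLE_USER"));
        };

        // The provider is given the same encoder that produced the stored values.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);

        Authentication result = provider.authenticate(
                new UsernamePasswordAuthenticationToken("alice", passphrase));
        System.out.println("authenticated: " + result.isAuthenticated());

        try {
            provider.authenticate(new UsernamePasswordAuthenticationToken("alice", "Tr0ub4dor&3"));
        } catch (BadCredentialsException e) {
            System.out.println("rejected wrong password: " + e.getMessage());
        }
    }
}
```

The two printed bcrypt strings differ in their salt section yet both verify, which is the property that lets you drop SaltSource entirely. In a Spring configuration the same three objects (encoder, UserDetailsService, provider) would be declared as beans rather than created in main.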
10.3.3 Hashing and Authentication
When an authentication provider (such as Spring Security's DaoAuthenticationProvider) needs to check the password in a submitted authentication request against the known value for a user, and the stored password is encoded in some way, then the submitted value must be encoded using exactly the same algorithm. It's up to you to check that these are compatible as Spring Security has no control over the persistent values. If you add password hashing to your authentication configuration in Spring Security, and your database contains plaintext passwords, then there is no way authentication can succeed. Even if you are aware that your database is using MD5 to encode the passwords, for example, and your application is configured to use Spring Security's Md5PasswordEncoder, there are still things that can go wrong.
encode method on the PasswordEncoder.
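As an added example (not from the reference), the check the section asks you to perform can be scripted: take a password whose stored value you know and ask the configured encoder whether it reproduces that value. The block covers the three situations the text names: a row that is still plaintext while bcrypt is configured (can never succeed), a bcrypt row with the bcrypt encoder, and an MD5 database with Md5PasswordEncoder, where one illustrative thing that can still go wrong is the stored digest being Base64 text while the encoder emits hex. It assumes Spring Security 4.x, where the legacy org.springframework.security.authentication.encoding package still exists; the password "secret" and the helper name storedValueIsCompatible are constructed for this example.

```java
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Added example (not from the Spring Security reference): a start-up self-check that the
 *  encoder configured in Spring Security can verify a known stored value. */
public class EncodingCompatibilityCheck {

    /** True only if the configured encoder reproduces the format of the stored value. */
    static boolean storedValueIsCompatible(PasswordEncoder encoder, String knownRawPassword,
                                           String storedValue) {
        // matches() re-encodes the raw password with the parameters found in the stored value
        // and compares; a plaintext or differently encoded row can never match.
        return encoder.matches(knownRawPassword, storedValue);
    }

    public static void main(String[] args) {
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();

        // Case 1: the database row still holds plaintext but the application is configured
        // for bcrypt. Authentication cannot succeed for any user in this state.
        System.out.println("plaintext row, bcrypt encoder: "
                + storedValueIsCompatible(bcrypt, "secret", "secret"));

        // Case 2: the row was written by the same bcrypt scheme the application uses.
        String bcryptRow = bcrypt.encode("secret");
        System.out.println("bcrypt row, bcrypt encoder:    "
                + storedValueIsCompatible(bcrypt, "secret", bcryptRow));

        // Case 3: legacy MD5 database. Md5PasswordEncoder emits lowercase hex by default;
        // rows that were stored Base64-encoded use the same algorithm yet still fail until
        // the encoder's output encoding is set to match the persisted values.
        Md5PasswordEncoder md5Hex = new Md5PasswordEncoder();
        Md5PasswordEncoder md5B64 = new Md5PasswordEncoder();
        md5B64.setEncodeHashAsBase64(true);
        String hexRow = md5Hex.encodePassword("secret", null); // 32 hex characters
        String b64Row = md5B64.encodePassword("secret", null); // 24 Base64 characters
        System.out.println("hex row, hex encoder:          "
                + md5Hex.isPasswordValid(hexRow, "secret", null));
        System.out.println("b64 row, hex encoder:          "
                + md5Hex.isPasswordValid(b64Row, "secret", null));
        System.out.println("b64 row, b64 encoder:          "
                + md5B64.isPasswordValid(b64Row, "secret", null));
    }
}
```

Running this before enabling a new encoder in production turns a silent "everyone is locked out" failure into a single false line on the console. The legacy encoder's `isPasswordValid` takes an explicit salt argument; pass the same value your SaltSource would supply (null here because the constructed rows are unsalted).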