Spring Security(三十三):10.3 Password Encoding
Spring Security’s PasswordEncoder
interface is used to support the use of passwords which are encoded in some way in persistent storage. You should never store passwords in plain text. Always use a one-way password hashing algorithm such as bcrypt which uses a built-in salt value which is different for each stored password. Do not use a plain hash function such as MD5 or SHA, or even a salted version. Bcrypt is deliberately designed to be slow and to hinder offline password cracking, whereas standard hash algorithms are fast and can easily be used to test thousands of passwords in parallel on custom hardware. You might think this doesn’t apply to you since your password database is secure and offline attacks aren’t a risk.
org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
is a good choice for security. There are also compatible implementations in other common programming languages so it a good choice for interoperability too.org.springframework.security.authentication.encoding
. The DaoAuthenticationProvider
can be injected with either the new or legacy PasswordEncoder
types.10.3.1 What is a hash?
Password hashing is not unique to Spring Security but is a common source of confusion for users who are not familiar with the concept. A hash (or digest) algorithm is a one-way function which produces a piece of fixed-length output data (the hash) from some input data, such as a password. As an example, the MD5 hash of the string "password" (in hexadecimal) is
5f4dcc3b5aa765d61d8327deb882cf99
A hash is "one-way" in the sense that it is very difficult (effectively impossible) to obtain the original input given the hash value, or indeed any possible input which would produce that hash value. This property makes hash values very useful for authentication purposes. They can be stored in your user database as an alternative to plaintext passwords and even if the values are compromised they do not immediately reveal a password which can be used to login. Note that this also means you have no way of recovering the password once it is encoded.
10.3.2 Adding Salt to a Hash
One potential problem with the use of password hashes that it is relatively easy to get round the one-way property of the hash if a common word is used for the input. People tend to choose similar passwords and huge dictionaries of these from previously hacked sites are available online. For example, if you search for the hash value 5f4dcc3b5aa765d61d8327deb882cf99
using google, you will quickly find the original word "password". In a similar way, an attacker can build a dictionary of hashes from a standard word list and use this to lookup the original password.
The legacy approach to handling salt was to inject a SaltSource
into the DaoAuthenticationProvider
, which would obtain a salt value for a particular user and pass it to the PasswordEncoder
. Using bcrypt means you don’t have worry about the details of salt handling (such as where the value is stored), as it is all done internally. So we’d strongly recommend you use bcrypt unless you already have a system in place which stores the salt separately.
10.3.3 Hashing and Authentication
When an authentication provider (such as Spring Security’s DaoAuthenticationProvider
) needs to check the password in a submitted authentication request against the known value for a user, and the stored password is encoded in some way, then the submitted value must be encoded using exactly the same algorithm. It’s up to you to check that these are compatible as Spring Security has no control over the persistent values. If you add password hashing to your authentication configuration in Spring Security, and your database contains plaintext passwords, then there is no way authentication can succeed. Even if you are aware that your database is using MD5 to encode the passwords, for example, and your application is configured to use Spring Security’s Md5PasswordEncoder
, there are still things that can go wrong.
encode
method on the PasswordEncoder
.Spring Security(三十三):10.3 Password Encoding的更多相关文章
- 使用Spring Security Oauth2完成RESTful服务password认证的过程
摘要:Spring Security与Oauth2整合步骤中详细描述了使用过程,但它对于入门者有些重量级,比如将用户信息.ClientDetails.token存入数据库而非内存.配置 ...
- Spring Security(三) —— 核心配置解读
摘要: 原创出处 https://www.cnkirito.moe/spring-security-3/ 「老徐」欢迎转载,保留摘要,谢谢! 3 核心配置解读 上一篇文章<Spring Secu ...
- Spring Security(十三):5.2 HttpSecurity
Thus far our WebSecurityConfig only contains information about how to authenticate our users. How do ...
- Spring Security三种认证
Spring Security: 1.用户名+密码认证 2.手机号+短信认证 Spring Social: 1.第三方认证, QQ登录等 Spring Security OAuth: 1.把认证之后的 ...
- spring security 学习文档
web service Prepared by: Sea ...
- SpringBoot集成Spring Security入门体验
一.前言 Spring Security 和 Apache Shiro 都是安全框架,为Java应用程序提供身份认证和授权. 二者区别 Spring Security:重量级安全框架 Apache S ...
- Spring Security(七):2.4 Getting Spring Security
You can get hold of Spring Security in several ways. You can download a packaged distribution from t ...
- Spring Security(三十二):10. Core Services
Now that we have a high-level overview of the Spring Security architecture and its core classes, let ...
- Spring Security(三十四):10.4 Jackson Support
Spring Security has added Jackson Support for persisting Spring Security related classes. This can i ...
随机推荐
- vnc server的安装
vnc是一款使用广泛的服务器管理软件,可以实现图形化管理.我在安装vnc server碰到一些问题,也整理下我的安装步骤,希望对博友们有一些帮助. 1 安装对应的软件包 [root@centos6 ~ ...
- LeetCode专题-Python实现之第20题:Valid Parentheses
导航页-LeetCode专题-Python实现 相关代码已经上传到github:https://github.com/exploitht/leetcode-python 文中代码为了不动官网提供的初始 ...
- 经典面试题|讲一讲JVM的组成
JVM(Java 虚拟机)算是面试必问的问题的了,而但凡问 JVM 一定会问的第一个问题就是:讲一讲 JVM 的组成?那本文就注重讲一下 JVM 的组成. 首先来说 JVM 的组成分为,整体组成部分和 ...
- 痞子衡嵌入式:ARM Cortex-M文件那些事(6)- 可执行文件(.out/.elf)
大家好,我是痞子衡,是正经搞技术的痞子.今天痞子衡给大家讲的是嵌入式开发里的executable文件(elf). 第四.五节课里,痞子衡已经给大家介绍了2种output文件,本文继续给大家讲proje ...
- SpringBoot基础系列-使用Profiles
原创作品,可以转载,但是请标注出处地址:https://www.cnblogs.com/V1haoge/p/9996884.html SpringBoot基础系列-使用Profile 概述 Profi ...
- VS2017安装过程中【工作负载】选择安装
Visual Studio 2017安装和12.13.15安装过程一样的,只是17安装的时候 选择的[工作负载]不同了,小编安装17的目的是为了安装“.Net Core跨平台开发” 这个模块,当然,其 ...
- [React] 从零开始的react
组件 1. 无状态组件 在React中,组件的名字必须用大写字母开头,而包含该组件定义的文件名也应该是大写字母(便于区分,也可以不是). 无状态组件是纯展示组件,仅仅只是用于数据的展示,只根据传入的p ...
- 第26章 联合注销 - Identity Server 4 中文文档(v1.0.0)
联合注销是指用户使用外部身份提供程序登录IdentityServer,然后用户通过IdentityServer未知的工作流程注销该外部身份提供程序的情况.当用户注销时,对IdentityServer进 ...
- html前端优化建议
1. css 尽可能的放到head里面,且避免css表达式 [@media 类似] 2. js 尽可能的放到</body>之前 <script>do something< ...
- WPF 中图片的加载 ,使用统一资源标识符 (URI)
在wpf中,设置图片路径有2种方法: 1.xaml文件中,指定路径 <Button Name=" HorizontalAlignment="Right" Verti ...