SpringBoot Security密码加盐
2023-02-18 16:41:00 时间
修改加密和验证方法
/**
 * Hashes {@code password} with {@code salt} appended, using Spring Security's BCrypt encoder.
 * <p>
 * NOTE(review): BCrypt already generates and embeds its own random salt in the output, so the
 * appended {@code salt} is an extra application-level suffix, not the bcrypt salt. BCrypt only
 * consumes the first 72 bytes of its input, so a long password can push the suffix past the
 * hashed region; the {@code password + salt} order must nevertheless stay as-is, because stored
 * hashes were produced with it. A {@code null} salt is concatenated as the text {@code "null"}.
 *
 * @param password the raw password
 * @param salt     suffix appended before hashing; must be reproduced exactly at verification time
 * @return the BCrypt hash string
 */
public static String encryptPassword(String password, String salt) {
    String saltedInput = password + salt;
    return new BCryptPasswordEncoder().encode(saltedInput);
}
/**
 * Verifies a presented password against a stored hash produced by
 * {@link #encryptPassword(String, String)}.
 * <p>
 * The same {@code salt} that was appended at hash time must be supplied here; BCrypt's own
 * embedded salt is read back from {@code encodedPassword} by the encoder. With Spring Security's
 * encoder a {@code null} or non-BCrypt {@code encodedPassword} yields {@code false} rather than
 * an exception.
 *
 * @param rawPassword     the password presented by the user
 * @param encodedPassword the stored BCrypt hash
 * @param salt            the suffix that was appended when the hash was created
 * @return {@code true} when {@code rawPassword + salt} matches the hash
 */
public static boolean matchesPassword(String rawPassword, String encodedPassword, String salt) {
    String saltedCandidate = rawPassword + salt;
    return new BCryptPasswordEncoder().matches(saltedCandidate, encodedPassword);
}
自定义 DaoAuthenticationProvider
import com.maruifu.common.core.domain.model.LoginUser;
import com.maruifu.common.utils.DateUtils;
import com.maruifu.common.utils.SecurityUtils;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
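/**
 * Authentication provider that checks the presented password against the stored BCrypt hash
 * using a per-user salt derived from the account's creation time.
 *
 * @author maruifu
 */
public class JwtAuthenticationProvider extends DaoAuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Hook point: the whole login flow could be replaced here; currently delegates to the parent.
        return super.authenticate(authentication);
    }

    /**
     * Salted password check replacing the parent's {@code PasswordEncoder.matches} call.
     * <p>
     * The salt is the user's creation time formatted with {@code DateUtils.YYYY_MM_DD_HH_MM_SS},
     * so it must be derived exactly as it was when the hash was created: if the stored creation
     * time, its formatting or its time zone ever changes, that user's password stops matching.
     * Both failure paths throw the same generic message so a caller cannot tell them apart.
     *
     * @param userDetails    the loaded principal; expected to be a {@link LoginUser}
     * @param authentication the token carrying the presented credentials
     * @throws BadCredentialsException                if no credentials were supplied or the password does not match
     * @throws InternalAuthenticationServiceException if the principal is not a {@link LoginUser} or carries no user record
     */
    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        if (authentication.getCredentials() == null) {
            this.logger.debug("Failed to authenticate since no credentials provided");
            throw badCredentials();
        }
        // Guard the cast: a differently typed principal is a wiring error, not a wrong password,
        // and must not surface as an unhandled ClassCastException from the login endpoint.
        if (!(userDetails instanceof LoginUser)) {
            String actualType = userDetails == null ? "null" : userDetails.getClass().getName();
            throw new InternalAuthenticationServiceException("Expected a LoginUser principal but got " + actualType);
        }
        LoginUser loginUser = (LoginUser) userDetails;
        if (loginUser.getUser() == null) {
            throw new InternalAuthenticationServiceException("LoginUser carries no user record to derive the salt from");
        }
        String presentedPassword = authentication.getCredentials().toString();
        if (!SecurityUtils.matchesPassword(presentedPassword, userDetails.getPassword(), saltFor(loginUser))) {
            this.logger.debug("Failed to authenticate since password does not match stored value");
            throw badCredentials();
        }
    }

    /** Salt used when the hash was created: the creation time formatted with {@code DateUtils.YYYY_MM_DD_HH_MM_SS}. */
    private static String saltFor(LoginUser loginUser) {
        return DateUtils.parseDateToStr(DateUtils.YYYY_MM_DD_HH_MM_SS, loginUser.getUser().getCreateTime());
    }

    /** Generic failure, localised the same way as the parent class. */
    private BadCredentialsException badCredentials() {
        return new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
    }
}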
注册到 ProviderManager 中
import com.maruifu.framework.security.handle.JwtAuthenticationProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
/**
* spring security配置
*
* @author maruifu
*/
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig1 extends WebSecurityConfigurerAdapter {
/**
 * Custom user lookup; the {@link JwtAuthenticationProvider} built in this class delegates to it.
 */
@Autowired
private UserDetailsService userDetailsService;
/**
 * Exposes the {@link AuthenticationManager} as a bean (it cannot be injected directly from a
 * {@code WebSecurityConfigurerAdapter}) and wires in the salted-password provider.
 * <p>
 * The manager is built here rather than from {@code configure(AuthenticationManagerBuilder)},
 * so nothing configured there applies to it. NOTE(review): the provider keeps its default
 * {@code PasswordEncoder}; since {@code JwtAuthenticationProvider} overrides the password check,
 * that encoder presumably only serves the parent's user-not-found path — confirm against the
 * Spring Security version in use.
 *
 * @return a {@link ProviderManager} holding the single {@link JwtAuthenticationProvider}
 */
@Bean
@Override
public AuthenticationManager authenticationManagerBean() {
    JwtAuthenticationProvider saltedProvider = new JwtAuthenticationProvider();
    saltedProvider.setUserDetailsService(userDetailsService);
    return new ProviderManager(saltedProvider);
}
......省略configure方法
}