Spring Security Salt
I\'m trying to add a salt when adding a new user/pwd, but the docs seem to be missing how to do this.
Here\'s a basic example:
-
You don't autowire the
SaltSourcewhen adding user. TheSaltSourceis an abstraction used by Spring to provide the source of the salt for password checking only.To create a properly encoded password hash You just past the salt itself to the
PasswordEncoder- the value ofusernameproperty, not theSaltSource:private PasswordEncoder encoder = new Md5PasswordEncoder(); public User createUser(String username, String plainTextPassword) { User u = new User(); u.setUsername(username); u.setPassword(encoder.encodePassword(plainTextPassword, username)); getEntityManager().persist(u); // optional return u; }
Moreover the autowire of
SaltSourcewon't work until it's defined as an inner bean. You could define theReflectionSaltSourceas top level bean and pass it's ID to thepassword-encoder, i.e.:<bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource" p:userPropertyToUse="username" /> <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" /> <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider" p:passwordEncoder-ref="passwordEncoder" p:saltSource-ref="saltSource" p:userDetailsService-ref="userDetailsService" /> <authentication-manager> <authentication-provider ref="daoAuthenticationProvider" /> </authentication-manager>And then:
@Autowired private PasswordEncoder passwordEncoder; @Autowired private SaltSource saltSource; public CustomUserDetails createUser(String username, String plainTextPassword) { CustomUserDetails u = new CustomUserDetails(); u.setUsername(username); u.setPassword(passwordEncoder.encodePassword( plainTextPassword, saltSource.getSalt(u))); getEntityNamager().persist(u); // optional return u; }讨论(0)
加载中...
- 热议问题