问题
I am using the Spring Roo framework which uses Spring Security as security framework. I configured it the following way:
<authentication-manager alias="authenticationManager">
<!-- SHA-256 values can be produced using 'echo -n your_desired_password | sha256sum' (using normal *nix environments) -->
<authentication-provider>
<password-encoder hash="sha-256">
<!-- <salt-source user-property="login"/> -->
</password-encoder>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="
SELECT login, password, enabled
FROM user WHERE login = ?"
authorities-by-username-query="
SELECT u.login, r.authority
FROM user u, rol r,
usuer_role ur
WHERE u.login = ur.usuarer
AND r.roleId = ur.role
AND u.login = ?"
/>
<user-service>
<user name="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" authorities="ROLE_ADMIN" />
<user name="user" password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
In order to make the passwords match I edited the UserController create method so the password is stored applying a SHA-256 hash, the same that was configured in applicationContext-security.xml which is the security configuration file.
This is how I do it:
public String create(@Valid User user, BindingResult bindingResult, Model uiModel, HttpServletRequest httpServletRequest) throws NoSuchAlgorithmException, UnsupportedEncodingException {
if (bindingResult.hasErrors()) {
populateEditForm(uiModel, usuario);
return "security/users/create";
}
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(user.getPassword().getBytes("UTF-8"));
byte[] digest = md.digest();
usuario.setPassword( new String(digest, "UTF-8"));
uiModel.asMap().clear();
user.persist();
return "redirect:/security/users/" + encodeUrlPathSegment(usuario.getId().toString(), httpServletRequest);
}
I tried setting the password to admin which is the same provided for the default user: admin, password: admin by the configuration file in order to check that the password generated by my create method matches.
However, the hashed password in the configuration file is 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 but the one stored in the database is a weird set of characters when I inspect my mysql database via console or ivAMgsKo*H when displayed in a page.
Any help?
回答1:
Finally I came up with this solution, thank to @Oleg Estekhin comment:
public String sha256(String original) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(original.getBytes());
byte[] digest = md.digest();
return new String(Hex.encodeHexString(digest));
}
回答2:
However, the hashed password in the configuration file is 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 but the one stored in the > database is a weird set of characters when I inspect my mysql database via console or ivAMgsKo*H when displayed in a page.
8c6976e5b541041...
looks like a Base64 encoded data.
While
ivAMgsKo*H
and your code
new String(digest, "UTF-8")
tells me, that your digest is not encoded but stored as a UTF-8 string.
A hash value can contain not printable byte values, so it is common to encode the value. For example with Base64.
来源:https://stackoverflow.com/questions/23756832/cant-get-to-have-sha-256-hash-working-with-my-spring-security