Guide to implementing spring security password recovery with dynamic URL sent to email

怎甘沉沦 提交于 2019-12-20 09:38:14

问题


I found it very difficult to do password recovery, since I've never done it before.

So far I have web app which has:

Spring Security, where password is properly hashed and user roles implemented and work correctly.

The strategy hints research from stackoverflow:

  1. User hits forgot-password button, where he enters his email address.
  2. Dynamic link is sent to email address
  3. User opens link in email address
  4. Which redirects him to password reset page

What is not known:

  • How to give link dynamic nature - methods of generations
  • Link has a timeout - some questions were found here, but often involve custom handler or extension to spring security functionality
  • A request mapping methods to respond to such dynamic link
  • Temporary link storage methods - database, session etc. ?

As you can see the list is quite severe for a single question. So was hoping you might be able to provide guide resources to how to do it step by step. I was a little surprised I could not find much on this in Spring Security documentation. Thanks.

I am student so don't know really industry best practices for doing so especially in the context of Java, so I really hope anyone will be able to help.


回答1:


The problem doesn't really have much to do with Spring Security. Provided you know the structure of the user database and the password encoder used, it's really just implementing a workflow involving data access, web controllers and sending an email. The link should contain a random token string (use SecureRandom and a base64 encoder, for example) and it should be stored in a database with the userId and a timestamp (for validating the window within which the link is valid). The controller would simply extract the token from the incoming request, load the data from the database using the token. It would check the timestamp and then forward the user to a password entry form. Depending on requirements, you might also want them to answer some other security questions too. You'd then validate and encode the password and store it in the account matching the userId stored in the reset link table. It would also make sense to have a batch job running to remove expired links from the database.

The Grails Spring Security UI plugin already has a forgot password option which you can either use directly or use as a reference.




回答2:


I have implemented a JAVA project for this use case. It is on GitHub, open source.

There are explanation for everything (and if something is missing - let me know...)


Have a look: https://github.com/OhadR/Authentication-Flows

This is the client web-app that uses the auth-flows, with the README with all explanations. it directs you the implementation: https://github.com/OhadR/oAuth2-sample/tree/master/authentication-flows



来源:https://stackoverflow.com/questions/17219917/guide-to-implementing-spring-security-password-recovery-with-dynamic-url-sent-to

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!