Spring Security password hashing example
来源:互联网 发布:人工智能 听诊器 编辑:程序博客网 时间:2024/05/01 07:12
In this tutorial, we will show you how to use BCryptPasswordEncoder
to hash a password and perform a login authentication in Spring Security.
In the old days, normally, we used MD5 Md5PasswordEncoder
or SHA ShaPasswordEncoder
hashing algorithm to encode a password… you are still allowed to use whatever encoder you like, but Spring recommends to use BCrypt BCryptPasswordEncoder
, a stronger hashing algorithm with randomly generated salt.
Technologies used :
- Spring 3.2.8.RELEASE
- Spring Security 3.2.3.RELEASE
- Spring JDBC 3.2.3.RELEASE
- MySQL Server 5.6
1. Review PasswordEncoder
The familiar old authentication PasswordEncoder
interface is deprecated…
package org.springframework.security.authentication.encoding;//Implementation : Md5PasswordEncoder and ShaPasswordEncoder@Deprecatedpublic interface PasswordEncoder {
Instead, you should use this new crypto PasswordEncoder
interface.
package org.springframework.security.crypto.password;//Implementation : BCryptPasswordEncoderpublic interface PasswordEncoder {
2. Generate a BCrypt Password
First, hash a password and put it into a database, for login authentication later. This example uses BCryptPasswordEncoder
to hash a password “123456
”.
PasswordEncoderGenerator.java
package com.mkyong.web.controller;import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;public class PasswordEncoderGenerator { public static void main(String[] args) { int i = 0; while (i < 10) { String password = "123456"; BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(); String hashedPassword = passwordEncoder.encode(password); System.out.println(hashedPassword); i++; } }}
In BCrypt hashing algorithm, each time, a different hash value of length 60 is generated.
$2a$10$EblZqNptyYvcLm/VwDCVAuBjzZOI7khzdyGPBr08PpIi0na624b8.$2a$10$trT3.R/Nfey62eczbKEnueTcIbJXW.u1ffAo/XfyLpofwNDbEB86O$2a$10$teJrCEnsxNT49ZpXU7n22O27aCGbVYYe/RG6/XxdWPJbOLZubLIi2$2a$10$BHG59UT6p7bgT6U2fQ/9wOyTIdejh4Rk1vWilvl4b6ysNPdhnViUS$2a$10$W9oRWeFmOT0bByL5fmAceucetmEYFg2yzq3e50mcu.CO7rUDb/poG$2a$10$HApapHvDStTEwjjneMCvxuqUKVyycXZRfXMwjU0rRmaWMsjWQp/Zu$2a$10$GYCkBzp2NlpGS/qjp5f6NOWHeF56ENAlHNuSssSJpE1MMYJevHBWO$2a$10$gwbTCaIR/qE1uYhvEY6GG.bNDQcZuYQX9tkVwaK/aD7ZLPptC.7QC$2a$10$5uKS72xK2ArGDgb2CwjYnOzQcOmB7CPxK6fz2MGcDBM9vJ4rUql36$2a$10$6TajU85/gVrGUm5fv5Z8beVF37rlENohyLk3BEpZJFi6Av9JNkw9O
It’s normal to get a different value each time you hash a value with BCrypt, because salt is generated randomly. In this tutorial, we get the first output and inserts it into the database.
3. Database
Create tables and insert a user “mkyong” for testing.
CREATE TABLE users ( username VARCHAR(45) NOT NULL , password VARCHAR(60) NOT NULL , enabled TINYINT NOT NULL DEFAULT 1 , PRIMARY KEY (username));CREATE TABLE user_roles ( user_role_id int(11) NOT NULL AUTO_INCREMENT, username varchar(45) NOT NULL, role varchar(45) NOT NULL, PRIMARY KEY (user_role_id), UNIQUE KEY uni_username_role (role,username), KEY fk_username_idx (username), CONSTRAINT fk_username FOREIGN KEY (username) REFERENCES users (username));INSERT INTO users(username,password,enabled)VALUES ('mkyong','$2a$10$EblZqNptyYvcLm/VwDCVAuBjzZOI7khzdyGPBr08PpIi0na624b8.', true);INSERT INTO user_roles (username, role)VALUES ('mkyong', 'ROLE_USER');INSERT INTO user_roles (username, role)VALUES ('mkyong', 'ROLE_ADMIN');
4. Enable Password Encoder
A few ways to enable the password encoder in XML configuration.
4.1 Using the default BCryptPasswordEncoder
.
spring-security.xml
<authentication-manager> <authentication-provider> <password-encoder hash="bcrypt" /> </authentication-provider> </authentication-manager>
4.2 Pass a “strength” parameter to the BCryptPasswordEncoder.
spring-security.xml
<authentication-manager> <authentication-provider> <password-encoder ref="encoder" /> </authentication-provider> </authentication-manager> <beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"> <beans:constructor-arg name="strength" value="11" /> </beans:bean>
4.3 Pass an encoder to DaoAuthenticationProvider
.
spring-security.xml
<bean id="authProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> <property name="userDetailsService" ref="customUserService" /> <property name="passwordEncoder" ref="encoder" /> </bean> <bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
4.4 Annotation example.
@Configuration@EnableWebSecuritypublic class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired DataSource dataSource; @Autowired public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception { auth.jdbcAuthentication().dataSource(dataSource) .passwordEncoder(passwordEncoder()) .usersByUsernameQuery("sql...") .authoritiesByUsernameQuery("sql..."); } @Bean public PasswordEncoder passwordEncoder(){ PasswordEncoder encoder = new BCryptPasswordEncoder(); return encoder; }
5. Project Demo
Access a password protected page : localhost:8080/spring-security-password-hashing/admin, a login page is displayed. Enter a password “123456”, Spring Security will hash the password and compare it with the hashed password from database.
User and password in Database.
- Spring Security password hashing example
- Spring Security 4 Mybatis Password Encoder Bcrypt Example(7)
- Spring MVC password example
- Spring MVC password example
- Spring Security hello world example
- Spring Security hello world example
- Spring Security Remember Me Example
- Spring Security + Hibernate XML Example
- Spring Security + Hibernate Annotation Example
- Spring Security hello world example
- Spring Security hello world example
- Spring Security hello world example
- Spring Security Hello World Annotation Example
- Spring Security Custom Login Form Example
- Spring Security Custom Login Form Annotation Example
- Spring Security : limit login attempts example
- Spring Security 4 Security View Fragments Example(3)
- 006.PHP Password Hashing
- 常用正则表达式大全
- Android:禁止ScrollView在子控件的布局改变时自动滚动的的方法
- 一个程序员的自白
- iPhone UI笔试
- cocos3.0+ shader
- Spring Security password hashing example
- 如何将Mac OS X10.10.3下的Python2.7.6升级到最新的Python3.4
- 黑马学习笔记_java基础知识总结
- Android中dp,px,sp概念梳理以及如何做到屏幕适配
- centos7下使用gitlab+redmine+jenkins
- AdapterView(ListView)
- JAVA获取系统当前时间
- Android开发之AlarmManager的用法详解
- 2015——VLC编译