Spring security customize password encoder

　　Spring security为我们提供了一个接口PasswordEncoder，实现这个接口就可以定义一个自定义的PasswordEncoder，从而加强应用的安全认证和高安全性。

 

　　一。CustomizePasswordEncoder.java

 

package com.template.security;

import org.springframework.dao.DataAccessException;
import org.springframework.security.authentication.encoding.PasswordEncoder;

/**
 * Created by IntelliJ IDEA.
 * User: Zhong Gang
 * Date: 11-7-29
 * Time: 下午9:05
 * To change this template use File | Settings | File Templates.
 */
public class CustomizePasswordEncoder implements PasswordEncoder {

    /**
     *
     * @param rawPass  password which need to be encoded
     * @param salt
     * @return  the encoded password
     * @throws DataAccessException
     */
    @Override
    public String encodePassword(String rawPass, Object salt) throws DataAccessException {
        rawPass = "Zhong" + rawPass;
        rawPass = rawPass + "Gang";
        return rawPass;
    }

    /**
     *
     * @param encPass the password encoded
     * @param rawPass the password encoded before
     * @param salt
     * @return  true represents password is valid,false represents password is invalid
     * @throws DataAccessException
     */
    @Override
    public boolean isPasswordValid(String encPass, String rawPass, Object salt) throws DataAccessException {
        rawPass = "Zhong" + rawPass;
        rawPass = rawPass + "Gang";
        return encPass.equals(rawPass);
    }

}

 

　　第一个方法将输入的密码进行特殊处理，防止密码轻易被破解，增强应用的安全性，而第二个方法则是判断输入的密码是否与应用中存储的密码相符合。因为应用中存储的密码是由输入的密码经过特殊处理后生成的，所以需要我们自己定义如何判断输入的密码和存储的密码的一致性。在两个方法中我们都可以发现这样一个形式参数salt，意即盐值，用于加密，具体过程就是把密码和盐值指定的内容合并在一起，再使用md5对合并后的内容进行演算，这样演算出来的密码因为攻击者不知道盐值，就很难反算出密码的原文。如果想要使用盐值除了要在自定义passwordEncoder中定义如何利用盐值来进行密码加密外，还要在security.xml中配置使用什么作为盐值。如下示：

 

<password-encoder ref="customizePasswordEncoder">
          <salt-source user-property="username"/>
</password-encoder>

 

　　这里表示使用用户的用户名作为盐值。

 

　　二。security.xml

 

<?xml version="1.0" encoding="UTF-8"?>  
  
<beans:beans xmlns="http://www.springframework.org/schema/security"  
             xmlns:beans="http://www.springframework.org/schema/beans"  
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd  
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">  

    <beans:import resource="datasource.xml"/>

    <http use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="http"/>
        <form-login/>
        <remember-me/>

        <session-management>
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
        </session-management>

    </http>

    <authentication-manager>
        <authentication-provider>
            <password-encoder ref="customizePasswordEncoder"/>
            <jdbc-user-service data-source-ref="dataSource"
              users-by-username-query="select username,password,enabled as status from user where username=?"
              authorities-by-username-query="select u.username,r.name as authority from user u join authority a on a.userid=u.id join role r on r.id=a.roleid where u.username=?"/>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="customizePasswordEncoder" class="com.template.security.CustomizePasswordEncoder"/>

</beans:beans>

 　　在配置文件中通过添加password-encoder元素来配置自定义的passwordEncoder。