SPRING IN ACTION, 4th Edition Notes - Chapter 9 Securing web applications - 004 - Encoding passwords with passwordEncoder

I.

1. Focusing on the authentication query, you can see that user passwords are expected to be stored in the database. The only problem with that is that if the passwords are stored in plain text, they’re subject to the prying eyes of a hacker. But if you encode the password in the database, then authentication will fail because it won’t match the plain text password submitted by the user. To resolve this, specify a password encoder by calling passwordEncoder():

@Override
protected void configure(AuthenticationManagerBuilder auth)
        throws Exception {
    auth
        .jdbcAuthentication()
        .dataSource(dataSource)
        // Returns username, stored (encoded) password, and enabled flag
        .usersByUsernameQuery(
            "select username, password, true " +
            "from Spitter where username=?")
        // Grants ROLE_USER to every user found
        .authoritiesByUsernameQuery(
            "select username, 'ROLE_USER' from Spitter where username=?")
        // Encoder used to check the submitted password against the stored one
        .passwordEncoder(new StandardPasswordEncoder("53cr3t"));
}

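The passwordEncoder() method takes an implementation of the PasswordEncoder interface as its argument. Spring provides three implementations: BCryptPasswordEncoder, NoOpPasswordEncoder, and StandardPasswordEncoder.

The interface is defined as follows: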

public interface PasswordEncoder {
    String encode(CharSequence rawPassword);
    boolean matches(CharSequence rawPassword, String encodedPassword);
}

It’s important to understand that the password in the database is never decoded. Instead, the password that the user enters at login is encoded using the same algorithm and is then compared with the encoded password in the database. That comparison is performed in the PasswordEncoder’s matches() method.

Time: 2024-10-23 17:28:03
