SPRING IN ACTION 4th Edition Notes - Chapter 9 Securing web applications - 004 - Encrypting passwords with passwordEncoder

Posted by shamgod


I.

1. Focusing on the authentication query, you can see that user passwords are expected to be stored in the database. The only problem with that is that if the passwords are stored in plain text, they’re subject to the prying eyes of a hacker. But if you encode the password in the database, then authentication will fail because it won’t match the plain text password submitted by the user.

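    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
            .jdbcAuthentication()
            .dataSource(dataSource)
            // Columns expected: username, (encoded) password, enabled flag
            .usersByUsernameQuery(
                "select username, password, true " +
                "from Spitter where username=?")
            // Every user is granted the single authority ROLE_USER
            .authoritiesByUsernameQuery(
                "select username, 'ROLE_USER' from Spitter where username=?")
            // Stored passwords are encoded; the submitted password is encoded
            // the same way before comparison. "53cr3t" is the encoder's secret.
            .passwordEncoder(new StandardPasswordEncoder("53cr3t"));
    }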

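The passwordEncoder() method takes an implementation of the PasswordEncoder interface as its argument. Spring provides three implementations: BCryptPasswordEncoder, NoOpPasswordEncoder, and StandardPasswordEncoder.

The interface is as follows: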

public interface PasswordEncoder {
    String encode(CharSequence rawPassword);
    boolean matches(CharSequence rawPassword, String encodedPassword);
}

 

It’s important to understand that the password in the database is never decoded. Instead, the password that the user enters at login is encoded using the same algorithm and is then compared with the encoded password in the database. That comparison is performed in the PasswordEncoder’s matches() method.
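The encode-at-registration, matches()-at-login flow described above, as an added example that is not from the book or the original post. It assumes spring-security-crypto on the classpath; SpitterCredentialStore, its methods and the sample values are hypothetical, and a HashMap stands in for the Spitter table.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical in-memory stand-in for the Spitter table: username -> encoded password.
public class SpitterCredentialStore {
    private final PasswordEncoder encoder;
    private final Map<String, String> table = new HashMap<>();

    public SpitterCredentialStore(PasswordEncoder encoder) {
        this.encoder = encoder;
    }

    // Registration: encode once and keep only the encoded form.
    public void register(String username, CharSequence rawPassword) {
        table.put(username, encoder.encode(rawPassword));
    }

    // Login: the stored value is never decoded. matches() re-encodes the
    // submission using the salt embedded in the stored value and compares.
    public boolean authenticate(String username, CharSequence submitted) {
        String stored = table.get(username);
        return stored != null && encoder.matches(submitted, stored);
    }

    public String storedValue(String username) {
        return table.get(username);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        SpitterCredentialStore store = new SpitterCredentialStore(encoder);
        String raw = "constructed-sample-pw"; // constructed sample value
        store.register("sample_user", raw);
        String stored = store.storedValue("sample_user");

        // encode() salts randomly, so encoding the same password again yields a
        // different string: comparing encode(raw) to the stored value with
        // equals() is not a valid check, only matches() is.
        System.out.println("re-encoded equals stored: " + encoder.encode(raw).equals(stored));
        System.out.println("correct password:         " + store.authenticate("sample_user", raw));
        System.out.println("wrong password:           " + store.authenticate("sample_user", "guess"));
        // The encoded value itself is not accepted as a password.
        System.out.println("stored value as password: " + store.authenticate("sample_user", stored));
        System.out.println("unknown user:             " + store.authenticate("nobody", raw));
    }
}
```

Because the constructor takes the PasswordEncoder interface, the same class works unchanged with StandardPasswordEncoder or any other implementation.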
