文章目录
密码加密
5.3PasswordEncoder详解
Spring security中通过
PasswordEncoder接口定义了密码加密和比对的相关操作:
public interface PasswordEncoder {
// 对明文密码进行加密
String encode(CharSequence rawPassword);
// 进行密码比对
boolean matches(CharSequence rawPassword, String encodedPassword);
// 判断当前密码是否需要升级
default boolean upgradeEncoding(String encodedPassword) {
return false;
}
}
5.3.1PasswordEncoder常见实现类
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-knDpDp98-1646291833010)(en-resource://database/653:1)]@w=900](https://img-blog.csdnimg.cn/a51b34b69c424b4cbcdbf2b4f8c48e7e.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBARWRTaGVlcmFu5LmA,size_20,color_FFFFFF,t_70,g_se,x_16)
5.3.2DelegatingPasswordEncoder
在spring security5.0之后,默认的密码加密方案是
DelegatingPasswordEncoder。它是一个代理类,主要用来代理其他不同的密码加密方案。
先从PasswordEncoderFactories类开始看起,因为正是由它里边的静态方法createDelegatingPasswordEncoder提供了默认的DelegatingPasswordEncoder实例:
public final class PasswordEncoderFactories {
public static PasswordEncoder createDelegatingPasswordEncoder() {
String encodingId = "bcrypt";
// 存储每一种密码加密方案的id和所对应的加密类
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put(encodingId, new BCryptPasswordEncoder());
encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
encoders.put("scrypt", new SCryptPasswordEncoder());
encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
encoders.put("SHA-256",
new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));
encoders.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());
encoders.put("argon2", new Argon2PasswordEncoder());
// 默认值为bcrypt,因此代理类中默认使用的加密方案是BCryptPasswordEncoder
return new DelegatingPasswordEncoder(encodingId, encoders);
}
}
接下来分析
DelegatingPasswordEncoder:
public class DelegatingPasswordEncoder implements PasswordEncoder {
// 用来包裹将来生成的加密方案的id,例如bcrypt
private static final String PREFIX = "{";
private static final String SUFFIX = "}";
// 默认的加密方案id
private final String idForEncode;
// 默认的加密方案(BCryptPasswordEncoder),它的值是根据idForEncode从
// idToPasswordEncoder映射中提取出来的
private final PasswordEncoder passwordEncoderForEncode;
// 保存id和加密方案之间的映射
private final Map<String, PasswordEncoder> idToPasswordEncoder;
// 默认的密码比对器,当根据密码加密方案的id无法找到对应的加密方案时,会使用默认的(直接抛出异常)
private PasswordEncoder defaultPasswordEncoderForMatches = new UnmappedIdPasswordEncoder();
@Override
public String encode(CharSequence rawPassword) {
// 加上前缀{id},用来描述所采用的具体加密方案
return PREFIX + this.idForEncode + SUFFIX + this.passwordEncoderForEncode.encode(rawPassword);
}
@Override
public boolean matches(CharSequence rawPassword, String prefixEncodedPassword) {
if (rawPassword == null && prefixEncodedPassword == null) {
return true;
}
// 提取加密方案id,例如bcrypt
String id = extractId(prefixEncodedPassword);
PasswordEncoder delegate = this.idToPasswordEncoder.get(id);
if (delegate == null) {
return this.defaultPasswordEncoderForMatches.matches(rawPassword, prefixEncodedPassword);
}
// 提取加密后的密码
String encodedPassword = extractEncodedPassword(prefixEncodedPassword);
return delegate.matches(rawPassword, encodedPassword);
}
@Override
public boolean upgradeEncoding(String prefixEncodedPassword) {
String id = extractId(prefixEncodedPassword);
// 如果当前加密字符串所采用的加密方案不是默认的加密方案,就会自动进行密码升级
if (!this.idForEncode.equalsIgnoreCase(id)) {
return true;
}
else {
// 否则调用默认加密方案的upgradeEncoding方法判断密码是否需要升级
String encodedPassword = extractEncodedPassword(prefixEncodedPassword);
return this.idToPasswordEncoder.get(id).upgradeEncoding(encodedPassword);
}
}
}
5.4实战
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
/**
* 由于默认使用的是DelegatingPasswordEncoder,也可以省略掉PasswordEncoder的实例,只在密码前加上前缀,
* 例如:"{bcrypt}$2a$10$Zg.29wwumBjpQk0xTEBnZeTBWIGxVyth4ByXjdGoRo5.qJZlda9Au"(即,123)。
*/
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("javaboy")
.password("$2a$10$Zg.29wwumBjpQk0xTEBnZeTBWIGxVyth4ByXjdGoRo5.qJZlda9Au")
// .password("{bcrypt}$2a$10$Zg.29wwumBjpQk0xTEBnZeTBWIGxVyth4ByXjdGoRo5.qJZlda9Au")
.roles("admin");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.csrf().disable();
}
}
5.5加密方案自动升级
使用
DelegatingPasswordEncoder的另外一个好处就是会自动进行密码加密方案升级。
@Configuration
public class UserService implements UserDetailsService, UserDetailsPasswordService {
@Autowired
UserMapper userMapper;
@Override
public UserDetails updatePassword(UserDetails user, String newPassword) {
Integer result = userMapper.updatePassword(user.getUsername, newPassword);
if (result == 1) {
((User) user).setPassword(newPassword);
}
return user;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
return userMapper.loadUserByUsername(username);
}
}
例如
DaoAuthenticationProvider中的createSuccessAuthentication方法中就触发了加密方案的自动升级。
5.6是谁的PasswordEncoder
如果开发者向spring容器中注册了一个
PasswordEncoder实例,那么无论是全局的AuthenticationManager还是局部的,都将使用该实例;如果开发者没有提供任何PasswordEncoder实例,那么无论是全局的还是局部的,都将使用DelegatingPasswordEncoder实例。