piaoyi's blog - 站在煩惱裡仰望幸福

Main | Next page »

http://www.javaworld.com.tw/roller/piaoyi/date/20080731 Thursday July 31, 2008

Acegisecurity Memo-9, Login Password with PasswordEncoder(SHA,MD5...)


一堆事,雜事、正事、亂七八糟的事,不爽的事 = =,摸了許久....hmm.....繼續分享 acegi 的心得吧..

Table of Content

摘要

一般在設計權限的系統,在儲存使用者的密碼時,通常都會是存加密過後的密碼字串,而不是直接存原始的密碼進儲存庫,所以在使用者 key in 密碼登入時,我們要做的比對,應該是先把使用者 key in 的密碼加密過後,再和儲存庫中的資料做比對,才會正確的判斷。
很幸運的, acegi 已經考慮到這一段,也幫我們做好了,我們只要設定要使用的 PasswordEncoder 傳給 AuthenticationProvider 即可,acegi 會自動加密後再比對判斷。

PasswordEncoder

class 說明
org.acegisecurity.providers.encoding.PlaintextPasswordEncoder 如果 AuthenticationProvider 有傳入 SaltSource,則此加密就是原 password + "{" + aSaltSource.toString() + "}",若無 SaltSource,則即原 password。
org.acegisecurity.providers.ldap.authenticator.LdapShaPasswordEncoder 一般 LDAP 內建的加密方式,有{SHA}, {SSHA} 二種。
org.acegisecurity.providers.encoding.Md5PasswordEncoder MD5 加密演算法。
org.acegisecurity.providers.encoding.ShaPasswordEncoder SHA 加密演算法,建構子可傳入 key 長度,預設是 SHA-1 演算法。
org.acegisecurity.providers.encoding.MessageDigestPasswordEncoder Md5PasswordEncoder 和 ShaPasswordEncoder 的父類別,但可以直接使用,不過必須在建構子傳入演算法名稱。

設定方式

在設定  AuthenticationProvider 時,傳入選擇的 PasswordEncoder 實例進  passwordEncoder 參數。 
<bean id="authenticationProvider"
	class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
	<property name="userDetailsService">		
		<ref bean="inMemoryDaoImpl" />
	</property>
	<property name="passwordEncoder">
		<bean class="org.acegisecurity.providers.encoding.ShaPasswordEncoder"/>
	</property>
</bean>

Sample

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd
    http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">

	<bean id="authenticationProvider"
		class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
		<property name="userDetailsService">		
			<ref bean="inMemoryDaoImpl" />
		</property>
		<property name="passwordEncoder">
			<bean class="org.acegisecurity.providers.encoding.ShaPasswordEncoder"/>
		</property>		
	</bean>		
	<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
		<property name="userMap">
		<!--
				admin=1234,ROLE_admin,ROLE_USER,ROLE_other
				piaoyi=1234,ROLE_admin,ROLE_USER,ROLE_other
				readonly=readonly,ROLE_USER,ROLE_readonly
				密碼加密 SHA-1 後如下
		-->
			<value>
				admin=7110eda4d09e062aa5e4a390b0a572ac0d2c0220,ROLE_admin,ROLE_USER,ROLE_other
				piaoyi=7110eda4d09e062aa5e4a390b0a572ac0d2c0220,ROLE_admin,ROLE_USER,ROLE_other
				readonly=9a27718297218c3757c365d357d13f49d0fa3065,ROLE_USER,ROLE_readonly
			</value>
		</property>
	</bean>	
</beans>

Download

  1. Download [AcegisecurityMemo9.zip]
    Contains:
    • acegi-authentication-passwordEncoder.xml

Reference

http://www.acegisecurity.org/
http://forum.springframework.org/forumdisplay.php?f=33

Navigation:

Index: Acegisecurity Memo, Table of Contents
Previous: Acegisecurity Memo-8, Login Page & Logout URL
Next:

Posted at 2008-07-31 01:29 by Piaoyi Kao in Acegisecurity  |  Permalink  |  Comments[4]

http://www.javaworld.com.tw/roller/piaoyi/date/20080703 Thursday July 03, 2008

Acegisecurity Memo, Table of Contents

Acegisecurity Contents

Navigation:

Next: Acegisecurity Memo-1, Overview


Posted at 2008-07-03 16:53 by Piaoyi Kao in Acegisecurity  |  Permalink  |  Comments[1]


Main | Next page »