个人中心
gpt4 book ai didi

java - Spring MVC : Using User password to create a Java keystore, 和稍后的访问 key

转载 作者:太空宇宙 更新时间:2023-11-04 06:10:26 25 4
gpt4 key购买 nike

  • 我正在开发一个 Spring-MVC 应用程序,其中有一个 Person我使用 BCrypt 将密码存储在数据库中的类格式。现在,我想使用 MD5 和创建一个 Java keystore 用户的明文密码。
    • 但是因为我不知道 Spring-security 如何以及在哪里获取明文密码并对其进行 BCrypt 来检查数据库,所以我无法使用明文密码创建 MD5 和。
    • 我希望在每次用户登录时重复此过程,以便我可以通过编程方式解锁 keystore 并使用 key 名和 MD5 总和作为密码检索 key 。

我正在粘贴我的 Person 模型和 spring-security-application.xml :

 @Entity
@Table(name="person")
public class Person implements UserDetails{

    private static final GrantedAuthority USER_AUTH = new SimpleGrantedAuthority("ROLE_USER");

    private static final String emailRegexp = "^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$";

    @Id
    @Column(name="id")
    @GeneratedValue(strategy = GenerationType.SEQUENCE,generator = "person_seq_gen")
    @SequenceGenerator(name = "person_seq_gen",sequenceName = "person_seq")
    private int id;

    @Valid
    @Email
    @Pattern(regexp = emailRegexp)
    @Column(name = "username")
    private String username;

    @Valid
    @NotEmpty(message = "Password may not be empty")
    @Column(name = "password")
    private String password;


 //getters and setters ommitted

}

PersonServiceImpl:

 @Override
    @Transactional
    public boolean addPerson(Person p) {
        try {
            Thread.sleep(2000);
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
        Person existingUser = personDAO.findPersonByUsername(p.getUsername());
        if(existingUser == null) {
            this.personDAO.addPerson(p);
            p.setAccountstatus(false);
            p.setOnetimeemail(false);
            p.setUsername(p.getUsername().toLowerCase());
            p.setPassword(BCrypt.hashpw(p.getPassword(), BCrypt.gensalt(11)));
            p.setUsername(p.getUsername().toLowerCase());
            this.personDAO.addPerson(p);
            sendAccountActivationEmail(p.getUsername(), p.getFirstName());
            return true;
        } else {
            return  false;
        }
    }

安全-applicationContext.xml:

 <security:global-method-security pre-post-annotations="enabled" />

    <security:http create-session="ifRequired" use-expressions="true" auto-config="true" disable-url-rewriting="true">
        <security:form-login login-page="/login" default-target-url="/canvas/list" always-use-default-target="false" authentication-failure-url="/denied.jsp" />
        <security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService" token-validity-seconds="1209600" data-source-ref="dataSource"/>
        <security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout"/>

<!--        <security:intercept-url pattern="/**" requires-channel="https"/> -->

  <!--  <security:port-mappings>
        <security:port-mapping http="80" https="443"/>
    </security:port-mappings>
-->
    </security:http>




    <!-- queries to be run on data -->
    <beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
        <beans:property name="key" value="_spring_security_remember_me" />
        <beans:property name="tokenRepository" ref="jdbcTokenRepository"/>
        <beans:property name="userDetailsService" ref="LoginServiceImpl"/>
    </beans:bean>

    <!--Database management for remember-me -->
    <beans:bean id="jdbcTokenRepository"
                class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
        <beans:property name="createTableOnStartup" value="false"/>
        <beans:property name="dataSource" ref="dataSource" />
    </beans:bean>

    <!-- Remember me ends here -->
    <security:authentication-manager alias="authenticationManager" erase-credentials="false">
        <security:authentication-provider user-service-ref="LoginServiceImpl">
           <security:password-encoder  ref="encoder"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <beans:bean id="encoder"
                class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg name="strength" value="11" />
    </beans:bean>

    <beans:bean id="daoAuthenticationProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
                <beans:property name="userDetailsService" ref="LoginServiceImpl"/>
<security:global-method-security pre-post-annotations="enabled" />

<security:http create-session="ifRequired" use-expressions="true" auto-config="true" disable-url-rewriting="true">
    <security:form-login login-page="/login" default-target-url="/canvas/list" always-use-default-target="false" authentication-failure-url="/denied.jsp" />
    <security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService" token-validity-seconds="1209600" data-source-ref="dataSource"/>
    <security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout"/>
</security:http>

<beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
    <beans:property name="key" value="_spring_security_remember_me" />
    <beans:property name="tokenRepository" ref="jdbcTokenRepository"/>
    <beans:property name="userDetailsService" ref="LoginServiceImpl"/>
</beans:bean>
<beans:bean id="jdbcTokenRepository"
            class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
    <beans:property name="createTableOnStartup" value="false"/>
    <beans:property name="dataSource" ref="dataSource" />
</beans:bean>
<security:authentication-manager alias="authenticationManager" erase-credentials="false">
    <security:authentication-provider user-service-ref="LoginServiceImpl">
       <security:password-encoder  ref="encoder"/>
    </security:authentication-provider>
</security:authentication-manager>

<beans:bean id="encoder"
            class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg name="strength" value="11" />
</beans:bean>

<beans:bean id="daoAuthenticationProvider"
            class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
            <beans:property name="userDetailsService" ref="LoginServiceImpl"/>
           <beans:property name="passwordEncoder" ref="encoder"/>
</beans:bean>
            <beans:property name="passwordEncoder" ref="encoder"/>
    </beans:bean>

登录服务Impl:

@Transactional
@Service("userDetailsService")
public class LoginServiceImpl implements UserDetailsService{

    @Autowired private PersonDAO personDAO;
    @Autowired private Assembler assembler;


    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException,DataAccessException {
        Person person = personDAO.findPersonByUsername(username.toLowerCase());
            if(person == null) { throw new UsernameNotFoundException("Wrong username or password");} //Never specify which one was it exactly
        return assembler.buildUserFromUserEntity(person);
    }

    public LoginServiceImpl() {
    }
}

汇编器:

@Service("assembler")
public class Assembler {
    @Transactional(readOnly = true)
    User buildUserFromUserEntity(Person userEntity){
        String username = userEntity.getUsername().toLowerCase();
        String password = userEntity.getPassword();

        boolean enabled = userEntity.isEnabled();
        boolean accountNonExpired = userEntity.isAccountNonExpired();
        boolean credentialsNonExpired = userEntity.isCredentialsNonExpired();
        boolean accountNonLocked = userEntity.isAccountNonLocked();

        Collection<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

        return new User(username,password,enabled,accountNonExpired,credentialsNonExpired,accountNonLocked,authorities);
        }
}

我希望我说的很清楚,如果有任何疑问,请告诉我..任何帮助都会很好。非常感谢...:-)

最佳答案

您可以让 Spring Security 在 session 中保留密码:

<authentication-manager alias="authenticationManager" erase-credentials="false">
  <!-- authentication provider(s) -->
</authentication-manager>

然后您可以使用以下方式找回密码:

Authentication currentAuth = ...;
String pwd = currentAuth.getCredentials().toString();

要捕获用户登录的时间,您可以 listen for AuthenticationSuccessEvent .

关于java - Spring MVC : Using User password to create a Java keystore, 和稍后的访问 key ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/28812227/

25 4 0
文章推荐: java - Spring 安全。 protected 注释不起作用
文章推荐: python - scikit-learn CountVectorizer 中的类型错误
文章推荐: python - 将 numpy 数组与 scipy odeint 一起使用
文章推荐: java - Spring:确保初始化顺序没有 'depends-on'
太空宇宙
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com