Spring Security(三十三):10.3 Password Encoding
Spring Security’s PasswordEncoder
interface is used to support the use of passwords which are encoded in some way in persistent storage. You should never store passwords in plain text. Always use a one-way password hashing algorithm such as bcrypt which uses a built-in salt value which is different for each stored password. Do not use a plain hash function such as MD5 or SHA, or even a salted version. Bcrypt is deliberately designed to be slow and to hinder offline password cracking, whereas standard hash algorithms are fast and can easily be used to test thousands of passwords in parallel on custom hardware. You might think this doesn’t apply to you since your password database is secure and offline attacks aren’t a risk.
org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
is a good choice for security. There are also compatible implementations in other common programming languages so it a good choice for interoperability too.org.springframework.security.authentication.encoding
. The DaoAuthenticationProvider
can be injected with either the new or legacy PasswordEncoder
types.10.3.1 What is a hash?
Password hashing is not unique to Spring Security but is a common source of confusion for users who are not familiar with the concept. A hash (or digest) algorithm is a one-way function which produces a piece of fixed-length output data (the hash) from some input data, such as a password. As an example, the MD5 hash of the string "password" (in hexadecimal) is
5f4dcc3b5aa765d61d8327deb882cf99
A hash is "one-way" in the sense that it is very difficult (effectively impossible) to obtain the original input given the hash value, or indeed any possible input which would produce that hash value. This property makes hash values very useful for authentication purposes. They can be stored in your user database as an alternative to plaintext passwords and even if the values are compromised they do not immediately reveal a password which can be used to login. Note that this also means you have no way of recovering the password once it is encoded.
10.3.2 Adding Salt to a Hash
One potential problem with the use of password hashes that it is relatively easy to get round the one-way property of the hash if a common word is used for the input. People tend to choose similar passwords and huge dictionaries of these from previously hacked sites are available online. For example, if you search for the hash value 5f4dcc3b5aa765d61d8327deb882cf99
using google, you will quickly find the original word "password". In a similar way, an attacker can build a dictionary of hashes from a standard word list and use this to lookup the original password.
The legacy approach to handling salt was to inject a SaltSource
into the DaoAuthenticationProvider
, which would obtain a salt value for a particular user and pass it to the PasswordEncoder
. Using bcrypt means you don’t have worry about the details of salt handling (such as where the value is stored), as it is all done internally. So we’d strongly recommend you use bcrypt unless you already have a system in place which stores the salt separately.
10.3.3 Hashing and Authentication
When an authentication provider (such as Spring Security’s DaoAuthenticationProvider
) needs to check the password in a submitted authentication request against the known value for a user, and the stored password is encoded in some way, then the submitted value must be encoded using exactly the same algorithm. It’s up to you to check that these are compatible as Spring Security has no control over the persistent values. If you add password hashing to your authentication configuration in Spring Security, and your database contains plaintext passwords, then there is no way authentication can succeed. Even if you are aware that your database is using MD5 to encode the passwords, for example, and your application is configured to use Spring Security’s Md5PasswordEncoder
, there are still things that can go wrong.
encode
method on the PasswordEncoder
.最新文章
- 事务复制5: Transaction and Command
- 佳能6d 魔灯
- Angualr2 - 使用 VS2015
- CSS计数器
- 控件(弹出类): ToolTip, Popup, PopupMenu
- Android源代码编译——编译
- Android(java)学习笔记195:三重for循环的优化(Java面试题)
- -AC自动机-题表
- Windows下Nginx的安装与使用(一):配置端口转发
- python导入不同目录下模块的方法
- Apache Solr vs Elasticsearch
- Deployment Characteristics of ";The Edge"; in Mobile Edge Computing
- 分布式系统监视zabbix讲解七之分布式监控--技术流ken
- WebService 及 CXF 的进阶讲解
- POJ 1733 Parity game(种类并查集)
- Tomcat专题
- Ansible 如何查看模块文档
- 关于STM32外接4—16MHz晶振主频处理方法
- C++ 11可变参数接口设计在模板编程中应用的一点点总结
- Linux操作系统(三)