我已经实现了具有spring boot安全性的安全层,并且我已经使用MD5加密机制对所呈现的密码进行编码。它按预期完美地工作但我需要获得用户在DAO中输入的用户名和原始密码或服务层。以下是我使用的代码
@Autowired
UserDao userDao;
@Autowired
@Qualifier("userDetailsService")
UserDetailsService userDetailsService;
@Autowired
private RESTAuthenticationEntryPoint authenticationEntryPoint;
@Autowired
private RESTAuthenticationFailureHandler authenticationFailureHandler;
@Autowired
private RESTAuthenticationSuccessHandler authenticationSuccessHandler;
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/css/**", "/fonts/**", "/images/**");
}
/**
* Security implementation to access the services
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/", "/index.html","/home.html","/page/*","/home/*", "/login.html","/login","/cms/createPhoneNo").permitAll();
http.authorizeRequests().anyRequest().fullyAuthenticated().and().httpBasic().and().csrf().disable();
http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
http.formLogin().loginProcessingUrl("/login/authenticate").successHandler(authenticationSuccessHandler);
http.formLogin().failureHandler(authenticationFailureHandler);
http.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).invalidateHttpSession(true);
http.exceptionHandling().accessDeniedHandler(accessDeniedHandler());
// CSRF tokens handling
http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);
}
/**
* Configures the authentication manager bean which processes authentication
* requests.
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// Dao based authentication
auth.userDetailsService(userDetailsService).passwordEncoder(new Md5PasswordEncoder());
}
private AccessDeniedHandler accessDeniedHandler() {
return new AccessDeniedHandler() {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException, ServletException {
response.getWriter().append("Access denied");
response.setStatus(403);
}
};
}
/**
* This bean is load the user specific data when form login is used.
*/
@Bean
public UserDetailsService userDetailsService() {
return new MyCustomUserDetailsService(userDao);
}
}
有人可以帮助我实现这种情况吗?
谢谢,
答案 0 :(得分:1)
添加到您的auth.eraseCredentials(false);
方法:
String username = SecurityContextHolder.getContext().getAuthentication().getName();
Object rawPassword = SecurityContextHolder.getContext().getAuthentication().getCredentials();
然后,您可以使用
获取当前用户的用户名和密码body.dynamic = true
答案 1 :(得分:1)
在我提供答案之前,必须发出警告:
以明文形式存储用户密码极具风险。无论谁 有权访问db有权访问用户的密码,这意味着他们可以 在您的应用程序中模拟用户。用户也倾向于重用 密码,因此您将该用户暴露给其他系统上的风险(他们的 电子邮件,他们的Facebook等...)。
把它排除在外,哦等一下,再来一次:
MD5是一种极弱的单向哈希。它受rainbow tables的约束 生成给定哈希的纯文本很容易被发现。 考虑切换到更强大的东西,比如SHA-256,Scrypt, Bcrypt或PBKDF2。
好的,完成了。使用org.springframework.security.authentication.encoding.PlaintextPasswordEncoder并在DAO中按需应用MD5(或更好,轻推nudge)哈希。