我的客户端使用基本身份验证进行身份验证。我以这种形式存储他们的密码-sha256(明文密码+salt),“salt”值存储在数据库中每个用户的单独列中。客户端以明文形式向控制器发送密码。这意味着,应该按如下方式检查密码:我从basicauth头中提取cleartext_密码,从数据库中获取该用户的salt值,并执行这样的转换-sha256(cleartext_密码+salt),然后检查结果字符串和存储在数据库中的字符串是否匹配。问题是,在spring security将传入密码与userdetailsservice返回的密码(来自数据库的密码)进行比较之前,如何将传入密码(basicauth)转换为-sha256(明文密码+salt)格式?
以下是我当前的securityconfig和CustomUserDetails服务:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final UserDetailsService customUserDetailsService;
public SecurityConfig(UserDetailsService customUserDetailsService) {
this.customUserDetailsService = customUserDetailsService;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
.anyRequest().authenticated()
.and().httpBasic();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserDetailsService)
.passwordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
}
}
@Component
public class CustomUserDetailsService implements UserDetailsService {
private final UserRepository userRepository;
public CustomUserDetailsService(UserRepository userRepository) {
this.userRepository = userRepository;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepository.findByUserName(username);
if (user != null){
return org.springframework.security.core.userdetails.
User.withUsername(username)
.password(PasswordEncoderFactories.createDelegatingPasswordEncoder().encode(user.getPassword()))
.roles("USER")
.build();
}
throw new IllegalArgumentException();
}
}
暂无答案!
目前还没有任何答案,快来回答吧!