Spring Security 密碼驗證動態加鹽的驗證處理方法
本文個人博客地址:https://www.leafage.top/posts/detail/21697I2R
最近幾天在改造項目,需要將gateway整合security在一起進行認證和鑒權,之前gateway和auth是兩個服務,auth是shiro寫的一個,一個filter和一個配置,內容很簡單,生成token,驗證token,沒有其他的安全檢查,然後讓對項目進行重構。
先是要整合gateway和shiro,然而因為gateway是webflux,而shiro-spring是webmvc,所以沒搞成功,如果有做過並成功的,請告訴我如何進行整合,非常感謝。
那整合security呢,因為spring cloud gateway基於webflux,所以網上很多教程是用不瞭的,webflux的配置會有一些變化,具體看如下代碼示例:
import io.leafage.gateway.api.HypervisorApi; import io.leafage.gateway.handler.ServerFailureHandler; import io.leafage.gateway.handler.ServerSuccessHandler; import io.leafage.gateway.service.JdbcReactiveUserDetailsService; import org.springframework.context.annotation.Bean; import org.springframework.http.HttpMethod; import org.springframework.http.HttpStatus; import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity; import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.core.userdetails.ReactiveUserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint; import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler; import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler; import org.springframework.security.web.server.authentication.logout.HttpStatusReturningServerLogoutSuccessHandler; import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository; /** * spring security config . * * @author liwenqiang 2019/7/12 17:51 */ @EnableWebFluxSecurity public class ServerSecurityConfiguration { // 用於獲取遠程數據 private final HypervisorApi hypervisorApi; public ServerSecurityConfiguration(HypervisorApi hypervisorApi) { this.hypervisorApi = hypervisorApi; } /** * 密碼配置,使用BCryptPasswordEncoder * * @return BCryptPasswordEncoder 加密方式 */ @Bean protected PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } /** * 用戶數據加載 * * @return JdbcReactiveUserDetailsService 接口 */ @Bean public ReactiveUserDetailsService userDetailsService() { // 自定義的ReactiveUserDetails 實現 return new JdbcReactiveUserDetailsService(hypervisorApi); } /** * 安全配置 */ @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.formLogin(f -> f.authenticationSuccessHandler(authenticationSuccessHandler()) .authenticationFailureHandler(authenticationFailureHandler())) .logout(l -> l.logoutSuccessHandler(new HttpStatusReturningServerLogoutSuccessHandler())) .csrf(c -> c.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())) .authorizeExchange(a -> a.pathMatchers(HttpMethod.OPTIONS).permitAll() .anyExchange().authenticated()) .exceptionHandling(e -> e.authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))); return http.build(); } /** * 登陸成功後執行的處理器 */ private ServerAuthenticationSuccessHandler authenticationSuccessHandler() { return new ServerSuccessHandler(); } /** * 登陸失敗後執行的處理器 */ private ServerAuthenticationFailureHandler authenticationFailureHandler() { return new ServerFailureHandler(); } }
上面的示例代碼,是我開源項目中的一段,一般的配置就如上面寫的,就可以使用瞭,但是由於我們之前的項目中的是shiro,然後有一個自定義的加密解密的邏輯。
首先說明一下情況,之前那一套加密(前端MD5,不加鹽,然後數據庫存儲的是加鹽後的數據和對應的鹽(每個賬號一個),要登錄比較之前對密碼要獲取動態的鹽,然後加鹽進行MD5,再進行對比,但是在配置的時候是沒法獲取某一用戶的鹽值)
所以上面的一版配置是沒法通過驗證的,必須在驗證之前,給請求的密碼混合該賬號對應的鹽進行二次加密後在對比,但是這裡就有問題瞭:
- security 框架提供的幾個加密\解密工具沒有MD5的方式;
- security 配置加密\解密方式的時候,無法填入動態的賬號的加密鹽;
對於第一個問題還好處理,解決方式是:自定義加密\解密方式,然後註入到配置類中,示例如下:
import cn.hutool.crypto.SecureUtil; import com.ichinae.imis.gateway.utils.SaltUtil; import org.springframework.security.crypto.codec.Utf8; import org.springframework.security.crypto.password.PasswordEncoder; import java.security.MessageDigest; /** * 自定義加密解密 */ public class MD5PasswordEncoder implements PasswordEncoder { @Override public String encode(CharSequence charSequence) { String salt = SaltUtil.generateSalt(); return SecureUtil.md5(SecureUtil.md5(charSequence.toString()) + salt); } @Override public boolean matches(CharSequence charSequence, String encodedPassword) { byte[] expectedBytes = bytesUtf8(charSequence.toString()); byte[] actualBytes = bytesUtf8(charSequence.toString()); return MessageDigest.isEqual(expectedBytes, actualBytes); } private static byte[] bytesUtf8(String s) { // need to check if Utf8.encode() runs in constant time (probably not). // This may leak length of string. return (s != null) ? Utf8.encode(s) : null; } }
第二個問題的解決辦法,找瞭很多資料,也沒有找到,後來查看security的源碼發現,可以在UserDetailsService接口的findByUsername()方法中,在返回UserDetails實現的時候,使用默認實現User的UserBuilder內部類來解決這個問題,因為UserBuilder類中有一個屬性,passwordEncoder屬性,它是Fucntion<String, String>類型的,默認實現是 password -> password,即對密碼不做任何處理,先看下它的源碼:
再看下解決問題之前的findByUsername()方法:
@Service public class UserDetailsServiceImpl implements ReactiveUserDetailsService { @Resource private RemoteService remoteService; @Override public Mono<UserDetails> findByUsername(String username) { return remoteService.getUser(username).map(userBO -> User.builder() .username(username) .password(userBO.getPassword()) .authorities(grantedAuthorities(userBO.getAuthorities())) .build()); } private Set<GrantedAuthority> grantedAuthorities(Set<String> authorities) { return authorities.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toSet()); } }
那找到瞭問題的解決方法,就來改代碼瞭,如下所示:
新增一個代碼處理方法
private Function<String, String> passwordEncoder(String salt) { return rawPassword -> SecureUtil.md5(rawPassword + salt); }
然後添加builder鏈
@Service public class UserDetailsServiceImpl implements ReactiveUserDetailsService { @Resource private RemoteService remoteService; @Override public Mono<UserDetails> findByUsername(String username) { return remoteService.getUser(username).map(userBO -> User.builder() .passwordEncoder(passwordEncoder(userBO.getSalt())) //在這裡設置動態的鹽 .username(username) .password(userBO.getPassword()) .authorities(grantedAuthorities(userBO.getAuthorities())) .build()); } private Set<GrantedAuthority> grantedAuthorities(Set<String> authorities) { return authorities.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toSet()); } private Function<String, String> passwordEncoder(String salt) { return rawPassword -> SecureUtil.md5(rawPassword + salt); } }
然後跑一下代碼,請求登錄接口,就登陸成功瞭。
以上就是Spring Security 密碼驗證動態加鹽的驗證處理的詳細內容,更多關於Spring Security密碼驗證的資料請關註WalkonNet其它相關文章!
推薦閱讀:
- Spring Security密碼解析器PasswordEncoder自定義登錄邏輯
- Spring boot整合security詳解
- 一文詳解Spring Security的基本用法
- 解決Spring Security 用戶帳號已被鎖定問題
- springSecurity實現簡單的登錄功能