在 spring 安全中更改密码时如何匹配旧密码?
How to match old password while changing password in spring security?
我在基于 java 的 Web 应用程序中使用 spring 安全性。我需要创建一个更改密码屏幕,用户必须在其中输入旧密码进行确认。
我需要检查用户输入的旧密码是否与他在数据库中的旧密码匹配。
我如何在 spring 安全中做到这一点。
下面是我的 spring 安全 java 配置。
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private AccessDecisionManager accessDecisionManager;
@Bean
@Autowired
public AccessDecisionManager accessDecisionManager(AccessDecisionVoterImpl accessDecisionVoter) {
List<AccessDecisionVoter<?>> accessDecisionVoters = new ArrayList<AccessDecisionVoter<?>>();
accessDecisionVoters.add(new WebExpressionVoter());
accessDecisionVoters.add(new AuthenticatedVoter());
accessDecisionVoters.add(accessDecisionVoter);
UnanimousBased accessDecisionManager = new UnanimousBased(accessDecisionVoters);
return accessDecisionManager;
}
@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder(){
PasswordEncoder passwordEncoder = new PasswordEncoder();
passwordEncoder.setStringDigester(stringDigester());
return passwordEncoder;
}
@Bean
public PooledStringDigester stringDigester() {
PooledStringDigester psd = new PooledStringDigester();
psd.setPoolSize(2);
psd.setAlgorithm("SHA-256");
psd.setIterations(1000);
psd.setSaltSizeBytes(16);
psd.setSaltGenerator(randomSaltGenerator());
return psd;
}
@Bean
public RandomSaltGenerator randomSaltGenerator() {
RandomSaltGenerator randomSaltGenerator = new RandomSaltGenerator();
return randomSaltGenerator;
}
此外,当创建新用户时,我将他的密码设置如下。
user.setPassword(passwordUtils.encryptUserPassword(user.getPassword()));
@Component("passwordUtil")
public class PasswordUtils {
@Autowired
private PooledStringDigester _stringDigester;
public String encryptUserPassword(String originalPassword) {
String encryptedPassword = _stringDigester.digest(originalPassword);
return encryptedPassword;
}
}
使用Username/Email/User Id 查询存储在数据库中的密码,最后在PasswordUtils
中使用PooledStringDigester.matches
编写一个函数
public boolean isPasswordsMatch(String newPassword, String passwordFromDb) {
return _stringDigester.matches(newPassword, passwordFromDb);
}
我在基于 java 的 Web 应用程序中使用 spring 安全性。我需要创建一个更改密码屏幕,用户必须在其中输入旧密码进行确认。
我需要检查用户输入的旧密码是否与他在数据库中的旧密码匹配。
我如何在 spring 安全中做到这一点。
下面是我的 spring 安全 java 配置。
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private AccessDecisionManager accessDecisionManager;
@Bean
@Autowired
public AccessDecisionManager accessDecisionManager(AccessDecisionVoterImpl accessDecisionVoter) {
List<AccessDecisionVoter<?>> accessDecisionVoters = new ArrayList<AccessDecisionVoter<?>>();
accessDecisionVoters.add(new WebExpressionVoter());
accessDecisionVoters.add(new AuthenticatedVoter());
accessDecisionVoters.add(accessDecisionVoter);
UnanimousBased accessDecisionManager = new UnanimousBased(accessDecisionVoters);
return accessDecisionManager;
}
@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder(){
PasswordEncoder passwordEncoder = new PasswordEncoder();
passwordEncoder.setStringDigester(stringDigester());
return passwordEncoder;
}
@Bean
public PooledStringDigester stringDigester() {
PooledStringDigester psd = new PooledStringDigester();
psd.setPoolSize(2);
psd.setAlgorithm("SHA-256");
psd.setIterations(1000);
psd.setSaltSizeBytes(16);
psd.setSaltGenerator(randomSaltGenerator());
return psd;
}
@Bean
public RandomSaltGenerator randomSaltGenerator() {
RandomSaltGenerator randomSaltGenerator = new RandomSaltGenerator();
return randomSaltGenerator;
}
此外,当创建新用户时,我将他的密码设置如下。
user.setPassword(passwordUtils.encryptUserPassword(user.getPassword()));
@Component("passwordUtil")
public class PasswordUtils {
@Autowired
private PooledStringDigester _stringDigester;
public String encryptUserPassword(String originalPassword) {
String encryptedPassword = _stringDigester.digest(originalPassword);
return encryptedPassword;
}
}
使用Username/Email/User Id 查询存储在数据库中的密码,最后在PasswordUtils
中使用PooledStringDigester.matches
public boolean isPasswordsMatch(String newPassword, String passwordFromDb) {
return _stringDigester.matches(newPassword, passwordFromDb);
}