Symfony 在 encodePassword 中使用盐
Symfony using salt in encodePassword
我正在使用 Symfony 2.6.6,我目前正在尝试对我的数据库用户使用盐。在注册过程中,我执行以下哈希操作,同时通过 Doctrine 保留用户信息。
src/AppBundle/Form/RegisterFormType.php
<?php
$account->setSalt(base_convert(sha1(uniqid(mt_rand(), true)), 16, 36));
$account->setPassword($this->encodePassword($account, $account->getPlainPassword()));
在同一个文件中我有这个函数:
<?php
private function encodePassword(Account $account, $plainPassword)
{
$encoder = $this->container->get('security.encoder_factory')->getEncoder($account);
return $encoder->encodePassword($plainPassword, $account->getSalt());
}
这是我的 security.yml 文件:
app/config/security.yml
security:
encoders:
AppBundle\Entity\Account: bcrypt
providers:
database_users:
entity: { class: AppBundle:Account }
role_hierarchy:
ROLE_ADMIN: [ROLE_USER, ROLE_ALLOWED_TO_SWITCH]
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
firewalls:
dev:
pattern: ^/(_(profiler|wdt|error)|css|images|js)/
security: false
prod:
pattern: ^/
form_login:
check_path: account_login_check
login_path: account_login
csrf_provider: form.csrf_provider
logout:
path: account_logout
target: home
anonymous: ~
switch_user: ~
remember_me:
key: "%secret%"
access_control:
- { path: ^/account/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/account/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/account/logout, roles: IS_AUTHENTICATED_FULLY }
在我的实体中,这些是盐键:
src/AppBundle/Entity/Account.php
<?php // src/AppBundle/Entity/Account.php
namespace AppBundle\Entity;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Security\Core\Role\Role;
use Symfony\Component\Security\Core\User\AdvancedUserInterface;
use Serializable;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
/**
* @ORM\Table(name="accounts")
* @ORM\Entity(repositoryClass="AppBundle\Entity\AccountRepository")
* @UniqueEntity(fields="username", message="That username is taken!")
* @UniqueEntity(fields="email", message="That email is taken!")
*/
class Account implements AdvancedUserInterface, Serializable
{
/**
* @ORM\Column(name="id", type="integer")
* @ORM\Id
* @ORM\GeneratedValue(strategy="AUTO")
*/
private $id;
/**
* @ORM\Column(name="username", type="string", length=30)
* @Assert\NotBlank(message="Give us at least 3 characters")
* @Assert\Length(min=3, minMessage="Give us at least 3 characters!")
*/
private $username;
/**
* @ORM\Column(name="password", type="string", length=255)
*/
private $password;
/**
* @ORM\Column(name="salt", type="string")
*/
private $salt;
/**
* @ORM\Column(type="string", length=120)
* @Assert\NotBlank
* @Assert\Email
*/
private $email;
/**
* @ORM\Column(type="json_array")
*/
private $roles = array();
/**
* @ORM\Column(type="boolean")
*/
private $isActive = false;
/**
* @Assert\NotBlank
* @Assert\Regex(
* pattern="/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).*$/",
* message="Use 1 upper case letter, 1 lower case letter, and 1 number"
* )
*/
private $plainPassword;
/**
* @return integer
*/
public function getId()
{
return $this->id;
}
/**
* @return string
*/
public function getUsername()
{
return $this->username;
}
/**
* @param string $username
* @return Account
*/
public function setUsername($username)
{
$this->username = $username;
return $this;
}
/**
* @return string
*/
public function getEmail()
{
return $this->email;
}
/**
* @param string $email
* @return Account
*/
public function setEmail($email)
{
$this->email = $email;
return $this;
}
/**
* @return string
*/
public function getPassword()
{
return $this->password;
}
/**
* @param string $password
* @return Account
*/
public function setPassword($password)
{
$this->password = $password;
return $this;
}
/**
* @return string
*/
public function getPlainPassword()
{
return $this->plainPassword;
}
/**
* @param $plainPassword
* @return string
*/
public function setPlainPassword($plainPassword)
{
$this->plainPassword = $plainPassword;
return $this;
}
/**
* @return array Role
*/
public function getRoles()
{
$roles = $this->roles;
$roles[] = 'ROLE_USER';
return array_unique($roles);
}
/**
* @param array $roles
* @return Role
*/
public function setRoles(array $roles)
{
$this->roles = $roles;
return $this;
}
/**
* Removes sensitive data from the user
*/
public function eraseCredentials()
{
$this->setPlainPassword(null);
}
/**
* @return string
*/
public function getSalt()
{
return $this->salt;
}
/**
* @param $salt
* @return Account
*/
public function setSalt($salt)
{
$this->salt = $salt;
return $this;
}
/**
* @return boolean
*/
public function getIsActive()
{
return $this->isActive;
}
/**
* @param boolean $isActive
*/
public function setIsActive($isActive)
{
$this->isActive = $isActive;
}
public function isAccountNonExpired()
{
return true;
}
public function isAccountNonLocked()
{
return true;
}
public function isCredentialsNonExpired()
{
return true;
}
public function isEnabled()
{
return $this->getIsActive();
}
public function serialize()
{
return serialize(array(
$this->id,
$this->username,
$this->password,
$this->salt
));
}
public function unserialize($serialized)
{
list (
$this->id,
$this->username,
$this->password,
$this->salt
) = unserialize($serialized);
}
}
当我登录时,它有效,但分析器告诉我 Authenticated?
说不。当我将盐更改为数据库中的不同内容时,用户仍然可以登录。
Symfony 文档中是否缺少某些内容,或者我是否需要更改整个加盐方式?
编辑:很抱歉我没有包括序列化和反序列化 $this->password, $this->salt
。
编辑 2:包含 app/config/security.yml
并按用户 src/AppBundle/Entity/Account.php
的要求发布了完整的 src/AppBundle/Entity/Account.php
文件: 的请求。
感谢您阅读我的问题。
首先,您的 User
对象必须实现 Serializable
接口,并且您必须序列化 id 和 salt。
阅读this。
编辑:您的实体 class 必须是这样的:
<?php // src/AppBundle/Entity/Account.php
namespace AppBundle\Entity;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Security\Core\Role\Role;
use Symfony\Component\Security\Core\User\AdvancedUserInterface;
use Serializable;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
/**
* @ORM\Table(name="accounts")
* @ORM\Entity(repositoryClass="AppBundle\Entity\AccountRepository")
* @UniqueEntity(fields="username", message="That username is taken!")
* @UniqueEntity(fields="email", message="That email is taken!")
*/
class Account implements AdvancedUserInterface, Serializable
{
/**
* @ORM\Column(name="id", type="integer")
* @ORM\Id
* @ORM\GeneratedValue(strategy="AUTO")
*/
private $id;
/**
* @ORM\Column(name="username", type="string", length=30)
* @Assert\NotBlank(message="Give us at least 3 characters")
* @Assert\Length(min=3, minMessage="Give us at least 3 characters!")
*/
private $username;
/**
* @ORM\Column(name="password", type="string", length=255)
*/
private $password;
/**
* @ORM\Column(name="salt", type="string")
*/
private $salt;
/**
* @ORM\Column(type="string", length=120)
* @Assert\NotBlank
* @Assert\Email
*/
private $email;
/**
* @ORM\Column(type="json_array")
*/
private $roles = array();
/**
* @ORM\Column(type="boolean")
*/
private $isActive = false;
/**
* @Assert\NotBlank
* @Assert\Regex(
* pattern="/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).*$/",
* message="Use 1 upper case letter, 1 lower case letter, and 1 number"
* )
*/
private $plainPassword;
/**
* @return integer
*/
public function getId()
{
return $this->id;
}
/**
* @return string
*/
public function getUsername()
{
return $this->username;
}
/**
* @param string $username
* @return Account
*/
public function setUsername($username)
{
$this->username = $username;
return $this;
}
/**
* @return string
*/
public function getEmail()
{
return $this->email;
}
/**
* @param string $email
* @return Account
*/
public function setEmail($email)
{
$this->email = $email;
return $this;
}
/**
* @return string
*/
public function getPassword()
{
return $this->password;
}
/**
* @param string $password
* @return Account
*/
public function setPassword($password)
{
$this->password = $password;
return $this;
}
/**
* @return string
*/
public function getPlainPassword()
{
return $this->plainPassword;
}
/**
* @param $plainPassword
* @return string
*/
public function setPlainPassword($plainPassword)
{
$this->plainPassword = $plainPassword;
return $this;
}
/**
* @return array Role
*/
public function getRoles()
{
$roles = $this->roles;
$roles[] = 'ROLE_USER';
return array_unique($roles);
}
/**
* @param array $roles
* @return Role
*/
public function setRoles(array $roles)
{
$this->roles = $roles;
return $this;
}
/**
* Removes sensitive data from the user
*/
public function eraseCredentials()
{
$this->setPlainPassword(null);
}
/**
* @return string
*/
public function getSalt()
{
return null;
}
/**
* @param $salt
* @return Account
*/
public function setSalt($salt)
{
$this->salt = $salt;
return $this;
}
/**
* @return boolean
*/
public function getIsActive()
{
return $this->isActive;
}
/**
* @param boolean $isActive
*/
public function setIsActive($isActive)
{
$this->isActive = $isActive;
}
public function isAccountNonExpired()
{
return true;
}
public function isAccountNonLocked()
{
return true;
}
public function isCredentialsNonExpired()
{
return true;
}
public function isEnabled()
{
return $this->getIsActive();
}
public function serialize()
{
return serialize(array(
$this->id,
$this->username,
$this->password,
$this->salt,
$this->isActive
));
}
public function unserialize($serialized)
{
list (
$this->id,
$this->username,
$this->password,
$this->salt,
$this->isActive
) = unserialize($serialized);
}
}
您需要使用 Serializable 接口并实现其称为 serializable 和 unserializable 的方法。在两个函数中定义你的盐变量。
我正在使用 Symfony 2.6.6,我目前正在尝试对我的数据库用户使用盐。在注册过程中,我执行以下哈希操作,同时通过 Doctrine 保留用户信息。
src/AppBundle/Form/RegisterFormType.php
<?php
$account->setSalt(base_convert(sha1(uniqid(mt_rand(), true)), 16, 36));
$account->setPassword($this->encodePassword($account, $account->getPlainPassword()));
在同一个文件中我有这个函数:
<?php
private function encodePassword(Account $account, $plainPassword)
{
$encoder = $this->container->get('security.encoder_factory')->getEncoder($account);
return $encoder->encodePassword($plainPassword, $account->getSalt());
}
这是我的 security.yml 文件:
app/config/security.yml
security:
encoders:
AppBundle\Entity\Account: bcrypt
providers:
database_users:
entity: { class: AppBundle:Account }
role_hierarchy:
ROLE_ADMIN: [ROLE_USER, ROLE_ALLOWED_TO_SWITCH]
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
firewalls:
dev:
pattern: ^/(_(profiler|wdt|error)|css|images|js)/
security: false
prod:
pattern: ^/
form_login:
check_path: account_login_check
login_path: account_login
csrf_provider: form.csrf_provider
logout:
path: account_logout
target: home
anonymous: ~
switch_user: ~
remember_me:
key: "%secret%"
access_control:
- { path: ^/account/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/account/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/account/logout, roles: IS_AUTHENTICATED_FULLY }
在我的实体中,这些是盐键:
src/AppBundle/Entity/Account.php
<?php // src/AppBundle/Entity/Account.php
namespace AppBundle\Entity;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Security\Core\Role\Role;
use Symfony\Component\Security\Core\User\AdvancedUserInterface;
use Serializable;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
/**
* @ORM\Table(name="accounts")
* @ORM\Entity(repositoryClass="AppBundle\Entity\AccountRepository")
* @UniqueEntity(fields="username", message="That username is taken!")
* @UniqueEntity(fields="email", message="That email is taken!")
*/
class Account implements AdvancedUserInterface, Serializable
{
/**
* @ORM\Column(name="id", type="integer")
* @ORM\Id
* @ORM\GeneratedValue(strategy="AUTO")
*/
private $id;
/**
* @ORM\Column(name="username", type="string", length=30)
* @Assert\NotBlank(message="Give us at least 3 characters")
* @Assert\Length(min=3, minMessage="Give us at least 3 characters!")
*/
private $username;
/**
* @ORM\Column(name="password", type="string", length=255)
*/
private $password;
/**
* @ORM\Column(name="salt", type="string")
*/
private $salt;
/**
* @ORM\Column(type="string", length=120)
* @Assert\NotBlank
* @Assert\Email
*/
private $email;
/**
* @ORM\Column(type="json_array")
*/
private $roles = array();
/**
* @ORM\Column(type="boolean")
*/
private $isActive = false;
/**
* @Assert\NotBlank
* @Assert\Regex(
* pattern="/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).*$/",
* message="Use 1 upper case letter, 1 lower case letter, and 1 number"
* )
*/
private $plainPassword;
/**
* @return integer
*/
public function getId()
{
return $this->id;
}
/**
* @return string
*/
public function getUsername()
{
return $this->username;
}
/**
* @param string $username
* @return Account
*/
public function setUsername($username)
{
$this->username = $username;
return $this;
}
/**
* @return string
*/
public function getEmail()
{
return $this->email;
}
/**
* @param string $email
* @return Account
*/
public function setEmail($email)
{
$this->email = $email;
return $this;
}
/**
* @return string
*/
public function getPassword()
{
return $this->password;
}
/**
* @param string $password
* @return Account
*/
public function setPassword($password)
{
$this->password = $password;
return $this;
}
/**
* @return string
*/
public function getPlainPassword()
{
return $this->plainPassword;
}
/**
* @param $plainPassword
* @return string
*/
public function setPlainPassword($plainPassword)
{
$this->plainPassword = $plainPassword;
return $this;
}
/**
* @return array Role
*/
public function getRoles()
{
$roles = $this->roles;
$roles[] = 'ROLE_USER';
return array_unique($roles);
}
/**
* @param array $roles
* @return Role
*/
public function setRoles(array $roles)
{
$this->roles = $roles;
return $this;
}
/**
* Removes sensitive data from the user
*/
public function eraseCredentials()
{
$this->setPlainPassword(null);
}
/**
* @return string
*/
public function getSalt()
{
return $this->salt;
}
/**
* @param $salt
* @return Account
*/
public function setSalt($salt)
{
$this->salt = $salt;
return $this;
}
/**
* @return boolean
*/
public function getIsActive()
{
return $this->isActive;
}
/**
* @param boolean $isActive
*/
public function setIsActive($isActive)
{
$this->isActive = $isActive;
}
public function isAccountNonExpired()
{
return true;
}
public function isAccountNonLocked()
{
return true;
}
public function isCredentialsNonExpired()
{
return true;
}
public function isEnabled()
{
return $this->getIsActive();
}
public function serialize()
{
return serialize(array(
$this->id,
$this->username,
$this->password,
$this->salt
));
}
public function unserialize($serialized)
{
list (
$this->id,
$this->username,
$this->password,
$this->salt
) = unserialize($serialized);
}
}
当我登录时,它有效,但分析器告诉我 Authenticated?
说不。当我将盐更改为数据库中的不同内容时,用户仍然可以登录。
Symfony 文档中是否缺少某些内容,或者我是否需要更改整个加盐方式?
编辑:很抱歉我没有包括序列化和反序列化 $this->password, $this->salt
。
编辑 2:包含 app/config/security.yml
并按用户 src/AppBundle/Entity/Account.php
的要求发布了完整的 src/AppBundle/Entity/Account.php
文件:
感谢您阅读我的问题。
首先,您的 User
对象必须实现 Serializable
接口,并且您必须序列化 id 和 salt。
阅读this。
编辑:您的实体 class 必须是这样的:
<?php // src/AppBundle/Entity/Account.php
namespace AppBundle\Entity;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Security\Core\Role\Role;
use Symfony\Component\Security\Core\User\AdvancedUserInterface;
use Serializable;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
/**
* @ORM\Table(name="accounts")
* @ORM\Entity(repositoryClass="AppBundle\Entity\AccountRepository")
* @UniqueEntity(fields="username", message="That username is taken!")
* @UniqueEntity(fields="email", message="That email is taken!")
*/
class Account implements AdvancedUserInterface, Serializable
{
/**
* @ORM\Column(name="id", type="integer")
* @ORM\Id
* @ORM\GeneratedValue(strategy="AUTO")
*/
private $id;
/**
* @ORM\Column(name="username", type="string", length=30)
* @Assert\NotBlank(message="Give us at least 3 characters")
* @Assert\Length(min=3, minMessage="Give us at least 3 characters!")
*/
private $username;
/**
* @ORM\Column(name="password", type="string", length=255)
*/
private $password;
/**
* @ORM\Column(name="salt", type="string")
*/
private $salt;
/**
* @ORM\Column(type="string", length=120)
* @Assert\NotBlank
* @Assert\Email
*/
private $email;
/**
* @ORM\Column(type="json_array")
*/
private $roles = array();
/**
* @ORM\Column(type="boolean")
*/
private $isActive = false;
/**
* @Assert\NotBlank
* @Assert\Regex(
* pattern="/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).*$/",
* message="Use 1 upper case letter, 1 lower case letter, and 1 number"
* )
*/
private $plainPassword;
/**
* @return integer
*/
public function getId()
{
return $this->id;
}
/**
* @return string
*/
public function getUsername()
{
return $this->username;
}
/**
* @param string $username
* @return Account
*/
public function setUsername($username)
{
$this->username = $username;
return $this;
}
/**
* @return string
*/
public function getEmail()
{
return $this->email;
}
/**
* @param string $email
* @return Account
*/
public function setEmail($email)
{
$this->email = $email;
return $this;
}
/**
* @return string
*/
public function getPassword()
{
return $this->password;
}
/**
* @param string $password
* @return Account
*/
public function setPassword($password)
{
$this->password = $password;
return $this;
}
/**
* @return string
*/
public function getPlainPassword()
{
return $this->plainPassword;
}
/**
* @param $plainPassword
* @return string
*/
public function setPlainPassword($plainPassword)
{
$this->plainPassword = $plainPassword;
return $this;
}
/**
* @return array Role
*/
public function getRoles()
{
$roles = $this->roles;
$roles[] = 'ROLE_USER';
return array_unique($roles);
}
/**
* @param array $roles
* @return Role
*/
public function setRoles(array $roles)
{
$this->roles = $roles;
return $this;
}
/**
* Removes sensitive data from the user
*/
public function eraseCredentials()
{
$this->setPlainPassword(null);
}
/**
* @return string
*/
public function getSalt()
{
return null;
}
/**
* @param $salt
* @return Account
*/
public function setSalt($salt)
{
$this->salt = $salt;
return $this;
}
/**
* @return boolean
*/
public function getIsActive()
{
return $this->isActive;
}
/**
* @param boolean $isActive
*/
public function setIsActive($isActive)
{
$this->isActive = $isActive;
}
public function isAccountNonExpired()
{
return true;
}
public function isAccountNonLocked()
{
return true;
}
public function isCredentialsNonExpired()
{
return true;
}
public function isEnabled()
{
return $this->getIsActive();
}
public function serialize()
{
return serialize(array(
$this->id,
$this->username,
$this->password,
$this->salt,
$this->isActive
));
}
public function unserialize($serialized)
{
list (
$this->id,
$this->username,
$this->password,
$this->salt,
$this->isActive
) = unserialize($serialized);
}
}
您需要使用 Serializable 接口并实现其称为 serializable 和 unserializable 的方法。在两个函数中定义你的盐变量。