Spring Security的密码加密实战

一 参考文章

http://www.spring4all.com/article/421

二 代码位置

https://github.com/cakin24/spring-security-demos/tree/master/01%20-%20%E5%AF%86%E7%A0%81%E5%8A%A0%E5%AF%86%EF%BC%88%E6%95%B0%E6%8D%AE%E5%BA%93%EF%BC%89

三 数据库

1 新建数据库security01

2 新建数据表

DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `username` varchar(255) DEFAULT NULL COMMENT '账号',
  `password` varchar(255) DEFAULT NULL COMMENT '密码',
  `nickname` varchar(255) DEFAULT '' COMMENT '昵称',
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

四 测试

1 启动程序

2 浏览器输入  http://localhost:8080/register

3 注册

用户名	密码	昵称
admin	admin	admin
user	user	user
cakin	cakin	cakin

 

 

 

 

 

4 注册后的数据库

五 核心代码

package com.spring4all.service.impl;


import com.spring4all.entity.UserDO;
import com.spring4all.repository.UserRepository;
import com.spring4all.service.UserService;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Primary;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;
import org.springframework.stereotype.Service;


import java.util.HashMap;
import java.util.Map;
import java.util.Random;


@Service
@Primary
@Slf4j
public class BaseUserService implements UserService {


    private final static Map ENCODER_TYPE = new HashMap<>();


    private final static Map ENCODER_MAP = new HashMap<>();


    private final static String PASSWORD_FORMAT = "{%s}%s";


    private final UserRepository userRepository;


    public BaseUserService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }


    static {
        ENCODER_TYPE.put(0, "noop");   // 不加密
        // 下面是4种常用的加密算法
        ENCODER_TYPE.put(1, "bcrypt");
        ENCODER_TYPE.put(2, "pbkdf2");
        ENCODER_TYPE.put(3, "scrypt");
        ENCODER_TYPE.put(4, "sha256");
        ENCODER_MAP.put("noop", NoOpPasswordEncoder.getInstance());
        ENCODER_MAP.put("bcrypt", new BCryptPasswordEncoder());
        ENCODER_MAP.put("pbkdf2", new Pbkdf2PasswordEncoder());
        ENCODER_MAP.put("scrypt", new SCryptPasswordEncoder());
        ENCODER_MAP.put("sha256", new StandardPasswordEncoder());
    }


    @Override
    public void insert(UserDO userDO) {
        String username = userDO.getUsername();
        if (exist(username)) {
            throw new RuntimeException("用户名已存在！");
        }
        // 随机使用加密方式
        Random random = new Random();
        int x = random.nextInt(5);
        String encoderType = ENCODER_TYPE.get(x);
        PasswordEncoder passwordEncoder = ENCODER_MAP.get(encoderType);
        userDO.setPassword(String.format(PASSWORD_FORMAT, encoderType, passwordEncoder.encode(userDO.getPassword())));
        userRepository.save(userDO);
    }


    @Override
    public UserDO getByUsername(String username) {
        return userRepository.findByUsername(username);
    }


    /**
     * 判断用户是否存在
     */
    private boolean exist(String username) {
        UserDO userDO = userRepository.findByUsername(username);
        return (userDO != null);
    }
}

这里用到了随机加密方式

六 源码解读

/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java

protected void additionalAuthenticationChecks(UserDetails userDetails,
      UsernamePasswordAuthenticationToken authentication)
      throws AuthenticationException {
   if (authentication.getCredentials() == null) {
      logger.debug("Authentication failed: no credentials provided");


      throw new BadCredentialsException(messages.getMessage(
            "AbstractUserDetailsAuthenticationProvider.badCredentials",
            "Bad credentials"));
   }


   String presentedPassword = authentication.getCredentials().toString();
   // 就是这里对密码进行加密比较的
   if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
      logger.debug("Authentication failed: password does not match stored value");


      throw new BadCredentialsException(messages.getMessage(
            "AbstractUserDetailsAuthenticationProvider.badCredentials",
            "Bad credentials"));
   }
}

七 调试

用admin用户登录，调试关键步骤如下：