Spring Security--PasswordEncoder详解 - michizong9406的博客 - CSDN博客

安宇雨 - 随手采集
2019-10-23 16:15:45
随手采集
0000-未整理-等待研究

Becoming Involved

Spring Security封装了如bcrypt, PBKDF2, scrypt, Argon2等主流适应性单向加密方法（ adaptive one-way functions），用以进行密码存储和校验。单向校验安全性高，但开销很大，单次密码校验耗时可能高达1秒，故针对高并发性能要求较强的大型信息系统，Spring Security更推荐选择如：session, OAuth，Token等开销很小的短期加密策略（short term credential）实现系统信息安全。

Delegating PasswordEncoder

使用PasswordEncoderFactories创建需要的Encoder，Spring Security集成的PasswordEncoder的id如下：

PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

//或自定义创建PasswordEncoder
String idForEncode = "bcrypt";
Map encoders = new HashMap<>();
encoders.put(idForEncode, new BCryptPasswordEncoder());
encoders.put("noop", NoOpPasswordEncoder.getInstance());

PasswordEncoder passwordEncoder = new DelegatingPasswordEncoder(idForEncode, encoders);

function

bcrypt

BCryptPasswordEncoder (Also used for encoding)

ldap

LdapShaPasswordEncoder

MD4

Md4PasswordEncoder

MD5

new MessageDigestPasswordEncoder(“MD5”)

noop

NoOpPasswordEncoder

pbkdf2

Pbkdf2PasswordEncoder

scrypt

SCryptPasswordEncoder

SHA-1

new MessageDigestPasswordEncoder(“SHA-1”)

SHA-256

new MessageDigestPasswordEncoder(“SHA-256”)

sha256

StandardPasswordEncoder

通常，可以使用{id}+原始密文的格式，告诉Spring Seurity委派哪个PasswordEncoder校验，{id}为密码前缀，如：

{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
{noop}password

User user = User.withDefaultPasswordEncoder().username("user").password("password").roles("user").build();
System.out.println(user.getPassword());
// {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG

//或
User user = User.withUsername("user").password("{bcrypt}password").roles("user").build();

注意：