Spring Security 3:Salting密码问题

Question

我有一个简单的应用程序,我可以注册用户并验证它们.我已经使用密码编码并成功验证了它们.我在我的应用程序中使用Spring 3,Spring Security 3和Hibernate 3.

现在我想用他们的用户ID来限制他们的密码,但是我无法实现这个功能.有人可以帮我实现吗？我一直试图这么做但却无法完成它.

这是我用来为用户提供ID并对其进行身份验证的代码.

XYZ-security.xml文件

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/welcome.do" access="hasRole('ROLE_USER')" /> 
    <form-login login-page="/login.do" authentication-failure-url="/login.do?login_error=1"/>       
    <logout invalidate-session="true" logout-url="/logout" logout-success-url="/"/>
</http>

<beans:bean id="daoAuthenticationProvider"  class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>

<beans:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <beans:property name="providers">
        <beans:list>
            <beans:ref local="daoAuthenticationProvider" />
        </beans:list>
    </beans:property>
</beans:bean>

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder ref="passwordEncoder">                
            <salt-source ref="saltSource"/>
            </password-encoder>
    </authentication-provider>
</authentication-manager>

<!-- For hashing and salting user passwords -->
<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource"
    p:userPropertyToUse="id"/>

UserDetailsAdapter.java

@Service("userDetailsAdapter")
public class UserDetailsAdapter {   

    private Long id;

    org.springframework.security.core.userdetails.User buildUserFromUserEntity(User userEntity) {
        String username = userEntity.getUsername();
        String password = userEntity.getPassword();
        boolean enabled = userEntity.isEnabled();
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        boolean accountNonLocked = true;

        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String authority: userEntity.getAuthorities()) {

            authorities.add(new GrantedAuthorityImpl(authority));
        }

        this.id = userEntity.getId();

        org.springframework.security.core.userdetails.User user = new org.springframework.security.core.userdetails.User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
        return user;
    }

    public Long getId() {
        return id;
    }

}

UserDetailsS​​erviceImpl

@Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserDao userDao;

    @Autowired
    private UserDetailsAdapter userDetailsAdapter;

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        UserDetails userDetails = null;
        User userEntity = userDao.findByUsername(username);

        if (userEntity == null) {
          throw new UsernameNotFoundException("user not found");
        }
        userDetails = userDetailsAdapter.buildUserFromUserEntity(userEntity);

        return userDetails;
    }
}

UserServiceImpl

@Service
public class UserServiceImpl implements UserService {

    @Autowired
    private UserDao userDao;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Autowired
    private SaltSource saltSource;

    public User getByUsername(String username) {
        return userDao.findByUsername(username);
    }

    public User getByEmail(String email) {
        return userDao.findByEmail(email);
    }

    public void createUser(User user) {
        userDao.create(user);

        UserDetailsAdapter userDetailsAdapter = new UserDetailsAdapter();
        org.springframework.security.core.userdetails.User userDetails =  userDetailsAdapter.buildUserFromUserEntity(user);
        String password = userDetails.getPassword();
        Object salt = saltSource.getSalt(userDetails);
        user.setPassword(passwordEncoder.encodePassword(password, salt));
        userDao.update(user);

    }

    public void updateUser(User user) {
        userDao.update(user);
    }
}

有人能帮助我理解我在这里缺少什么吗？非常感谢.

Answer 1

ReflectionSaltSource从实例中提取盐UserDetails.但是你使用它org.springframework.security.core.userdetails.User作为一个实现UserDetails,它没有一个名为的属性id(而不是你有这个属性UserDetailsAdapter,没有意义,因为UserDetailsAdapter是一个单身).

因此,您需要创建org.springframework.security.core.userdetails.User带id属性的子类,并从您的属性中返回它UserDetailsAdapter.

Answer 2

以下是使其正常工作的更新文件:

UserDetailsAdapter.java

public class UserDetailsAdapter extends org.springframework.security.core.userdetails.User {
    private final Long id;
    public UserDetailsAdapter(User userEntity) {

        super(userEntity.getUsername(), userEntity.getPassword(), userEntity.isEnabled(), true, true, true, toAuthorities(userEntity.getAuthorities()));
        this.id = userEntity.getId();
    }

    private static Collection<GrantedAuthority> toAuthorities(List<String> authorities) {
        Collection<GrantedAuthority> authorityList = new ArrayList<GrantedAuthority>();
        for (String authority: authorities) {
            authorityList.add(new GrantedAuthorityImpl(authority));
        }
        return authorityList;
    }

    public Long getId() {
        return id;
    }

}

UserDetailsS​​erviceImpl.java

@Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserDao userDao;

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        UserDetails userDetails = null;
        User userEntity = userDao.findByUsername(username);

        if (userEntity == null) {
          throw new UsernameNotFoundException("user not found");
        }
        userDetails = new UserDetailsAdapter(userEntity);

        return userDetails;
    }
}

UserServiceImpl.java

@Service
public class UserServiceImpl implements UserService {
...
    public void createUser(User user) {
        userDao.create(user);

        UserDetailsAdapter userDetails = new UserDetailsAdapter(user);
        String password = userDetails.getPassword();
        Object salt = saltSource.getSalt(userDetails);
        user.setPassword(passwordEncoder.encodePassword(password, salt));
        userDao.update(user);

    }
...
}

谢谢 :)