Spring Security 4.x 启用BCrypt加密

曾经终败给现在 2022-07-12 19:41 192阅读 0赞

## 10.3 Password Encoding ##

Spring Security’s `PasswordEncoder` interface is used to support the use of passwords which are encoded in some way in persistent storage. You should never store passwords in plain text. Always use a one-way password hashing algorithm such as bcrypt which uses a built-in salt value which is different for each stored password. Do not use a plain hash function such as MD5 or SHA, or even a salted version. Bcrypt is deliberately designed to be slow and to hinder offline password cracking, whereas standard hash algorithms are fast and can easily be used to test thousands of passwords in parallel on custom hardware. You might think this doesn’t apply to you since your password database is secure and offline attacks aren’t a risk. If so, do some research and read up on all the high-profile sites which have been compromised in this way and have been pilloried for storing their passwords insecurely. It’s best to be on the safe side. Using`org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"` is a good choice for security. There are also compatible implementations in other common programming languages so it a good choice for interoperability too.

译：Spring Security的`PasswordEncoder`接口用于支持使用以某种方式在持久存储中编码的密码。您不应该以纯文本格式存储密码。始终使用单向密码散列算法，例如bcrypt，它使用对每个存储的密码不同的内置盐值。不要使用平滑哈希函数，如MD5或SHA，甚至是盐化版本。 Bcrypt被故意设计为缓慢并阻止离线密码破解，而标准哈希算法是快速的，并且可以容易地用于在定制硬件上并行地测试数千个密码。您可能认为这不适用于您，因为您的密码数据库是安全的，脱机攻击不是风险。如果是这样，请做一些研究，并阅读所有的高调的网站，已经被这种方式受到损害，并被嘲笑存储他们的密码不安全。最好是在安全的一面。使用org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder“是安全的好选择。在其他通用编程语言中还有兼容的实现，因此它也是互操作性的好选择。

If you are using a legacy system which already has hashed passwords, then you will need to use an encoder which matches your current algorithm, at least until you can migrate your users to a more secure scheme (usually this will involve asking the user to set a new password, since hashes are irreversible). Spring Security has a package containing legacy password encoding implementation, namely, `org.springframework.security.authentication.encoding` . The `DaoAuthenticationProvider`can be injected with either the new or legacy `PasswordEncoder` types.

译：如果您使用的是已经具有哈希密码的旧系统，则需要使用与当前算法匹配的编码器，至少可以将用户迁移到更安全的方案（通常这将涉及请求用户设置一个新的密码，因为哈希是不可逆的）。 Spring Security有一个包含旧密码编码实现的包，即org.springframework.security.authentication.encoding。 DaoAuthenticationProvider可以注入新的或传统的PasswordEncoder类型。

#### Adding a Password Encoder ####

Passwords should always be encoded using a secure hashing algorithm designed for the purpose (not a standard algorithm like SHA or MD5). This is supported by the`<password-encoder>` element. With bcrypt encoded passwords, the original authentication provider configuration would look like this:

译:密码应始终使用为此目的设计的安全散列算法（不是像SHA或MD5这样的标准算法）进行编码。 这由`<password-encoder>`元素支持。 使用bcrypt编码的密码，原始验证提供程序配置将如下所示：

<beans:bean name="bcryptEncoder"class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
    
    <authentication-manager>
      <authentication-provider>
    	<password-encoder ref="bcryptEncoder"/>
    	  <user-service>
    	    <user name="jimi" password="d7e6351eaa13189a5a3641bab846c8e8c69ba39f"authorities="ROLE_USER, ROLE_ADMIN" />
    	    <user name="bob" password="4e7421b1b8765d8f9406d87e7cc6aa784c4ab97f"authorities="ROLE_USER" />
    	  </user-service>
      </authentication-provider>
    </authentication-manager>

bcrypt is a good choice for most cases, unless you have a legacy system which forces you to use a different algorithm. If you are using a simple hashing algorithm or, even worse, storing plain text passwords, then you should consider migrating to a more secure option like bcrypt.

译:bcrypt是大多数情况下的一个不错的选择，除非你有一个旧系统，迫使你使用不同的算法。 如果您使用简单的哈希算法，或者更糟的是存储纯文本密码，那么您应该考虑迁移到更安全的选项，如bcrypt。