2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
This issue covers how to store passwords as MD5 hashes in Spring Security. The article is detailed and approaches the topic from a practitioner's point of view; I hope you get something out of it.
I. Why use encryption
Let's first talk about how a password is processed once encryption is in use. Why do we store ciphertext instead of the password itself? If a user registers on the site with the password 123456, then without encryption the database stores 123456 as-is. What is wrong with that? Plenty. Consider the 12306 password leak, which exposed all of those users' information: was the users' password not complex enough? Perhaps. But the main reason is that when plaintext is stored in the database, a hacker who gets hold of it has nothing to crack, and obtaining one password may hand over a whole set of data. A sketch makes this easier to follow (sketch omitted), and there are certainly far more than two users in the database whose password is 123456. You can imagine how bad the consequences are.
II. MD5 + salt
The concept itself is easy to look up online (a quick Baidu search is enough), so it is not elaborated here; our focus is on using MD5 in Spring Security. We know that plain MD5 is not secure, but if we hash the password with MD5 plus a salt, the difficulty of cracking it is multiplied many times over and it becomes essentially impossible to crack. Everyone knows that MD5 is irreversible, meaning an encrypted password cannot be decrypted; otherwise how could it be secure? So let's look at what a hacker actually gets if MD5 encryption is used. As above, a sketch makes this easier to understand (sketch omitted).
Although both Zhang San and Li Si chose 123456 as their password when they registered, we ran MD5+salt before saving, so the database holds two clearly different ciphertexts. Now suppose the hacker obtains the ciphertexts and cracks one. After cracking it he tries to log in and finds that only Zhang San's account works, while Li Si's does not. Why? Because at login we hash the plaintext entered by the user with the same scheme used before, producing a ciphertext, and then compare it with the ciphertext saved in the database; the login goes through only if the two match. Zhang San's ciphertext differs from Li Si's, so even if Zhang San's password is recovered, Li Si's 123456 remains safe. As usual, a sketch (omitted) shows the process by which Spring Security compares passwords.
In this way the password is well protected, so let's look at how to use it in a project.
III. Custom PasswordEncoder
To use custom password encryption in Spring Security, first create a new class (call it xxxPasswordEncoder); Spring Security will then use the encoder you define to compare passwords. So we write a class that implements the PasswordEncoder interface. First, let's look at which methods PasswordEncoder declares.
One is encode, which encrypts the plaintext password: after implementing PasswordEncoder, our custom encryption logic goes in encode.
The other is matches, which, as the name says, matches passwords: the first parameter is the raw password to check and the second is the ciphertext produced earlier by encode. Our "decryption" (which actually encrypts the input again with the same scheme and then compares) goes here. Here is my custom MD5PasswordEncoder:
    import org.springframework.security.crypto.password.PasswordEncoder;

    public class MD5PasswordEncoder implements PasswordEncoder {

        @Override
        public String encode(CharSequence rawPassword) {
            // Hash the plaintext with the same salted-MD5 utility used when saving users
            return MD5Util2.encode(rawPassword.toString());
        }

        @Override
        public boolean matches(CharSequence rawPassword, String encodedPassword) {
            // Re-hash the submitted password and compare it with the stored ciphertext
            return encodedPassword.equals(MD5Util2.encode(rawPassword.toString()));
        }
    }
MD5 encryption utility class:
    import java.security.MessageDigest;

    // MD5 encryption utility class
    public class MD5Util2 {
        private static final String SALT = "lwz";

        public static String encode(String password) {
            password = password + SALT;
            MessageDigest md5 = null;
            try {
                md5 = MessageDigest.getInstance("MD5");
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
            // Copies only the low byte of each char, so non-ASCII characters are truncated
            char[] charArray = password.toCharArray();
            byte[] byteArray = new byte[charArray.length];
            for (int i = 0; i < charArray.length; i++) {
                byteArray[i] = (byte) charArray[i];
            }
            byte[] md5Bytes = md5.digest(byteArray);
            // Render the 16-byte digest as 32 lowercase hex characters
            StringBuilder hexValue = new StringBuilder();
            for (int i = 0; i < md5Bytes.length; i++) {
                int val = ((int) md5Bytes[i]) & 0xff;
                if (val < 16) {
                    hexValue.append("0");
                }
                hexValue.append(Integer.toHexString(val));
            }
            return hexValue.toString();
        }
    }
As you can see, when matching, the submitted password is salted and hashed in exactly the same way, and the result is compared with the previously saved ciphertext.
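One point worth checking against the Zhang San / Li Si story above: in MD5Util2 the salt is the constant "lwz", so two users who both choose 123456 end up with the same ciphertext. The two-different-ciphertexts behaviour the story describes needs a salt that differs per user. The following is an added example, not code from the original post: a PasswordEncoder that draws a random salt per password, stores it next to the digest as "<salt-hex>$<digest-hex>", and re-derives the digest in matches. The class name SaltedMd5PasswordEncoder and the storage format are my own choices; it assumes Java 17+ (for java.util.HexFormat) and spring-security-crypto on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (hypothetical class): MD5 with a per-user random salt.
// Stored form: "<salt-hex>$<md5-hex>", so matches() can recover the salt.
public class SaltedMd5PasswordEncoder implements PasswordEncoder {

    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public String encode(CharSequence rawPassword) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                       // fresh salt for every encode() call
        String saltHex = HexFormat.of().formatHex(salt);
        return saltHex + "$" + digestHex(salt, rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Spring Security may call matches() with a null or placeholder hash
        // (e.g. for a user that does not exist); treat anything malformed as no match.
        if (rawPassword == null || encodedPassword == null) {
            return false;
        }
        int sep = encodedPassword.indexOf('$');
        if (sep <= 0 || sep == encodedPassword.length() - 1) {
            return false;
        }
        byte[] salt;
        try {
            salt = HexFormat.of().parseHex(encodedPassword.substring(0, sep));
        } catch (IllegalArgumentException e) {
            return false;                          // salt part is not valid hex
        }
        String expected = encodedPassword.substring(sep + 1);
        String actual = digestHex(salt, rawPassword);
        // Constant-time comparison: does not stop early at the first differing byte
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    // MD5(salt || UTF-8 bytes of password), rendered as lowercase hex
    private static String digestHex(byte[] salt, CharSequence rawPassword) {
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            md5.update(salt);
            md5.update(rawPassword.toString().getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(md5.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 digest not available", e);
        }
    }

    public static void main(String[] args) {
        PasswordEncoder enc = new SaltedMd5PasswordEncoder();
        // Constructed sample input: the two users from the post, both registering with 123456
        String zhangSan = enc.encode("123456");
        String liSi = enc.encode("123456");
        System.out.println("Zhang San stored: " + zhangSan);
        System.out.println("Li Si stored:     " + liSi);
        // Same password but different salts, so the two stored strings differ
        System.out.println("stored values identical? " + zhangSan.equals(liSi));
        // Each user's login still verifies against their own stored value
        System.out.println("Zhang San login ok? " + enc.matches("123456", zhangSan));
        System.out.println("Li Si login ok?     " + enc.matches("123456", liSi));
        System.out.println("wrong password ok?  " + enc.matches("654321", zhangSan));
        System.out.println("malformed hash ok?  " + enc.matches("123456", "not-a-hash"));
    }
}
```

Because the salt is embedded in the stored value, no schema change is needed beyond a wider password column, and the matches() path never needs to know which salt was used at registration time. The UTF-8 conversion also avoids the char-to-byte truncation in MD5Util2, so passwords containing non-ASCII characters hash to distinct values.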
IV. How Spring Security handles MD5
This part is actually very simple: before saving the user's data, call the encryption method (the custom encoder above) on the plaintext password you received from the user. On Spring Security's side, use the UserDetails implementation class from the previous article: read the (already encoded) password from the database and hand it to Spring Security in the returned User object, and it will automatically call matches to do the comparison. So our code looks like this:
    import java.util.ArrayList;
    import java.util.List;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Component;

    @Component
    public class CustomUserService implements UserDetailsService {

        @Autowired
        AdminService adminService;

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            Admin admin = adminService.findAdminByUsername(username);
            if (admin == null) {
                throw new UsernameNotFoundException("username does not exist");
            }
            // Used to add the user's permissions: just put the user's rights into authorities and everything works.
            // One user can correspond to multiple roles.
            List<GrantedAuthority> authorities = new ArrayList<>();
            for (Role role : admin.getRoles()) {
                authorities.add(new SimpleGrantedAuthority(role.getName()));
            }
            // The stored (already MD5+salt encoded) password is passed through as-is;
            // Spring Security calls our PasswordEncoder.matches against it
            return new User(admin.getUsername(), admin.getPassword(), true, true, true, true, authorities);
        }
    }
So the password is passed straight through. You could also write your own User subclass with its own logic; here we simply return Spring's User, as described in the previous article.
The rest is simple: we just expose our PasswordEncoder to Spring Security as a bean, which amounts to telling Spring Security "use my custom encoder to process passwords, and call it yourself". So register a bean in LoginSecurityConfig (the class in which you extended the WebSecurityConfigurerAdapter abstract class), as follows:
    // Tell Spring Security that I want to use my custom Encoder to process passwords
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new MD5PasswordEncoder();
    }
Authentication:
    // Authentication
    // Password encoding: PasswordEncoder
    // Many encryption methods have been added in Spring Security 5.0+
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Verify the account and password against the database
        auth.userDetailsService(customUserService());
    }
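The comment above notes that Spring Security 5.0+ ships many more encoders. Since 5.0 the recommended way to register several is DelegatingPasswordEncoder, which prefixes each stored value with an {id} and picks the matching encoder at verification time. The following is an added example, not code from the original post, showing the complete LoginSecurityConfig wired that way: the post's MD5PasswordEncoder is registered under the id "md5" and stays the encoder used for new passwords, so the post's approach is unchanged, while rows that were stored before any prefix existed still verify through setDefaultPasswordEncoderForMatches. It assumes Spring Security 5.x (WebSecurityConfigurerAdapter is removed in 6), that MD5PasswordEncoder and CustomUserService from this post are on the classpath, and that CustomUserService is injectable as a UserDetailsService bean.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: full security config registering the post's MD5 encoder
// through Spring Security 5's DelegatingPasswordEncoder.
@Configuration
@EnableWebSecurity
public class LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    private final UserDetailsService customUserService;

    // Assumption: CustomUserService (a @Component in the post) is injected here
    public LoginSecurityConfig(UserDetailsService customUserService) {
        this.customUserService = customUserService;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        MD5PasswordEncoder md5 = new MD5PasswordEncoder();   // the post's custom encoder

        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("md5", md5);                             // stored as {md5}<hex>
        encoders.put("bcrypt", new BCryptPasswordEncoder()); // shipped with Spring Security 5+

        // First argument: the id used for *new* encode() calls. Stored values are
        // matched by whatever {id} prefix they carry, so both kinds can coexist.
        DelegatingPasswordEncoder delegating = new DelegatingPasswordEncoder("md5", encoders);

        // Rows written before any {id} prefix existed have no prefix at all;
        // without this, matches() on such a row throws IllegalArgumentException.
        delegating.setDefaultPasswordEncoderForMatches(md5);
        return delegating;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Verify the account and password against the database, using our encoder bean
        auth.userDetailsService(customUserService).passwordEncoder(passwordEncoder());
    }
}
```

With this in place, a later decision to move new registrations to bcrypt is a one-word change (the first constructor argument), and existing {md5} and unprefixed rows keep verifying until their owners next log in; the default PasswordEncoder.upgradeEncoding hook can then be used to re-encode them under the new id.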
That is how to use MD5 password encryption in Spring Security, as shared by the editor. If you have similar doubts, the analysis above may help you understand. For more, follow the industry information channel.