我已经使用ldap和plaintext成功实现了spring security login . 现在我在ldap中切换到sha-256用于密码哈希 . 我在applicationContext-security.xml中添加了password-encoder . 但是,我无法通过 spring 安全性成功验证 . 我收到“您输入的用户名或密码无效!”
这是我的代码:
的applicationContext-security.xml文件
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http auto-config="true" use-expressions="true" access-denied-page="/user/denied" >
<security:form-login
login-page="/login"
authentication-failure-url="/login?error=true"
default-target-url="/admin/user"/>
<security:logout invalidate-session="true"
logout-success-url="/login"
logout-url="/j_spring_security_logout"/>
</security:http>
<security:authentication-manager>
<security:ldap-authentication-provider user-search-filter="uid={0}" user-search-base="ou=Users">
<security:password-compare>
<security:password-encoder hash="sha-256" />
</security:password-compare>
</security:ldap-authentication-provider>
</security:authentication-manager>
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://192.168.1.100:389/dc=openLDAP" />
<property name="userDn" value="cn=admin,dc=openLDAP" />
<property name="password" value="password" />
</bean>
</beans>
登录控制器:
@RequestMapping(value="/login", method=RequestMethod.GET)
public String login(@RequestParam(value="error", required=false) boolean error, ModelMap model, HttpServletRequest request) {
HttpSession session = request.getSession();
if(session.getAttribute("SPRING_SECURITY_CONTEXT" != null) {
return "redirect:/home";
}
if(error) {
model.put("error", "you have entered an invalid username or password!");
}
else {
model.put("error", "");
}
return "login";
}
登录视图:
<form action="j_spring_security_check" method="post" >
username: <input id="j_username" name="j_username" type="text" />
password: <input id="j_password" name="j_password" type="password" />
</form>
1 回答
我认为你的问题是你在客户端散列了passowrd(spring-security),然后OpenLDAP再次对该字符串进行哈希处理,然后将结果与存储的密码哈希进行比较 . 两种组合中的一种应该起作用:
在spring-security中配置散列算法并将密码散列作为纯文本密码类型存储在OpenLDAP中 - >散列密码将发送到LDAP并与存储的散列密码进行比较 .
不要在spring-security中配置散列并将密码作为散列密码类型存储在OpenLDAP中(就像根据您的注释所做的那样) - >明文密码发送到LDAP,由LDAP服务器进行散列,然后进行比较存储的密码哈希 .
我建议2)与LDAP服务器的SSL加密连接相结合,以保护传输中的纯文本密码 . 如果您选择2),则可以使用SMD5密码类型轻松启用密码哈希值 . 1)具有缺点,即每个客户端都需要支持所选择的散列函数 .