Question
I have a Java web application using the Spring Framework and Spring Security for its login. In my database I have my passwords encrypted to MD5 before being saved. I added this code to my application-config.xml:
    <security:authentication-provider>
        <security:password-encoder hash="md5"/>
        <security:jdbc-user-service
            data-source-ref="dataSource"
            users-by-username-query="select user_name username, user_password password, 1 enabled from users where user_name=?"
            authorities-by-username-query="select username, authority from authorities where username=?" />
    </security:authentication-provider>
At first it worked when the passwords in the db were not encrypted. But when I encrypted them and added this snippet to my application config
    <security:password-encoder hash="md5"/>
I am not able to log in.
Answer 1:
How are you creating your MD5 hashes? Something like the following works well in Java:
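    import java.math.BigInteger;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    MessageDigest messageDigest = MessageDigest.getInstance("MD5");
    // Hash the encoded bytes; their count can differ from String.length() for non-ASCII passwords
    byte[] passwordBytes = user.getPassword().getBytes(StandardCharsets.UTF_8);
    messageDigest.update(passwordBytes, 0, passwordBytes.length);
    String hashedPass = new BigInteger(1, messageDigest.digest()).toString(16);
    // BigInteger drops leading zeros (possibly more than one), so pad back to 32 hex digits
    while (hashedPass.length() < 32) {
        hashedPass = "0" + hashedPass;
    }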
When you encode "koala" do you get "a564de63c2d0da68cf47586ee05984d7"?
Answer 2:
I realize this is a little late, but Spring has built-in classes that make this a lot easier.
    @Test
    public void testSpringEncoder() {
        PasswordEncoder encoder = new Md5PasswordEncoder();
        String hashedPass = encoder.encodePassword("koala", null);
        assertEquals("a564de63c2d0da68cf47586ee05984d7", hashedPass);
    }
This is a unit test that I wrote using the built-in Spring Security code; it is a lot smaller than the MessageDigest code, and since you are using Spring Security already, you should have the classes in your classpath already.
Answer 3:
Have you read the 6.3.3 Hashing and Authentication section of the Spring Security reference manual? It mentions some possible issues that you might encounter when using password hashing.
Some possibilities it listed:
- The database password hash might be in Base64, while the result from Md5PasswordEncoder is a hexadecimal string
- Your password hash might be in upper case, while the result from the encoder is a lower-case string
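
The two mismatches listed in the last answer can be checked directly against a value copied from the users table. The following diagnostic is an added example, not part of the original answers and not Spring Security code; the class name `StoredHashCheck`, its method names and the sample values are constructed for illustration, and it assumes passwords are hashed as UTF-8 bytes.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added diagnostic (hypothetical class): reports how a stored MD5 value
// relates to the lower-case hex form the answers above compare against.
public class StoredHashCheck {

    static byte[] md5(String password) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5")
                .digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Lower-case hex, always 32 characters (leading zeros kept).
    static String hex(byte[] digest) {
        return String.format("%032x", new BigInteger(1, digest));
    }

    // Classifies the stored column value against a known test password.
    static String classify(String stored, String password) throws NoSuchAlgorithmException {
        byte[] digest = md5(password);
        String lowerHex = hex(digest);
        if (stored.equals(lowerHex)) return "MATCH_LOWER_HEX";
        if (stored.equalsIgnoreCase(lowerHex)) return "HEX_CASE_DIFFERS";
        if (stored.equals(Base64.getEncoder().encodeToString(digest))) return "BASE64";
        if (stored.equals(password)) return "PLAINTEXT_NOT_HASHED";
        return "NO_MATCH";
    }

    public static void main(String[] args) throws Exception {
        String password = "koala"; // test password used in the answers above
        byte[] digest = md5(password);
        // Constructed sample "database" values, all derived from the same password.
        String[] samples = {
            hex(digest),
            hex(digest).toUpperCase(),
            Base64.getEncoder().encodeToString(digest),
            password
        };
        for (String stored : samples) {
            System.out.println(classify(stored, password) + "  <- " + stored);
        }
    }
}
```

Only a stored value classified as `MATCH_LOWER_HEX` compares equal to the lower-case hexadecimal output the answers above describe; any other result points at how the stored hashes were generated.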
Source: https://stackoverflow.com/questions/1821082/spring-security-encrypt-md5