Question
I'm currently trying to implement BCrypt with LDAP in my Spring Security. The question I have is: does LDAP support this, and if so, how do I implement it? Looking at the image below, I do not see BCrypt as an option within the Password Editor view in the LDAP perspective. My current Basic authentication works with plain-text passwords; however, I would like to enhance the security.

My current security-context.xml is:
<authentication-manager>
    <ldap-authentication-provider
        user-search-filter="(uid={0})"
        user-search-base="ou=users,${ldap.base}"
        group-search-filter="(uniqueMember={0})"
        group-search-base="ou=roles,${ldap.base}"
        group-role-attribute="cn"
        role-prefix="ROLE_">
    </ldap-authentication-provider>
</authentication-manager>
How do I implement BCrypt in my case? I read somewhere that we may have to use UserDetailsService?
Any help would be greatly appreciated. Thanks.
Answer 1:
It sounds like you may be misunderstanding what enabling bcrypt (or any other hash) would actually achieve, and where it would be implemented. It wouldn't make any difference to how basic authentication works, for example. That would still send the password to your application in plain text. The password hashing would then be done on the server side and checked against the stored hashed value. In a non-LDAP app, Spring Security would do this validation, after loading the password hash from a database.
LDAP adds another layer. In this case, Spring Security is a client of the LDAP server and will use the supplied username and password in an LDAP bind operation to attempt to authenticate as the user. Again the password is sent in plaintext, and this time the hashing and comparison is done by the LDAP server.
So if your aim is to secure passwords in transit, hashing is irrelevant. That is why you need to use a secure connection.
In theory, you could use LDAP more like a database, store the passwords in whatever hash format you wish, and have Spring Security read them and do the validation itself. This is possibly the UserDetailsService option you refer to. However, that isn't normal practice: it would likely break the use of bind authentication (since the LDAP server itself wouldn't understand the password encoding), and it would require giving read access to the password field, which is usually frowned on.
So as @EJP says, you should probably stick with an SSHA option and use a secure connection to your application, and possibly to your LDAP server as well.
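The following is an added illustration, not code from the question or the answer above, of what the answer describes happening on the LDAP server side of a simple bind: the server receives the plaintext password, reads the user's stored userPassword value (an RFC 2307 style "{SCHEME}data" string), recomputes the hash with the stored salt and compares. It models a server that implements only the SSHA scheme, so an entry stored with an unsupported scheme (here a constructed "{BCRYPT}" placeholder) simply fails the bind, which is the "the LDAP server itself wouldn't understand the password encoding" case from the answer. The directory contents, DNs, the 8-byte salt length and the function names are all assumptions made for the example; nothing here talks to a real LDAP server.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumption for this example: 8-byte random salt. {SSHA} itself does not fix
# a salt length; the salt is whatever follows the 20-byte SHA-1 digest.
SALT_LEN = 8


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} userPassword value the way a directory (or an admin
    tool) would store it: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def scheme_of(stored: str) -> str:
    """Return the upper-cased scheme name from a "{SCHEME}..." value, or ""
    for a value with no scheme prefix (i.e. stored in cleartext)."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return ""


def verify_ssha(stored: str, password: str) -> bool:
    """What the server does on bind: recompute the salted SHA-1 from the
    plaintext it was sent and compare it in constant time with the stored
    digest. The hash is never transmitted; only the plaintext is."""
    if scheme_of(stored) != "SSHA":
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        return False  # malformed: nothing left for the salt after the digest
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def simple_bind(directory: Dict[str, str], dn: str, password: str) -> bool:
    """Model a simple bind against an in-memory directory. Only the SSHA
    scheme is implemented, so any other scheme fails the bind, just as a
    real server fails binds for schemes it has no module for."""
    stored = directory.get(dn)
    if stored is None:
        return False  # unknown DN; a real server returns invalidCredentials
    if scheme_of(stored) == "SSHA":
        return verify_ssha(stored, password)
    return False  # unsupported scheme (e.g. "{BCRYPT}") or cleartext: reject


# Constructed sample directory for the example; these are not real accounts.
FIXED_SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=com": make_ssha("correct horse", FIXED_SALT),
    # Placeholder, not a real bcrypt hash: shows the unsupported-scheme path.
    "uid=bob,ou=users,dc=example,dc=com": "{BCRYPT}not-a-real-hash-placeholder",
}

if __name__ == "__main__":
    print(simple_bind(DIRECTORY, "uid=alice,ou=users,dc=example,dc=com", "correct horse"))
    print(simple_bind(DIRECTORY, "uid=alice,ou=users,dc=example,dc=com", "wrong"))
    print(simple_bind(DIRECTORY, "uid=bob,ou=users,dc=example,dc=com", "anything"))
```

The point to take from it is the one the answer makes: the hash scheme only changes what the server stores and how it compares, never what crosses the wire. Alice's bind works because the server can recompute her {SSHA} value; Bob's bind fails for every password because this server has no bcrypt scheme, so choosing a scheme the directory does not implement breaks bind authentication rather than strengthening it. Protecting the plaintext in transit is a separate job for TLS on both the client-to-application and application-to-LDAP hops.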
Source: https://stackoverflow.com/questions/25389681/does-ldap-support-bcrypt-trying-to-implement-bcrypt-in-java-spring-security