Spring Security 3.1: StandardPasswordEncoder
QUESTION:
How can I encrypt passwords with Spring Security 3.1?
ANSWER:
Strictly speaking, stored passwords should be hashed rather than encrypted: a one-way hash lets the application check a login without ever being able to recover the clear-text password, and there is no key whose theft would expose every account at once. To hash passwords with an adequate margin of safety, three ingredients are needed:
1. a hash function based on a well-reviewed algorithm, applied many times in a row so that each brute-force guess is slow;
2. a random salt, different for every password, so that two users with the same password get different hashes and precomputed tables are useless;
3. a fixed secret, known only to the application, mixed in alongside the salt.
Fortunately, Spring Security provides all three with a few lines of configuration.
In our example we will use the StandardPasswordEncoder class. It hashes the password with SHA-256, iterated 1024 times, and automatically adds a random 8-byte salt drawn from a SecureRandom. The salt is stored in clear as the first 16 hexadecimal characters of the encoded value, followed by the 64 hexadecimal characters of the digest, so every stored password is an 80-character string and the same clear text encodes to a different string on every call. Passing a string to the constructor (in the example below: "123456") makes Spring mix that secret into every digest as well, so a copy of the user table alone is not enough to test candidate passwords offline: the attacker also needs the secret from the application configuration. In production, choose a long random value and keep it out of version control rather than a weak string like "123456"; note also that changing the secret invalidates every stored hash. Spring's own documentation recommends BCryptPasswordEncoder for new systems, since its work factor can be raised over time while StandardPasswordEncoder's 1024 iterations are fixed; we use StandardPasswordEncoder here because it is the subject of the question.
Here are the lines to add to our spring-security.xml configuration file. The <user> elements must be wrapped in <user-service>, and the password attribute holds the 80-character value produced by the encoder (shown here for the user giuseppe from the complete example below), never the clear-text password or a hash in another format:
<beans:bean id="encoder"
    class="org.springframework.security.crypto.password.StandardPasswordEncoder">
    <beans:constructor-arg value="123456"/>
</beans:bean>
<authentication-manager>
    <authentication-provider>
        <password-encoder ref="encoder" />
        <user-service>
            <user name="giuseppe" password="85ad486b448c7d2115f6b8d86de1474d0a802968ac37bf5de04077d11efc0ee01f13aa2aae5bc9ff" authorities="admin, user"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
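To make the stored format concrete, here is an added example, not code from this page or from Spring, that reimplements the StandardPasswordEncoder scheme in Python, outside the JVM, as the Spring Security 3.1 source defines it: 1024 rounds of SHA-256 over salt || secret || password, with the 8-byte salt stored in clear in front of the digest and the whole thing hex-encoded. It is the kind of script you reach for when auditing values taken from a configuration file or a database dump without an application server at hand. The function names encode, matches and split_encoded and the constant PAGE_HASH are this example's own; the stored value is copied from the page's spring-security.xml, and the candidate strings "password" and "ciao" are the two that the page's HelloHashing.java encodes. The clear text behind the page's hash is not given on the page, so the script only reports the outcome; cross-check one value against your own deployment's encoder before relying on the reimplementation.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 8        # StandardPasswordEncoder draws an 8-byte random salt per call
ITERATIONS = 1024   # ... and applies SHA-256 1024 times; the count is not configurable


def digest(secret: str, salt: bytes, password: str) -> bytes:
    """Reproduce the encoder's digest: SHA-256 iterated over salt || secret || password.

    The first round hashes the concatenation; every later round hashes the previous output.
    """
    value = salt + secret.encode("utf-8") + password.encode("utf-8")
    for _ in range(ITERATIONS):
        value = hashlib.sha256(value).digest()
    return value


def encode(secret: str, password: str, salt: Optional[bytes] = None) -> str:
    """Return hex(salt || digest): 16 hex chars of salt followed by 64 of digest, 80 in total.

    A fixed salt may be passed to make the result reproducible; the encoder itself always
    draws a fresh one, which is why two encodings of the same password never look alike.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    return (salt + digest(secret, salt, password)).hex()


def matches(secret: str, password: str, encoded: str) -> bool:
    """Verify a candidate against a stored value the way StandardPasswordEncoder.matches() does.

    The salt is read back from the first 16 hex characters of the stored value, so no
    separate salt column is needed, and the comparison is constant-time.
    """
    try:
        stored = bytes.fromhex(encoded)
    except ValueError:
        return False
    if len(stored) != SALT_LEN + hashlib.sha256().digest_size:
        return False  # e.g. a 32-character MD5-style value can never match this encoder
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(stored, salt + digest(secret, salt, password))


def split_encoded(encoded: str) -> Tuple[str, str]:
    """Return (salt_hex, digest_hex) so the clear-text salt prefix can be inspected."""
    return encoded[:2 * SALT_LEN], encoded[2 * SALT_LEN:]


# Stored value copied from the page's spring-security.xml (user "giuseppe", secret "123456").
PAGE_HASH = "85ad486b448c7d2115f6b8d86de1474d0a802968ac37bf5de04077d11efc0ee01f13aa2aae5bc9ff"

if __name__ == "__main__":
    secret = "123456"
    first = encode(secret, "password")
    second = encode(secret, "password")
    print("same password, two encodes differ (random salt):", first != second)
    print("salt / digest of the first value:", split_encoded(first))
    print("matches with the right secret:  ", matches(secret, "password", first))
    print("matches with the wrong secret:  ", matches("another-secret", "password", first))
    print("matches with the wrong password:", matches(secret, "Password", first))
    # The clear text behind the page's stored hash is not given; this only shows how a
    # value lifted from the configuration would be checked offline against candidates.
    for candidate in ("password", "ciao"):
        print("page hash vs %r: %s" % (candidate, matches(secret, candidate, PAGE_HASH)))
```

Run it as a script: a freshly encoded value verifies with the right secret and fails with any other, which is exactly what the constructor argument buys you, since a stolen user table cannot be attacked offline without also obtaining the secret from the configuration. The check against a 32-character value shows why the encoder can never accept an MD5-style hash left over from an older scheme: the length test fails before any digest is computed.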
Here is a complete example:
[Figure: HelloHashing project layout]
Let's start with index.jsp:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Home Page</title>
</head>
<body>
Welcome. Go to the
<a href="jsp/menu.jsp">menu</a>
</body>
</html>
The menu.jsp page:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%@ page import="org.springframework.security.core.context.SecurityContextHolder"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Menu</title>
</head>
<body>
Welcome <b><%=SecurityContextHolder.getContext().getAuthentication().getName()%></b>,
your login was checked using a hashing algorithm to protect your password.
</body>
</html>
The web.xml configuration file:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<display-name>HelloHashing</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
Let's finish with spring-security.xml (the additions over a plain configuration are the encoder bean and the <password-encoder> element that points to it):
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/jsp/*" access="isAuthenticated()" />
<form-login />
<logout />
<remember-me />
</http>
<beans:bean id="encoder"
class="org.springframework.security.crypto.password.StandardPasswordEncoder">
<beans:constructor-arg value="123456"/>
</beans:bean>
<authentication-manager>
<authentication-provider>
<password-encoder ref="encoder" />
<user-service>
<user name="giuseppe" password="85ad486b448c7d2115f6b8d86de1474d0a802968ac37bf5de04077d11efc0ee01f13aa2aae5bc9ff" authorities="admin, user"/>
<user name="fabrizio" password="3ac2ca632995dd921d0efad1f56d52abd28d09a9c69dfd4a722f490ac136ff4543bf185aa2d09c54" authorities="autore, user"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
To produce the values to put in the password attributes, and to check them, we can run HelloHashing.java. Because the salt is drawn at random on every call, each run prints different strings: any of them is valid for the configuration, and the only correct way to check a value is matches(), never a comparison by eye:
package hello.hashing.test;

import org.springframework.security.crypto.password.StandardPasswordEncoder;

public class HelloHashing {
    public static void main(String[] args) {
        // Same secret as the constructor-arg of the "encoder" bean in spring-security.xml
        StandardPasswordEncoder encoder = new StandardPasswordEncoder("123456");
        // Each call draws a fresh 8-byte salt, so the same clear text never encodes
        // to the same string twice: these values cannot be compared by eye
        String codedPassword = encoder.encode("password");
        System.out.println("password -> " + codedPassword);
        codedPassword = encoder.encode("ciao");
        System.out.println("ciao -> " + codedPassword);
        // Verification goes through matches(), which reads the salt back from the first
        // 16 hex characters of the stored value and recomputes the digest with the secret
        System.out.println("matches(\"ciao\") -> " + encoder.matches("ciao", codedPassword));
        System.out.println("matches(\"password\") -> " + encoder.matches("password", codedPassword));
    }
}