Spring Security Note: Encrypt storage login passwords using the bcrypt algorithm

In the previous section, using a database for user authentication (form login using databases), we learned how to store "login account number, password" in the DB, but the passwords are stored in plaintext, obviously not very particular. This section will learn how to use the spring security3 newly added bcrypt algorithm to store login encryption in DB and verify it normally.

First, Bcrypt algorithm

intt =0; String Password="123456"; System. out. println (password +" -"); for(t =1; T <=Ten; t++) {Bcryptpasswordencoder Passwordencoder=NewBcryptpasswordencoder (); String Hashedpassword=passwordencoder.encode (password); System. out. println (Hashedpassword);} Password="MIKE123"; System. out. println (password +" -"); for(t =1; T <=Ten; t++) {Bcryptpasswordencoder Passwordencoder=NewBcryptpasswordencoder (); String Hashedpassword=passwordencoder.encode (password); System. out. println (Hashedpassword);}

The output is as follows:

 123456-2a10$. Cjkvbgr2jzgkag9idbt.oc/SBY7WVQLGAHWS7HCXQCI7ECZKTCLQ 2a10$ocourv0wy7nccnd4lckfmunvewozmoyyu95u5tktrmjqybsjnecek 2a10$ Txttsdzuaeeb2zx6wiwn0eqrekfocdyh81kfa6bgacz2hyqpnc0ra 2A10$FFLX/gxq. fyeobb0nbaveuslhqjassdy7w45i1acl/rcYQMmhaXV2 2A10$JDPXAXMUZ.WTP5GXYIYSEEKRSM/Htfzjjdaccdq4mdhaalmc0sji. 2a10$yvewf2mrwjcyi51rukqqle/Mzb7vwcof6gwp.hdt2zuchlyatj4po 2a10$ffjg2atit7btkfjovl6zmug//8rztoqn7fo.fxozo1ktnnfhwkuca2a10$polmkd13n7i3dtvijleqze1zeurpjtvz5rax1qoapqcqvjgg/d6d. 2a10$fq32i8jsjjmqvrpiesgt3ektktrfxn.jnl69bewex0.ygdx.sex5e 2a10$ 78brjfsdftip0xxyx4rs6ewdu4sissmiby9onclhazwg3gysrgk2m MIKE123-2a10$u6kvh1ngxaigyim4yvgn6oaqt6ayaolkh2lodv16rspks1iqfbr2c 2a10$ T0fleobleb8vwwjvozrrweirv0xyobgm29c0smqfqrk3zbuvhgybs 2A10$QPW6NHNWNHBTTJLQ/Nbzbu2unp8ijwypeux2n2emfwrefezosz5fi 2a10$ltpzoqu0iluagvp3/whwquuv2acdrh2enhaewdquin/spitzye/7q 2a10$qcx7vuudzf7qztjz.qplkoby0txq4j.uqkins1n4/6OD2R2EL0RZW 2a10$yzw7cdq1y9sjx8nzhyynsewjq4jevv76fpmbl.sg2xpvb8cyxd8sq 2a10$ KTmT6BQQE5LyRZ00Qas77.F5kxK0GxsW402ExosQswxmG.eBdgIZW 2a10$srfhdnm.m3qx5y1o7v/Cp.hqqgaxnkzfxbgrhlkaf39bufejuoieu 2a10$sw5w2ktimj5y8unle/5/9olaugyxhcxu3p3gfbdebs9pl8pcl60q2 2A10$0MN8KNAL9GNR0C4K1NR0B.MICBW0QCPHB/f20hgeburfwvgzxt6hg

From the above output, it is found that the bcrypt algorithm and the Md5/sha algorithm have a very big difference, each generated hash value is different, so the violent guess may be more difficult to solve. At the same time, you may also find that the length of the encrypted character is longer, there are 60 bits, so the length of the password field in the user table, if you intend to use bcrypt encrypted storage, the field length must not be less than 60.

Second, Spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"Xmlns:beans="Http://www.springframework.org/schema/beans"Xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemalocation="Http://www.springframework.org/schema/beanshttp//www.springframework.org/schema/beans/spring-beans-3.0.xsdhttp//www.springframework.org/schema/securityhttp//www.springframework.org/schema/security/spring-security-3.2.xsd ">"true"use-expressions="true"> <intercept-url pattern="/admin**"access="hasrole (' ADMIN ')"/> <!--Access Denied page--<access-denied-handler error-page="/403"/> <form-login login-page="/login" default-target-url="/welcome"Authentication-failure-url="/login?error"Username-parameter="username"Password-parameter="Password"/> <logout logout-success-url="/login?logout"/> <!--enable csrf protection-<csrf/>  fromDatabase-<authentication-manager> <authentication-provider> <password-encoderref="Encoder"/> <jdbc-user-service data-source-ref="DataSource"Users-by-username-query="Select D_username username,d_password password, d_enabled enabled from T_users where d_username=?"authorities-by-username-query="Select D_username Username, d_role role from T_user_roles where d_username=? "/> </authentication-provider> </authentication-manager> <beans:bean id="Encoder"        class="Org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"> <beans:constructor-arg name="Strength"Value="9"/> </beans:bean></beans:beans>

Compare the previous section, just add 23 lines, 30-33 lines

The last thing to do is to change the value of the password in the plaintext of the DB to the Bcrypt encrypted string.

Tips: If you still prefer to use the traditional SHA algorithm to handle passwords, just change the 23 lines to <password-encoder hash= "Sha"/>.

Spring Security Note: Encrypt storage login passwords using the bcrypt algorithm