Saturday 15 May 2010

java - Guide to implementing Spring Security password recovery with dynamic URL sent to email


I find it hard to recover passwords, because I have never done such a thing before.

So far I have a web app:

Spring Security, where passwords are properly hashed and user roles are fully implemented and work correctly.

The strategy I found by searching Stack Overflow:

  1. A user hits the forgotten password button, where he enters his email address.
  2. A dynamic link is sent to the email address.
  3. The user opens the link in the email,
  4. which redirects him to the password reset page.

What is unknown:

  • How to generate the dynamic link - some questions here touch on link generation methods, but they often involve custom handlers or Spring Security functionality
  • The request mapping method to respond to such a dynamic link
  • Methods of storing the temporary links - databases, sessions, etc.?

As you can see, this list is far too big for any single question, so I was hoping you could point me to guide resources on how to do this step by step. I was surprised that I could not find much on this in the Spring Security documentation. Thank you.

I am a student, so I am not really aware of industry best practices, particularly in a Java context, so I really hope someone can help.

The problem does not really have much to do with Spring Security; provided you have configured the user database structure and the password encoder and know how to use them, it is really just implementing a data access, web controller and email sender workflow. The link should contain a random token string (for example, using SecureRandom and a Base64 encoder), and it must be stored in a database with the user ID and a timestamp (to validate the window for which the link is valid). The controller will simply pull the token from the incoming request, load the data from the database using the token, check the timestamp, and then send the user to the password entry form. Depending on the requirements, you may also want them to answer some other security questions. Then you want to validate the password, encode it and store it in the account matching the user ID stored in the reset link table. It would also be wise to have a batch job remove expired links from the database.

The Grails Spring Security UI plugin already has an option that you can use directly or use as a reference.
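The token workflow described in the answer, as an added example that is not part of the original post or of Spring Security: plain Java 17 with an in-memory map standing in for the reset-link table, tokens from SecureRandom encoded URL-safe, stored only as a SHA-256 hash (so a leaked table yields no usable links), checked against their expiry and consumed on first use.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Issue, validate and consume password-reset tokens. The map stands in for the DB table. */
public class PasswordResetTokens {
    /** One row of the reset-link table: which user it belongs to and when it expires. */
    record Row(long userId, Instant expiresAt) {}

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Duration VALIDITY = Duration.ofMinutes(30);
    private final Map<String, Row> table = new ConcurrentHashMap<>(); // key = hash(token)

    /** Creates a token for the user and returns the raw token to embed in the emailed link. */
    public String issue(long userId) {
        byte[] bytes = new byte[32];                                  // 256 bits of entropy
        RANDOM.nextBytes(bytes);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes); // URL-safe
        table.put(hash(token), new Row(userId, Instant.now().plus(VALIDITY)));
        return token;
    }

    /** Called by the controller for /reset?token=...; returns the user id only if the link is valid. */
    public Optional<Long> consume(String token) {
        Row row = table.remove(hash(token));                          // single use: gone after first lookup
        if (row == null || Instant.now().isAfter(row.expiresAt())) {
            return Optional.empty();                                  // unknown, already used, or expired
        }
        return Optional.of(row.userId());
    }

    /** Batch job: drop expired rows so the table does not grow without bound. Returns rows removed. */
    public int purgeExpired() {
        Instant now = Instant.now();
        int before = table.size();
        table.values().removeIf(r -> now.isAfter(r.expiresAt()));
        return before - table.size();
    }

    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);                       // SHA-256 is always available
        }
    }
}
```

In the controller, `consume(tokenParam)` returning an empty Optional means the request gets a generic "link invalid or expired" page; a present value is the user whose password form may be shown.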
