Sunday 15 July 2012

Spring Security 3.1.4 and ShaPasswordEncoder deprecation


Today I'm upgrading the application from Spring Security 3.1.3 to 3.1.4, and I see a deprecation warning on the org.springframework.security.authentication.encoding.ShaPasswordEncoder class.

So I started implementing the new org.springframework.security.crypto.password.StandardPasswordEncoder.

I've done this work and I am able to register new users, who can then use the application, but, as I feared, I'm not able to log in with the passwords that were generated with ShaPasswordEncoder and our custom salt.

Since I have a database with many users already registered, what should I do to move the old encoded passwords over to the new implementation without invalidating them? Is this possible?


If you want to move to a more secure password encoding scheme, I would recommend migrating your users this way:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.jdbc.core.JdbcTemplate;
    import org.springframework.security.authentication.encoding.PasswordEncoder;
    import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

    // Implements the old (3.1.x authentication.encoding) PasswordEncoder interface,
    // so it can be plugged into the existing DaoAuthenticationProvider configuration.
    public class MigrateUsersPasswordEncoder implements PasswordEncoder {

        @Autowired
        ShaPasswordEncoder legacyEncoder;   // the encoder the existing hashes were made with

        @Autowired
        JdbcTemplate template;

        BCryptPasswordEncoder bcryptEncoder = new BCryptPasswordEncoder();

        // New passwords (registration, password change) are always BCrypt-encoded;
        // the salt argument is ignored because BCrypt generates its own.
        @Override
        public String encodePassword(String rawPass, Object salt) {
            return bcryptEncoder.encode(rawPass);
        }

        // If the stored value still verifies under the legacy SHA scheme, the user
        // has just proved the raw password, so re-encode it with BCrypt and store
        // that instead. Otherwise the row has already been migrated: check with BCrypt.
        @Override
        public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
            if (legacyEncoder.isPasswordValid(encPass, rawPass, salt)) {
                template.update("update users set password = ? where password = ?",
                        bcryptEncoder.encode(rawPass), encPass);
                return true;
            }
            return bcryptEncoder.matches(rawPass, encPass);
        }
    }

You can track the proportion of users that have been migrated from the format of the password field: a BCrypt hash has a specific syntax that begins with a $ sign.

One of the other answers points out that this code could accidentally update more than one password at the same time. The question said a custom salt was being used, so if the salt was chosen randomly the probability of a collision is negligible, but that may not always be the case. If two passwords were updated, what would be the problem? It would then be possible to tell from the BCrypt hashes that the two accounts have the same password. In any case this is already true, because the update only happens when the SHA hashes are identical. If you think this may be a problem (for example, because of a poor choice of salt or unsalted hashes), then it is trivial to modify the SQL so that a different update, with its own BCrypt hash value, is made for each user.
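The migrate-on-login logic from the answer above, written out as an added example (this is not the answer's code or Spring Security's). It is in plain Python so it runs without a Spring application: the legacy side reproduces ShaPasswordEncoder's hex-digest-of-password{salt} format, and the new scheme is PBKDF2-HMAC-SHA256 from hashlib standing in for BCryptPasswordEncoder, since the point is the migration flow rather than the bcrypt primitive. Unlike the posted Java, the update is keyed on the username rather than on the old hash, which is the change suggested in the last paragraph. The `users` table, the `UserStore` class, the `$pbkdf2-sha256$` string format and the sample rows are all constructed for this example.

```python
"""Lazy password-hash migration on login (added example, not the original answer's code)."""
import hashlib
import hmac
import os

LEGACY_ALGO = "sha256"        # ShaPasswordEncoder(256); the no-arg constructor means SHA-1
NEW_PREFIX = "$pbkdf2-sha256$"  # hypothetical tag; stands in for BCrypt's "$2a$" prefix
PBKDF2_ITERS = 100_000


def legacy_encode(raw, salt, algo=LEGACY_ALGO):
    """ShaPasswordEncoder format: hex(digest(password + "{" + salt + "}"));
    an empty or null salt means the bare password is digested."""
    merged = raw if not salt else f"{raw}{{{salt}}}"
    return hashlib.new(algo, merged.encode("utf-8")).hexdigest()


def legacy_matches(enc, raw, salt):
    return hmac.compare_digest(legacy_encode(raw, salt), enc)


def new_encode(raw, salt=None):
    """Stand-in for BCryptPasswordEncoder.encode(): fresh random salt per hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode("utf-8"), salt, PBKDF2_ITERS)
    return f"{NEW_PREFIX}{PBKDF2_ITERS}${salt.hex()}${dk.hex()}"


def new_matches(raw, enc):
    """Stand-in for BCryptPasswordEncoder.matches(): salt and cost come from the hash."""
    if not enc.startswith(NEW_PREFIX):
        return False
    iters, salt_hex, dk_hex = enc[len(NEW_PREFIX):].split("$")
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def is_migrated(enc):
    """The answer's progress check: new-format hashes start with a '$', legacy hex never does."""
    return enc.startswith("$")


class UserStore:
    """Constructed in-memory stand-in for the users table: username -> (password_hash, salt)."""

    def __init__(self, rows):
        self.rows = dict(rows)

    def update_password(self, username, new_hash):
        # Keyed on the username, so exactly one row changes even if two users
        # happen to share a legacy hash (same password and same salt).
        _, salt = self.rows[username]
        self.rows[username] = (new_hash, salt)


def authenticate(store, username, raw):
    """Return True on success. A legacy hash that verifies is rewritten with the
    new scheme as a side effect; already-migrated rows are checked directly."""
    row = store.rows.get(username)
    if row is None:
        return False
    enc, salt = row
    if is_migrated(enc):
        return new_matches(raw, enc)
    if legacy_matches(enc, raw, salt):
        store.update_password(username, new_encode(raw))
        return True
    return False


def migration_progress(store):
    """(migrated, total) as the answer suggests measuring it: count rows whose hash starts with '$'."""
    done = sum(1 for enc, _ in store.rows.values() if is_migrated(enc))
    return done, len(store.rows)


def sample_store():
    # Constructed rows. alice and bob deliberately share password and salt, so
    # their legacy hashes are identical: a hash-keyed UPDATE would touch both.
    return UserStore({
        "alice": (legacy_encode("hunter2", "s1"), "s1"),
        "bob":   (legacy_encode("hunter2", "s1"), "s1"),
        "carol": (legacy_encode("correct horse", ""), ""),   # unsalted legacy row
    })


if __name__ == "__main__":
    store = sample_store()
    print(authenticate(store, "alice", "hunter2"), migration_progress(store))
```

Running it as a script logs alice in once and reports one of three rows migrated; bob's row is untouched until bob logs in, at which point the two users end up with different new-format hashes because each gets its own salt.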
