SPRING IN ACTION 第4版笔记-第九章Securing web applications-004-对密码加密passwordEncoder

一、

1.Focusing on the authentication query, you can see that user passwords are expected to be stored in the database. The only problem with that is that if the passwords are stored in plain text, they’re subject to the prying eyes of a hacker. But if you encode the password in the database, then authentication will fail because it won’t match the plain text password submitted by the user.

@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
    auth
        .jdbcAuthentication()
        .dataSource(dataSource)
        .usersByUsernameQuery(
            "select username, password, true " +
            "from Spitter where username=?")
        .authoritiesByUsernameQuery(
            "select username, 'ROLE_USER' from Spitter where username=?")
        .passwordEncoder(new StandardPasswordEncoder("53cr3t"));
}

passwordEncoder方法接收PasswordEncoder接口的实现为参数，Spring提供了有3种实现：BCryptPasswordEncoder , NoOpPasswordEncoder , andStandardPasswordEncoder

接口代码如下：

 

public interface PasswordEncoder {
    String encode(CharSequence rawPassword);
    boolean matches(CharSequence rawPassword, String encodedPassword);
}

 

it’s important to understand that the password in the database is never decoded. Instead, the password that the user enters at login is encoded using the same algorithm and is then compared with the encoded password in the database. That comparison is performed in the PasswordEncoder ’s matches() method.