Add hash code support.
This commit is contained in:
parent
8e7c540b16
commit
8c3cc5c67b
core/src/main
java/org/springframework/security/config
resources/org/springframework/security/config
samples/tutorial/src/main/webapp/WEB-INF
@ -6,6 +6,11 @@ import org.springframework.beans.factory.support.RootBeanDefinition;
|
||||
import org.springframework.beans.factory.xml.BeanDefinitionParser;
|
||||
import org.springframework.beans.factory.xml.ParserContext;
|
||||
import org.springframework.security.providers.dao.DaoAuthenticationProvider;
|
||||
import org.springframework.security.providers.encoding.Md4PasswordEncoder;
|
||||
import org.springframework.security.providers.encoding.Md5PasswordEncoder;
|
||||
import org.springframework.security.providers.encoding.PasswordEncoder;
|
||||
import org.springframework.security.providers.encoding.PlaintextPasswordEncoder;
|
||||
import org.springframework.security.providers.encoding.ShaPasswordEncoder;
|
||||
import org.springframework.security.userdetails.jdbc.JdbcUserDetailsManager;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.util.xml.DomUtils;
|
||||
@ -21,10 +26,20 @@ import org.w3c.dom.Element;
|
||||
*/
|
||||
class RepositoryBeanDefinitionParser implements BeanDefinitionParser {
|
||||
|
||||
static final String ATT_CREATE_PROVIDER = "createProvider";
|
||||
static final String ATT_DATA_SOURCE = "dataSource";
|
||||
static final String ATT_ID = "id";
|
||||
|
||||
static final String ATT_CREATE_PROVIDER = "createProvider";
|
||||
static final String DEF_CREATE_PROVIDER = "true";
|
||||
|
||||
static final String ATT_HASH = "hash";
|
||||
static final String DEF_HASH_PLAINTEXT = "plaintext";
|
||||
static final String OPT_HASH_SHA_HEX = "sha:hex";
|
||||
static final String OPT_HASH_SHA_BASE64 = "sha:base64";
|
||||
static final String OPT_HASH_MD4_HEX = "md4:hex";
|
||||
static final String OPT_HASH_MD4_BASE64 = "md4:base64";
|
||||
static final String OPT_HASH_MD5_HEX = "md5:hex";
|
||||
static final String OPT_HASH_MD5_BASE64 = "md5:base64";
|
||||
|
||||
public BeanDefinition parse(Element element, ParserContext parserContext) {
|
||||
boolean createProvider = true;
|
||||
@ -43,7 +58,7 @@ class RepositoryBeanDefinitionParser implements BeanDefinitionParser {
|
||||
|
||||
if (userServiceElt != null) {
|
||||
BeanDefinition userDetailsService = new UserServiceBeanDefinitionParser().parse(userServiceElt, parserContext);
|
||||
createDaoAuthenticationProviderIfRequired(createProvider, userDetailsService, parserContext);
|
||||
createDaoAuthenticationProviderIfRequired(createProvider, userServiceElt.getAttribute(ATT_HASH), userDetailsService, parserContext);
|
||||
}
|
||||
|
||||
if (jdbcUserServiceElt != null) {
|
||||
@ -54,22 +69,50 @@ class RepositoryBeanDefinitionParser implements BeanDefinitionParser {
|
||||
// An explicit dataSource was specified, so use it
|
||||
builder.addPropertyReference("dataSource", dataSource);
|
||||
parserContext.getRegistry().registerBeanDefinition(BeanIds.JDBC_USER_DETAILS_MANAGER, builder.getBeanDefinition());
|
||||
createDaoAuthenticationProviderIfRequired(createProvider, builder.getBeanDefinition(), parserContext);
|
||||
createDaoAuthenticationProviderIfRequired(createProvider, jdbcUserServiceElt.getAttribute(ATT_HASH), builder.getBeanDefinition(), parserContext);
|
||||
}
|
||||
|
||||
if (customUserServiceElt != null) {
|
||||
String id = customUserServiceElt.getAttribute(ATT_ID);
|
||||
BeanDefinition userDetailsService = parserContext.getRegistry().getBeanDefinition(id);
|
||||
createDaoAuthenticationProviderIfRequired(createProvider, userDetailsService, parserContext);
|
||||
createDaoAuthenticationProviderIfRequired(createProvider, customUserServiceElt.getAttribute(ATT_HASH), userDetailsService, parserContext);
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
private void createDaoAuthenticationProviderIfRequired(boolean createProvider, BeanDefinition userDetailsService, ParserContext parserContext) {
|
||||
private void createDaoAuthenticationProviderIfRequired(boolean createProvider, String hash, BeanDefinition userDetailsService, ParserContext parserContext) {
|
||||
if (createProvider) {
|
||||
if (!StringUtils.hasText(hash)) {
|
||||
hash = DEF_HASH_PLAINTEXT;
|
||||
}
|
||||
RootBeanDefinition authProvider = new RootBeanDefinition(DaoAuthenticationProvider.class);
|
||||
authProvider.getPropertyValues().addPropertyValue("userDetailsService", userDetailsService);
|
||||
|
||||
PasswordEncoder pwdEnc = null;
|
||||
if (OPT_HASH_MD4_HEX.equals(hash)) {
|
||||
pwdEnc = new Md4PasswordEncoder();
|
||||
((Md4PasswordEncoder)pwdEnc).setEncodeHashAsBase64(false);
|
||||
} else if (OPT_HASH_MD4_BASE64.equals(hash)) {
|
||||
pwdEnc = new Md4PasswordEncoder();
|
||||
((Md4PasswordEncoder)pwdEnc).setEncodeHashAsBase64(true);
|
||||
} else if (OPT_HASH_MD5_HEX.equals(hash)) {
|
||||
pwdEnc = new Md5PasswordEncoder();
|
||||
((Md5PasswordEncoder)pwdEnc).setEncodeHashAsBase64(false);
|
||||
} else if (OPT_HASH_MD5_BASE64.equals(hash)) {
|
||||
pwdEnc = new Md5PasswordEncoder();
|
||||
((Md5PasswordEncoder)pwdEnc).setEncodeHashAsBase64(true);
|
||||
} else if (OPT_HASH_SHA_HEX.equals(hash)) {
|
||||
pwdEnc = new ShaPasswordEncoder();
|
||||
((ShaPasswordEncoder)pwdEnc).setEncodeHashAsBase64(false);
|
||||
} else if (OPT_HASH_SHA_BASE64.equals(hash)) {
|
||||
pwdEnc = new ShaPasswordEncoder();
|
||||
((ShaPasswordEncoder)pwdEnc).setEncodeHashAsBase64(true);
|
||||
} else {
|
||||
pwdEnc = new PlaintextPasswordEncoder();
|
||||
}
|
||||
authProvider.getPropertyValues().addPropertyValue("passwordEncoder", pwdEnc);
|
||||
|
||||
ConfigUtils.getRegisteredProviders(parserContext).add(authProvider);
|
||||
}
|
||||
}
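Review bot: The trailing `else` in createDaoAuthenticationProviderIfRequired installs a PlaintextPasswordEncoder for any hash value it does not recognise, so a misspelt option that is not caught by schema validation would silently make the provider compare passwords in the clear instead of failing configuration; make `plaintext` an explicit branch and report anything else through the reader context so the parser fails closed. Nothing in this hunk sets a saltSource on the DaoAuthenticationProvider, so as far as this change shows the md5 and sha options are single unsalted digests, which deserves a comment next to ATT_HASH such as `// md5/sha options are unsalted single digests of the password; no salt source is wired up here`. The repeated `((Md5PasswordEncoder)pwdEnc).setEncodeHashAsBase64(...)` casts can be avoided by constructing each encoder in a typed local and assigning it to pwdEnc afterwards.
```java
            } else if (DEF_HASH_PLAINTEXT.equals(hash)) {
                pwdEnc = new PlaintextPasswordEncoder();
            } else {
                // Fail closed: never fall back to plaintext comparison for an unknown option.
                parserContext.getReaderContext().error("Unsupported hash option '" + hash + "'", null);
                return;
            }
            authProvider.getPropertyValues().addPropertyValue("passwordEncoder", pwdEnc);
            // … unchanged: provider registration …
```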
|
||||
|
@ -10,6 +10,10 @@ start = http | ldap | repository
|
||||
|
||||
# targetNamespace="http://www.springframework.org/schema/security"
|
||||
|
||||
hash =
|
||||
## Defines the type of hashing used on user passwords. If unspecified, "plaintext" is nominated, which indicates that the passwords are not hashed. We recommend strongly against using MD4, as it is a very weak hashing algorithm.
|
||||
attribute hash {"plaintext" | "sha:hex" | "sha:base64" | "md5:hex" | "md5:base64" | "md4:hex" | "md4:base64"}
|
||||
|
||||
pathType =
|
||||
## Defines the type of pattern used to specify URL paths (either JDK 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if unspecified.
|
||||
attribute pathType {"ant" | "regex"}
|
||||
@ -174,27 +178,38 @@ repository.attlist &=
|
||||
|
||||
user-service =
|
||||
element user-service {user-service.attlist, (user*)}
|
||||
user-service.attlist &=
|
||||
hash?
|
||||
user-service.attlist &=
|
||||
attribute properties {xsd:string}*
|
||||
|
||||
user =
|
||||
## Represents a user in the application.
|
||||
element user {user.attlist, empty}
|
||||
user.attlist &=
|
||||
## The username assigned to the user.
|
||||
attribute name {xsd:string}
|
||||
user.attlist &=
|
||||
## The password assigned to the user. This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element).
|
||||
attribute password {xsd:string}
|
||||
user.attlist &=
|
||||
## One of more authorities granted to the user. Separate authorities with a comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR"
|
||||
attribute authorities {xsd:string}
|
||||
|
||||
jdbc-user-service =
|
||||
## Causes creation of a JDBC-based UserDetailsService.
|
||||
element jdbc-user-service {jdbc-user-service.attlist}
|
||||
jdbc-user-service.attlist &=
|
||||
hash?
|
||||
jdbc-user-service.attlist &=
|
||||
## The bean ID of the DataSource which provides the required tables.
|
||||
attribute dataSource {xsd:string}
|
||||
|
||||
custom-user-service =
|
||||
## Represents a UserDetailsService implementation that has been provided by you. Registration here will automate the creation of a DaoAuthenticationProvider that delegates to your UserDetailsService implementation.
|
||||
element custom-user-service {custom-user-service.attlist}
|
||||
custom-user-service.attlist &=
|
||||
hash?
|
||||
custom-user-service.attlist &=
|
||||
## The bean ID of your custom UserDetailsService implementation.
|
||||
attribute id {xsd:string}
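Review bot: The annotation on the new `hash` attribute warns only against MD4, yet the default it describes, `plaintext`, leaves credentials unhashed and is the more dangerous choice to leave implicit; the doc line should say so, e.g. `## Defines the type of hashing used on user passwords. If unspecified, "plaintext" is assumed, meaning passwords are stored and compared in the clear and is only suitable for development. The md5 and sha options apply a single digest to the password (nothing in this configuration adds a salt); MD4 is strongly discouraged as it is a very weak algorithm.` The option name `sha` does not tell a reader which SHA variant the encoder applies, so the annotation should name it. Separately, the `authorities` annotation reads "One of more authorities" and should be "One or more authorities".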
|
||||
|
@ -1,6 +1,24 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://www.springframework.org/schema/security" xmlns:security="http://www.springframework.org/schema/security">
|
||||
<!-- targetNamespace="http://www.springframework.org/schema/security" -->
|
||||
<xs:attributeGroup name="hash">
|
||||
<xs:attribute name="hash" use="required">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Defines the type of hashing used on user passwords. If unspecified, "plaintext" is nominated, which indicates that the passwords are not hashed. We recommend strongly against using MD4, as it is a very weak hashing algorithm.</xs:documentation>
|
||||
</xs:annotation>
|
||||
<xs:simpleType>
|
||||
<xs:restriction base="xs:token">
|
||||
<xs:enumeration value="plaintext"/>
|
||||
<xs:enumeration value="sha:hex"/>
|
||||
<xs:enumeration value="sha:base64"/>
|
||||
<xs:enumeration value="md5:hex"/>
|
||||
<xs:enumeration value="md5:base64"/>
|
||||
<xs:enumeration value="md4:hex"/>
|
||||
<xs:enumeration value="md4:base64"/>
|
||||
</xs:restriction>
|
||||
</xs:simpleType>
|
||||
</xs:attribute>
|
||||
</xs:attributeGroup>
|
||||
<xs:attributeGroup name="pathType">
|
||||
<xs:attribute name="pathType" use="required">
|
||||
<xs:annotation>
|
||||
@ -378,17 +396,48 @@
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
<xs:attributeGroup name="user-service.attlist">
|
||||
<xs:attribute name="hash">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Defines the type of hashing used on user passwords. If unspecified, "plaintext" is nominated, which indicates that the passwords are not hashed. We recommend strongly against using MD4, as it is a very weak hashing algorithm.</xs:documentation>
|
||||
</xs:annotation>
|
||||
<xs:simpleType>
|
||||
<xs:restriction base="xs:token">
|
||||
<xs:enumeration value="plaintext"/>
|
||||
<xs:enumeration value="sha:hex"/>
|
||||
<xs:enumeration value="sha:base64"/>
|
||||
<xs:enumeration value="md5:hex"/>
|
||||
<xs:enumeration value="md5:base64"/>
|
||||
<xs:enumeration value="md4:hex"/>
|
||||
<xs:enumeration value="md4:base64"/>
|
||||
</xs:restriction>
|
||||
</xs:simpleType>
|
||||
</xs:attribute>
|
||||
<xs:attribute name="properties" type="xs:string"/>
|
||||
</xs:attributeGroup>
|
||||
<xs:element name="user">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Represents a user in the application.</xs:documentation>
|
||||
</xs:annotation>
|
||||
<xs:complexType>
|
||||
<xs:attributeGroup ref="security:user.attlist"/>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
<xs:attributeGroup name="user.attlist">
|
||||
<xs:attribute name="name" use="required" type="xs:string"/>
|
||||
<xs:attribute name="password" use="required" type="xs:string"/>
|
||||
<xs:attribute name="authorities" use="required" type="xs:string"/>
|
||||
<xs:attribute name="name" use="required" type="xs:string">
|
||||
<xs:annotation>
|
||||
<xs:documentation>The username assigned to the user.</xs:documentation>
|
||||
</xs:annotation>
|
||||
</xs:attribute>
|
||||
<xs:attribute name="password" use="required" type="xs:string">
|
||||
<xs:annotation>
|
||||
<xs:documentation>The password assigned to the user. This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element).</xs:documentation>
|
||||
</xs:annotation>
|
||||
</xs:attribute>
|
||||
<xs:attribute name="authorities" use="required" type="xs:string">
|
||||
<xs:annotation>
|
||||
<xs:documentation>One of more authorities granted to the user. Separate authorities with a comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR" </xs:documentation>
|
||||
</xs:annotation>
|
||||
</xs:attribute>
|
||||
</xs:attributeGroup>
|
||||
<xs:element name="jdbc-user-service">
|
||||
<xs:annotation>
|
||||
@ -399,6 +448,22 @@
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
<xs:attributeGroup name="jdbc-user-service.attlist">
|
||||
<xs:attribute name="hash">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Defines the type of hashing used on user passwords. If unspecified, "plaintext" is nominated, which indicates that the passwords are not hashed. We recommend strongly against using MD4, as it is a very weak hashing algorithm.</xs:documentation>
|
||||
</xs:annotation>
|
||||
<xs:simpleType>
|
||||
<xs:restriction base="xs:token">
|
||||
<xs:enumeration value="plaintext"/>
|
||||
<xs:enumeration value="sha:hex"/>
|
||||
<xs:enumeration value="sha:base64"/>
|
||||
<xs:enumeration value="md5:hex"/>
|
||||
<xs:enumeration value="md5:base64"/>
|
||||
<xs:enumeration value="md4:hex"/>
|
||||
<xs:enumeration value="md4:base64"/>
|
||||
</xs:restriction>
|
||||
</xs:simpleType>
|
||||
</xs:attribute>
|
||||
<xs:attribute name="dataSource" use="required" type="xs:string">
|
||||
<xs:annotation>
|
||||
<xs:documentation>The bean ID of the DataSource which provides the required tables.</xs:documentation>
|
||||
@ -406,11 +471,30 @@
|
||||
</xs:attribute>
|
||||
</xs:attributeGroup>
|
||||
<xs:element name="custom-user-service">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Represents a UserDetailsService implementation that has been provided by you. Registration here will automate the creation of a DaoAuthenticationProvider that delegates to your UserDetailsService implementation.</xs:documentation>
|
||||
</xs:annotation>
|
||||
<xs:complexType>
|
||||
<xs:attributeGroup ref="security:custom-user-service.attlist"/>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
<xs:attributeGroup name="custom-user-service.attlist">
|
||||
<xs:attribute name="hash">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Defines the type of hashing used on user passwords. If unspecified, "plaintext" is nominated, which indicates that the passwords are not hashed. We recommend strongly against using MD4, as it is a very weak hashing algorithm.</xs:documentation>
|
||||
</xs:annotation>
|
||||
<xs:simpleType>
|
||||
<xs:restriction base="xs:token">
|
||||
<xs:enumeration value="plaintext"/>
|
||||
<xs:enumeration value="sha:hex"/>
|
||||
<xs:enumeration value="sha:base64"/>
|
||||
<xs:enumeration value="md5:hex"/>
|
||||
<xs:enumeration value="md5:base64"/>
|
||||
<xs:enumeration value="md4:hex"/>
|
||||
<xs:enumeration value="md4:base64"/>
|
||||
</xs:restriction>
|
||||
</xs:simpleType>
|
||||
</xs:attribute>
|
||||
<xs:attribute name="id" use="required" type="xs:string">
|
||||
<xs:annotation>
|
||||
<xs:documentation>The bean ID of your custom UserDetailsService implementation.</xs:documentation>
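Review bot: The standalone `hash` attributeGroup near the top of the file declares the attribute with `use="required"`, while every attlist that actually carries it (user-service, jdbc-user-service, custom-user-service) declares it optional and the documentation says it defaults to plaintext; the required group looks unreferenced and contradicts the intended contract, so it should either be dropped or made optional. The same "One of more authorities" typo from the schema source appears in the user.attlist annotation. If this XSD is generated from the .rnc (it mirrors it line for line), both fixes belong in the .rnc with the XSD regenerated rather than hand-edited.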
|
||||
|
@ -12,33 +12,30 @@
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
|
||||
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
|
||||
|
||||
<http>
|
||||
<http autoConfig="true">
|
||||
<intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
|
||||
<intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
|
||||
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
|
||||
|
||||
<!-- All of this is unnecessary if autoConfig="true"-->
|
||||
<!-- All of this is unnecessary if autoConfig="true"
|
||||
<form-login />
|
||||
<anonymous />
|
||||
<http-basic />
|
||||
<logout />
|
||||
<remember-me />
|
||||
-->
|
||||
|
||||
<concurrent-session-control maxSessions="1" exceptionIfMaximumExceeded="true"/>
|
||||
|
||||
</http>
|
||||
|
||||
<!--
|
||||
<beans:bean name="tokenRepo" class="org.springframework.security.ui.rememberme.InMemoryTokenRepositoryImpl"/>
|
||||
-->
|
||||
|
||||
<repository>
|
||||
<user-service>
|
||||
<user name="bob" password="bobspassword" authorities="ROLE_SUPERVISOR" />
|
||||
<user name="bill" password="billspassword" authorities="ROLE_A,ROLE_B" />
|
||||
<user-service hash="md5:hex">
|
||||
<user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR,ROLE_USER" /> <!-- koala -->
|
||||
<user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER" /> <!-- emu -->
|
||||
<user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" /> <!-- wombat -->
|
||||
<user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" /> <!-- opal -->
|
||||
</user-service>
|
||||
</repository>
|
||||
|
||||
|
||||
|
||||
</beans:beans>
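Review bot: The user-service block now publishes unsalted MD5 digests of short dictionary words with the cleartext written in an adjacent comment, and because this tutorial file is what readers copy into their own projects it should carry a warning rather than present the pattern as normal, e.g. `<!-- Demo only: unsalted md5 of trivial passwords. Use a stronger, salted scheme for real deployments. -->` above the user-service element. Nothing in this commit configures a salt for the provider, so switching the attribute from plaintext to `md5:hex` does not by itself make these credentials safe to reuse.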
|