Java 向CustomUsersCredentials添加新密码,好主意还是坏主意?
我想创建一个RESTAPI端点,以允许用户更改/更新其凭据 我有一个自定义用户详细信息:Java 向CustomUsersCredentials添加新密码,好主意还是坏主意?,java,spring,Java,Spring,我想创建一个RESTAPI端点,以允许用户更改/更新其凭据 我有一个自定义用户详细信息: @Entity @Table(name="ACCOUNT_USER") public class CustomUserDetails implements UserDetails { private static final long serialVersionUID = 1L; @Id @NotBlank @Column(name = "USERNAME", uniqu
@Entity
@Table(name="ACCOUNT_USER")
public class CustomUserDetails implements UserDetails {
private static final long serialVersionUID = 1L;
@Id
@NotBlank
@Column(name = "USERNAME", unique=true)
private String username;
@NotBlank
@Column(name = "PASSWORD")
private String password;
@Column(name = "LOCKED")
private boolean locked;
@ManyToMany(cascade=CascadeType.ALL, fetch=FetchType.EAGER)
@JoinTable(name = "USER_ROLE",
joinColumns = @JoinColumn(name = "USER_ID"),
inverseJoinColumns = @JoinColumn(name = "ROLE_ID"))
private Set<CustomRole> roles;
public CustomUserDetails(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities) {
this.setUsername(username);
this.setPassword(password);
this.roles = new HashSet<CustomRole>();
for (GrantedAuthority authority: authorities) {
roles.add(new CustomRole(authority.getAuthority()));
}
}
public CustomUserDetails() { // jpa only
}
//setters and getters
}
如您所见,CustomUserDetails有nopnewPassword
字段
将此字段添加到此对象有意义吗?还有什么其他选择?在这种情况下,最佳做法是什么 首先,在
CustomUserDetails
类中添加newPassword
字段没有意义
第二,只更新不同端点中的密码更好、更常见(例如,/change\u password
,/update\u password
等端点,通过POST
方法)。但是您可以使用PUT
方法/signup
端点来更新CustomUserDetails
字段,但在这种情况下忽略password
字段。最好不要直截了当
第三,最佳做法
oldPassword
,另一个是newPassword
oldPassword
与数据库中的现有散列密码匹配,则使用散列newPassword
我没有关于spring安全性的答案,但是出于安全原因,应该避免将密码存储在字符串中。最好使用char数组,或者根本不在任何对象中使用它。
@SuppressWarnings("rawtypes")
@RequestMapping(value = "/singup", method = RequestMethod.PUT)
public ResponseEntity updateCredentials(@RequestBody CustomUserDetails user, HttpServletResponse response) throws IOException {
logger.debug("Attempting credentials update " + user.getUsername());
try {
authenticateUserAndSetSession(user, response);
} catch(BadCredentialsException ex) {
return SecurityUtils.createCustomResponseEntity(CustomStatusCode.BAD_CREDENTIALS);
}
customUserDetailsService.update(user, newPassword); // where to add this newPassword ?
return SecurityUtils.createCustomResponseEntity(CustomStatusCode.OK);
}