Gateway + Spring Security is used. The project originally planned to use the gateway for unified authentication; the integration steps are here: click here
. At that time I did not go deep into Security. Today I happened to look at the code again and found that the password used for verification is encrypted, but the password submitted in the login form is not encrypted. Look at the code:
The login interface that verifies whether the account and password are correct:
Calling the login interface from Postman:
The findByUsername method is what the login interface's password verification relies on; we implement it to read the account and password from the database. The database stores plaintext passwords, and the returned value is encrypted when the code wraps it, so how does the framework verify internally that the passwords match?
Set a breakpoint in IDEA to see who calls the findByUsername method:
This reveals the caller. Continuing execution, it turns out that the method is used for comparing passwords.
It turns out that the prefix of the encrypted database password indicates the encryption type. The encryption types it supports (screenshot not reproduced):
At this point the encryption method is known; continue to the next step.
It turns out that the account password entered at the login interface is encrypted first, and the result is then compared with the password in the database table to see whether they are consistent. The encryption logic is quite complicated; its purpose is to encrypt the password.
With a wrong password, the generated ciphertext does not match:
Calling the login interface with the correct password, the generated ciphertext matches:
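As an added example (not the post's own code), the same comparison done directly with Spring Security's default DelegatingPasswordEncoder, assuming spring-security-crypto is on the classpath and using a constructed sample password: it shows what findByUsername must hand back (a hash carrying its "{id}" prefix), how matches() re-encrypts the plaintext form password and compares it with the stored hash, and that a stored value without a prefix cannot be verified at all.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordMatchDemo {

    // Spring Security's default encoder: encodes new passwords with bcrypt and
    // picks the encoder for matching from the "{id}" prefix of the stored hash.
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** Builds the value a user row should hold, e.g. "{bcrypt}$2a$10$...". */
    public static String storedPasswordFor(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /**
     * The comparison the framework runs after findByUsername returns:
     * the plaintext form password is hashed with the salt embedded in the
     * stored hash and the two hashes are compared; the plaintext itself is
     * never written anywhere.
     */
    public static boolean passwordMatches(String submitted, String stored) {
        return ENCODER.matches(submitted, stored);
    }

    public static void main(String[] args) {
        String stored = storedPasswordFor("123456"); // constructed sample password

        System.out.println("stored value : " + stored);
        System.out.println("correct login: " + passwordMatches("123456", stored));
        System.out.println("wrong login  : " + passwordMatches("654321", stored));

        // A row that holds the bare plaintext (no "{id}" prefix) can never match:
        // the delegating encoder finds no encoder to dispatch to and throws.
        try {
            passwordMatches("123456", "123456");
        } catch (IllegalArgumentException e) {
            System.out.println("unprefixed value rejected: " + e.getMessage());
        }
    }
}
```

Because the login form still carries the plaintext password, the login endpoint has to be served over TLS; the encoder only protects the stored copy.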