优化：使用更加安全的编码保存用户密码

2025-11-09 12:13:47 +08:00 · 2025-03-01 18:44:30 +08:00
parent 57747d9082
commit 34fdf59432
11 changed files with 99 additions and 52 deletions
--- a/smart-admin-api-java8-springboot2/sa-base/src/main/java/net/lab1024/sa/base/module/support/securityprotect/service/SecurityPasswordService.java
+++ b/smart-admin-api-java8-springboot2/sa-base/src/main/java/net/lab1024/sa/base/module/support/securityprotect/service/SecurityPasswordService.java
@@ -5,8 +5,8 @@ import net.lab1024.sa.base.common.domain.ResponseDTO;
 import net.lab1024.sa.base.common.util.SmartStringUtil;
 import net.lab1024.sa.base.module.support.securityprotect.dao.PasswordLogDao;
 import net.lab1024.sa.base.module.support.securityprotect.domain.PasswordLogEntity;
-import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.lang3.RandomStringUtils;
+import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
 import org.springframework.stereotype.Service;

 import javax.annotation.Resource;
@@ -46,6 +46,8 @@ public class SecurityPasswordService {
    @Resource
    private Level3ProtectConfigService level3ProtectConfigService;

+    static Argon2PasswordEncoder encoder = Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8();
+
    /**
     * 校验密码复杂度
     */
@@ -84,8 +86,9 @@ public class SecurityPasswordService {

        // 检查最近几次是否有重复密码
        List<String> oldPasswords = passwordLogDao.selectOldPassword(requestUser.getUserType().getValue(), requestUser.getUserId(), level3ProtectConfigService.getRegularChangePasswordNotAllowRepeatTimes());
-        if (oldPasswords != null && oldPasswords.contains(getEncryptPwd(newPassword))) {
-            return ResponseDTO.userErrorParam(String.format("与前%s个历史密码重复，请换个密码!", level3ProtectConfigService.getRegularChangePasswordNotAllowRepeatTimes()));
+        boolean isDuplicate = oldPasswords.stream().anyMatch(oldPassword -> encoder.matches(newPassword, oldPassword));
+        if (isDuplicate) {
+            return ResponseDTO.userErrorParam(String.format("与前%d个历史密码重复，请换个密码!", level3ProtectConfigService.getRegularChangePasswordNotAllowRepeatTimes()));
        }

        return ResponseDTO.ok();
@@ -143,7 +146,14 @@ public class SecurityPasswordService {
     * 获取 加密后 的密码
     */
    public static String getEncryptPwd(String password) {
-        return DigestUtils.md5Hex(String.format(PASSWORD_SALT_FORMAT, password));
+        return encoder.encode(password);
+    }
+
+    /**
+     * 校验密码是否匹配
+     */
+    public static Boolean matchesPwd( String password,  String encodedPassword){
+     return encoder.matches( password, encodedPassword);
    }

 }