I have Spring Security working within my application to authenticate a user with one password. I'm trying to meet a requirement that an override password will also authenticate that same user.
How can I do this with Spring Security?
The BCryptPasswordEncoder implementation uses the widely supported bcrypt algorithm to hash the passwords.
The password hashes are stored in the relational database. To keep things simple, in this example the client sends the user credentials with every HTTP request, so the application has to run the full authentication process on each call to the API rather than relying on a session.
Fortunately, Spring Security includes password hashing out of the box, and since version 3.1 its BCryptPasswordEncoder generates a random salt per hash and stores it inside the encoded value, so no separate salt handling is needed. The following example is available to download from GitHub in version 3.4 of the Spanners app.
To verify that a user entered the correct password, apply the same one-way hash (using the salt recovered from the stored value) to the entered password and compare the result with the stored hash; if they are the same, the entered password is correct. In Spring Security that comparison is PasswordEncoder.matches(rawPassword, encodedPassword); the stored hash is never reversed.
It is possible; you will have to implement your own AuthenticationProvider, possibly by extending the existing DaoAuthenticationProvider (see additionalAuthenticationChecks() in there).
Also, the user is only associated with a single password by default (UserDetails.getPassword()), so you will need to have an extension of that class holding multiple passwords, and a corresponding implementation of UserDetailsService that knows how to load the user along with its passwords.
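A minimal working shape of what the answer describes, added here as an example; it is not code from the question, the answer or the Spanners app, and it also exercises the bcrypt hash-and-verify flow from the paragraphs above. The class names MultiPasswordUser, MultiPasswordUserDetailsService and OverridePasswordAuthenticationProvider, the user "alice" and both password values are assumptions, and the in-memory map stands in for the relational table. The Spring Security types used (DaoAuthenticationProvider, PasswordEncoder, User, AuthorityUtils) are real; a 5.x or 6.x release is assumed.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical UserDetails extension: the primary bcrypt hash lives in User.getPassword(),
 *  the override password is a second, independently salted bcrypt hash (null when unset). */
class MultiPasswordUser extends User {
    private final String overridePasswordHash;

    MultiPasswordUser(String username, String primaryHash, String overridePasswordHash,
                      Collection<? extends GrantedAuthority> authorities) {
        super(username, primaryHash, authorities);
        this.overridePasswordHash = overridePasswordHash;
    }

    String getOverridePasswordHash() {
        return overridePasswordHash;
    }
}

/** Hypothetical UserDetailsService; the map stands in for the relational database table. */
class MultiPasswordUserDetailsService implements UserDetailsService {
    private final Map<String, MultiPasswordUser> table = new HashMap<>();

    MultiPasswordUserDetailsService(PasswordEncoder encoder) {
        // Constructed sample row. Both hashes come from the same encoder, so the override
        // password gets the same cost factor and its own random salt, like the primary one.
        table.put("alice", new MultiPasswordUser("alice",
                encoder.encode("alice-primary-secret"),
                encoder.encode("alice-override-secret"),
                AuthorityUtils.createAuthorityList("ROLE_USER")));
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        MultiPasswordUser user = table.get(username);
        if (user == null) {
            throw new UsernameNotFoundException("No user " + username);
        }
        return user;
    }
}

/** DaoAuthenticationProvider that accepts either the primary or the override password. */
class OverridePasswordAuthenticationProvider extends DaoAuthenticationProvider {
    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        if (authentication.getCredentials() == null) {
            throw new BadCredentialsException("No credentials supplied");
        }
        String presented = authentication.getCredentials().toString();
        PasswordEncoder encoder = getPasswordEncoder();

        // Same check the stock provider performs: presented password against the primary hash.
        if (encoder.matches(presented, userDetails.getPassword())) {
            return;
        }
        // Fallback: the override hash, only for users that actually carry one.
        if (userDetails instanceof MultiPasswordUser) {
            String overrideHash = ((MultiPasswordUser) userDetails).getOverridePasswordHash();
            if (overrideHash != null && encoder.matches(presented, overrideHash)) {
                return;
            }
        }
        throw new BadCredentialsException("Bad credentials");
    }
}

public class OverridePasswordDemo {
    public static void main(String[] args) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        DaoAuthenticationProvider provider = new OverridePasswordAuthenticationProvider();
        provider.setUserDetailsService(new MultiPasswordUserDetailsService(encoder));
        provider.setPasswordEncoder(encoder);
        provider.afterPropertiesSet(); // the Spring container normally calls this; done by hand here

        for (String candidate : List.of("alice-primary-secret", "alice-override-secret", "not-a-password")) {
            try {
                Authentication result = provider.authenticate(
                        new UsernamePasswordAuthenticationToken("alice", candidate));
                System.out.println(candidate + " -> authenticated: " + result.isAuthenticated());
            } catch (AuthenticationException ex) {
                System.out.println(candidate + " -> rejected (" + ex.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

Two practical caveats follow from this shape. A rejected login now costs two bcrypt evaluations instead of one, so the cost factor should be chosen with that in mind. And because the override password is simply a second credential for the same account, it deserves the same handling as the first: hashed with the same encoder, kept in its own column so it can be revoked without touching the primary password, and ideally recorded at login time so audit logs show which of the two credentials was used.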