Configuring Jasig CAS to use BCrypt

Question

I want to configure Jasig CAS to use BCrypt as passwordEncoder.

Searching around I've found that this can be handled entirely by Spring Framework but I'm not familiar with it.

From what I understand I just need to add spring-security-core and spring-security-crypto libraries to war file and change passwordEncoder bean in deployerConfigContext.xml.

But I am getting this as a result:

Tail of tomcat logfile:

Caused by: org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.springframework.security.crypto.password] for bean with name 'passwordEncoder' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: org.springframework.security.crypto.password
        at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1328)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:453)
        at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:303)
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:299)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
        ... 66 more
Caused by: java.lang.ClassNotFoundException: org.springframework.security.crypto.password
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720)
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
        at org.springframework.util.ClassUtils.forName(ClassUtils.java:249)
        at org.springframework.beans.factory.support.AbstractBeanDefinition.resolveBeanClass(AbstractBeanDefinition.java:395)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doResolveBeanClass(AbstractBeanFactory.java:1349)
        at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1320)
        ... 72 more

Sep 23, 2015 2:06:30 PM org.apache.catalina.core.ApplicationContext log
INFO: Closing Spring root WebApplicationContext

Part of deployerConfigContext.xml:

<bean id="primaryAuthenticationHandler"
      class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler"
      p:dataSource-ref="dataSource"
      p:passwordEncoder-ref="passwordEncoder"
      p:sql="select password from users where username=? and active=1" />

<bean id="passwordEncoder" class="org.springframework.security.crypto.password"/>

ls ~tomcat/webapps/cas/WEB-INF/lib | grep spring-security

spring-security-cas-4.0.1.RELEASE.jar
spring-security-config-4.0.1.RELEASE.jar
spring-security-core-4.0.1.RELEASE.jar
spring-security-core-4.0.2.RELEASE.jar
spring-security-crypto-4.0.2.RELEASE.jar
spring-security-web-4.0.1.RELEASE.jar

Correct me if I'm wrong, but I suppose that I have configured the bean in deployerConfigContext.xml. Can you point me what is wrong?

Answer 1

You have a typo here:

<bean id="passwordEncoder" class="org.springframework.security.crypto.password"/>

That is not a class element; it's a package. The encoder is likely this one:

<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

See: https://docs.spring.io/spring-security/site/docs/4.2.7.RELEASE/apidocs/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html