
Password encryption with Spring/Hibernate - Jasypt or something else? [closed]

In a Java application stack with Spring & Hibernate (JPA) in the Data Access Layer, what are good methods of applying the password encryption (hopefully using annotations), and where can you find out more about getting it done (tutorial, etc)?

It's understood that I would use a JCA supported algorithm for encrypting the passwords, but I would prefer to not have to implement the wrapper logic if there is an easy way.

I was looking at Jasypt, and was a) wondering if that's a good option and how to do it and b) what else people are using for this. If anyone is using Jasypt or an alternative, details of your experience would be great.

stevedbrown asked Jul 02 '09 15:07


People also ask

What encryption does Jasypt use?

Jasypt provides implementations for one type of encryption: Password-Based Encryption (PBE).

What is the best way to encrypt passwords in Java?

Password-Based Encryption using Salt and Base64: The password-based encryption technique uses plain text passwords and salt values to generate a hash value. And the hash value is then encoded as a Base64 string. Salt value contains random data generated using an instance of Random class from java.util package.

Is Jasypt secure?

Jasypt stands for Java Simplified Encryption. It provides basic encryption of plain-text, numbers, binaries to secure confidential data. It is completely thread safe and provides high performance in multi-processor too.


2 Answers

Java has all of the required libraries already provided for you. Simply create a utility method that implements hashing with a salt as described at OWASP.

If you really don't want to own that code and don't mind an extra dependency, it seems that the Shiro library (formerly JSecurity) has an implementation of what is described by OWASP.

It also looks like the JASYPT library you mentioned has a similar utility.

I realize that this answer doesn't mention Spring or Hibernate but I'm not clear how you are hoping to utilize them in this scenario.

laz answered Oct 12 '22 23:10


You can use Jasypt with Hibernate to encrypt or hash your properties on the fly if that's what you're looking for. The actual algorithm for computing digests (hashes) is pretty simple using the JCE if you want to roll your own as well.

Kevin answered Oct 12 '22 23:10