
Spring Security >5.0.0 removed Md5PasswordEncoder

I have a Spring project using Spring security. I was using Spring Boot 1.5 and now I migrated to Spring Boot 2.0.

I noticed that Md5PasswordEncoder has been removed in the final release of Spring Security. Instead Md4PasswordEncoder is still present even if deprecated (https://docs.spring.io/spring-security/site/docs/5.0.3.RELEASE/api/).

Should I use an external MD5 encoder, or has the class been moved somewhere else?

drenda asked Apr 03 '18 15:04


1 Answer

The fact that Md5PasswordEncoder ceased to exist doesn't mean that Spring Security 5 isn't able to create MD5 hashes. It uses new MessageDigestPasswordEncoder("MD5") for that.

There are two options, both work with the new DelegatingPasswordEncoder, which expects a password prefix to determine the hashing algorithm, for example {MD5}password_hash:

Either set the default password encoder to MD5 (in uppercase!), so if passwords aren't prefixed, then the default encoder is applied:

// createDelegatingPasswordEncoder() is declared to return PasswordEncoder, so a cast
// is needed to reach setDefaultPasswordEncoderForMatches on DelegatingPasswordEncoder.
DelegatingPasswordEncoder passwordEncoder =
        (DelegatingPasswordEncoder) PasswordEncoderFactories.createDelegatingPasswordEncoder();
passwordEncoder.setDefaultPasswordEncoderForMatches(new MessageDigestPasswordEncoder("MD5"));

Or prefix the existing password hashes in the database with {MD5}. This way the DelegatingPasswordEncoder delegates to the {MD5} hasher. Something like:

update myusertable set pwd = '{MD5}' || pwd;
Markus Pscheidt answered Sep 17 '22 18:09
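The first option from the answer, carried one step further as an added example (not code from the question, the answer, or Spring Security itself): legacy unprefixed MD5 hashes are still accepted for login, but each successful login re-hashes the password with the delegating encoder's default (bcrypt), so the MD5 hashes disappear over time. It assumes spring-security-core 5.0.x on the classpath and unsalted legacy hashes; the class LegacyMd5Migration and the method rehashOnLogin are hypothetical names.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.MessageDigestPasswordEncoder;

public class LegacyMd5Migration {

    private final DelegatingPasswordEncoder encoder;

    public LegacyMd5Migration() {
        // createDelegatingPasswordEncoder() returns PasswordEncoder; the cast exposes
        // setDefaultPasswordEncoderForMatches. Default id for encode() is "bcrypt".
        this.encoder = (DelegatingPasswordEncoder)
                PasswordEncoderFactories.createDelegatingPasswordEncoder();
        // Hashes without an {id} prefix are verified as legacy unsalted MD5 (hex).
        // MessageDigestPasswordEncoder is deprecated because MD5 is unsuitable for
        // passwords; it is used here only to verify hashes that already exist.
        this.encoder.setDefaultPasswordEncoderForMatches(new MessageDigestPasswordEncoder("MD5"));
    }

    /**
     * Returns null when rawPassword does not match storedHash. On a match, returns
     * the value to persist: the stored hash if it is already prefixed, otherwise a
     * fresh {bcrypt} hash that replaces the legacy MD5 one.
     */
    public String rehashOnLogin(String rawPassword, String storedHash) {
        if (!encoder.matches(rawPassword, storedHash)) {
            return null;
        }
        boolean legacy = !storedHash.startsWith("{");
        return legacy ? encoder.encode(rawPassword) : storedHash;
    }

    /** Lowercase hex MD5 as the removed Md5PasswordEncoder stored it without a salt. */
    static String legacyMd5(String rawPassword) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5")
                .digest(rawPassword.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        LegacyMd5Migration migration = new LegacyMd5Migration();
        String legacy = legacyMd5("correct horse"); // constructed sample credential
        String upgraded = migration.rehashOnLogin("correct horse", legacy);
        System.out.println("upgraded to bcrypt: " + upgraded.startsWith("{bcrypt}"));
        System.out.println("wrong password rejected: " + (migration.rehashOnLogin("wrong", legacy) == null));
        System.out.println("bcrypt hash kept: " + upgraded.equals(migration.rehashOnLogin("correct horse", upgraded)));
    }
}
```

Persist the returned value whenever it differs from the stored one; with the default encoder for matches left unset, a stored hash without a prefix would throw IllegalArgumentException instead.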