 

Spring Security salt for custom UserDetails

I would like to add salt like:

PasswordEncoder encoder = new ShaPasswordEncoder();
userDetails.setPassword(encoder.encodePassword(userDetails.getPassword(), saltSource.getSalt(userDetails)));

Since userDetails is an instance of my custom UserDetails class, I am obliged to cast it to the Spring class UserDetails, but, as is logically expected, I get at runtime:

java.lang.ClassCastException: model.UserDetails cannot be cast to org.springframework.security.core.userdetails.UserDetails

config:

<beans:bean id="saultSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
        <beans:property name="userPropertyToUse" value="username"/>
</beans:bean>

<authentication-manager alias="authenticationManager">
<authentication-provider>
<password-encoder hash="sha">
    <salt-source user-property="username"/>
</password-encoder>
    <jdbc-user-service data-source-ref="dataSource"/>
</authentication-provider>
</authentication-manager>

How can I configure salt correctly in this case?

asked Dec 28 '11 16:12 by sergionni


1 Answer

ReflectionSaltSource only works with a UserDetails object (I'm assuming that's where you get the class-cast exception?), so you would have to either implement UserDetails or create your own SaltSource implementation which works with your object.

However, I wouldn't use a property of the user as the salt unless you are working with a legacy system which already does this. The username is not a very good salt value. It's much better to use a random salt which is stored with the password. A good example is the BCrypt algorithm. See my answer to this question for an example of using it with Spring Security 3.1. As explained there, BCrypt automatically generates a random salt which it stores in the same string as the hashed password.

Note that there is actually a new PasswordEncoder interface in the Spring Security 3.1 "crypto" package (in org.springframework.security.crypto.password). This doesn't include a salt in the API methods, since it assumes the salt is internally generated (as it is with the BCrypt implementation). The framework will generally accept one of these or the legacy org.springframework.security.authentication.encoding.PasswordEncoder.

answered Oct 01 '22 00:10 by Shaun the Sheep
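To make the answer's recommendation concrete, here is an added example that is not code from the original question or answer. It puts the question's username-as-salt scheme (legacy ShaPasswordEncoder) next to the BCryptPasswordEncoder from the Spring Security 3.1 crypto package that the answer recommends, and splits a BCrypt string apart to show where the random salt is stored. It assumes Spring Security 3.1 with spring-security-core on the classpath; the class SaltDemo and the helper names legacyShaWithUsernameSalt, legacyShaMatches, bcryptHash, bcryptMatches and bcryptParts are hypothetical names chosen for this example, and the username and password are constructed sample input.

```java
// Added example (not from the original post). Assumes Spring Security 3.1.
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class SaltDemo {

    // Legacy encoder used in the question: the caller supplies the salt.
    // With the username as salt the hash is fully deterministic, and the
    // salt is public, so an attacker who knows the username can precompute
    // candidate hashes for that account before ever seeing the database.
    static String legacyShaWithUsernameSalt(String rawPassword, String username) {
        ShaPasswordEncoder encoder = new ShaPasswordEncoder(); // SHA-1, hex output
        return encoder.encodePassword(rawPassword, username);
    }

    static boolean legacyShaMatches(String stored, String rawPassword, String username) {
        return new ShaPasswordEncoder().isPasswordValid(stored, rawPassword, username);
    }

    // New-style encoder from org.springframework.security.crypto.password:
    // no salt parameter, because BCrypt draws a fresh random salt from
    // SecureRandom on every encode() and embeds it in the returned string.
    // Strength 10 means 2^10 key-expansion rounds (the class default).
    static final BCryptPasswordEncoder BCRYPT = new BCryptPasswordEncoder(10);

    static String bcryptHash(String rawPassword) {
        return BCRYPT.encode(rawPassword);
    }

    static boolean bcryptMatches(String stored, String rawPassword) {
        // matches() reads the cost and salt back out of 'stored', re-hashes
        // 'rawPassword' with them and compares; nothing else needs storing.
        return BCRYPT.matches(rawPassword, stored);
    }

    // Hypothetical helper for this example: splits a 60-character BCrypt
    // string "$2a$10$" + 22-char salt + 31-char hash into its four fields.
    static String[] bcryptParts(String hash) {
        String[] fields = hash.split("\\$"); // ["", "2a", "10", salt+hash]
        String saltAndHash = fields[3];
        return new String[] {
            fields[1],                    // version
            fields[2],                    // cost (log2 rounds)
            saltAndHash.substring(0, 22), // salt, radix-64 encoded
            saltAndHash.substring(22)     // hash
        };
    }

    public static void main(String[] args) {
        String username = "alice";                             // constructed sample input
        String password = "correct horse battery staple";      // constructed sample input

        // Username salt: encoding the same password twice gives the same
        // string, and that string is reproducible by anyone who knows the
        // username, so it offers little beyond a plain unsalted hash.
        String sha1 = legacyShaWithUsernameSalt(password, username);
        String sha2 = legacyShaWithUsernameSalt(password, username);
        System.out.println("SHA+username salt #1: " + sha1);
        System.out.println("SHA+username salt #2: " + sha2);
        System.out.println("  identical:  " + sha1.equals(sha2));
        System.out.println("  verifies:   " + legacyShaMatches(sha1, password, username));

        // BCrypt: two encodes of the same password differ because each gets
        // its own random salt, yet both verify, since the salt travels with
        // the hash. Two users with the same password get unrelated hashes.
        String bc1 = bcryptHash(password);
        String bc2 = bcryptHash(password);
        System.out.println("BCrypt #1: " + bc1);
        System.out.println("BCrypt #2: " + bc2);
        System.out.println("  differ:      " + !bc1.equals(bc2));
        System.out.println("  both verify: "
            + (bcryptMatches(bc1, password) && bcryptMatches(bc2, password)));
        String[] p = bcryptParts(bc1);
        System.out.println("  version=" + p[0] + " cost=" + p[1]
            + " salt=" + p[2] + " hash=" + p[3]);
    }
}
```

Running main shows the two SHA strings identical and the two BCrypt strings differing in both salt and hash while all of them verify. To adopt this in the question's configuration on 3.1, declare the BCryptPasswordEncoder as a bean, reference it with `<password-encoder ref="..."/>` inside `<authentication-provider>`, and drop the `<salt-source>` element, since the salt is no longer supplied by the caller. The ClassCastException in the question is a separate issue: ReflectionSaltSource and the authentication provider both expect the object returned by the user service to implement `org.springframework.security.core.userdetails.UserDetails`, which is the first of the two options the answer gives.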