Spring Security:password encoding in DB and in applicationContext

I have this config (applicationContext-security.xml):

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <password-encoder hash="sha"/>
            <jdbc-user-service data-source-ref="dataSource"/>
        </authentication-provider>
    </authentication-manager>

On the other side, I have the SQL from my dataSource (it's JdbcDaoImpl):

    ...
    public static final String DEF_USERS_BY_USERNAME_QUERY =
            "select username,password,enabled " +
            "from users " +
            "where username = ?";
    ...

There is no word about sha in this code, so the password selected from the standard Spring Security users table is not encoded.

Perhaps I should provide some sha attribute for the password column in my Hibernate mapping config here:

    <class name="model.UserDetails" table="users">
        <id name="id">
            <generator class="increment"/>
        </id>
        <property name="username" column="username"/>
        <property name="password" column="password"/>
        <property name="enabled" column="enabled"/>
        <property name="mail" column="mail"/>
        <property name="city" column="city"/>
        <property name="confirmed" column="confirmed"/>
        <property name="confirmationCode" column="confirmation_code"/>

        <set name="authorities" cascade="all" inverse="true">
            <key column="id" not-null="true"/>
            <one-to-many class="model.Authority"/>
        </set>
    </class>

For now the password is saved to the DB as is, but it should be encoded.

How do I make the applicationContext config and the DB queries use the same password encoding?

sergionni asked Dec 15 '11 13:12



1 Answer

If you are choosing a hashing system yourself, rather than building an app using an existing database which already contains hashed passwords, then you should make sure your hashing algorithm also uses a salt. Don't just use a plain digest.

A good choice is bcrypt, which we now support directly in Spring Security 3.1 via the BCryptPasswordEncoder (implemented using jBCrypt). This automatically generates a salt and concatenates it with the hash value in a single String.

Some databases have built-in support for hashing (e.g. Postgres). Otherwise, you need to hash the password yourself before passing it to JDBC:

    // Imports added for completeness; the encoder lives in spring-security-crypto
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    String password = "plaintextPassword";
    PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
    String hashedPassword = passwordEncoder.encode(password);

That's all you need to do to encode the passwords when you create a user.

For authentication, you would use something like:

    <bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <bean id="authProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="yourJdbcUserService" />
        <property name="passwordEncoder" ref="encoder" />
    </bean>
Shaun the Sheep answered Oct 22 '22 08:10
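As an added example (not code from the answer or from the Spring project), this puts the two halves of the answer together: a hypothetical registration class that hashes with BCryptPasswordEncoder before the row reaches the standard users table, and a main() showing why the stored bcrypt string needs no separate salt column for the DaoAuthenticationProvider to verify it. The JdbcTemplate wiring and the users table columns are assumptions.

```java
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical registration service (assumed, not from the page): the same
// PasswordEncoder type that the authProvider bean uses must hash the password
// at creation time, otherwise authentication compares a hash against plaintext.
public class UserRegistration {
    private final JdbcTemplate jdbc;        // assumed: built on the app's dataSource bean
    private final PasswordEncoder encoder;  // same type as the "encoder" bean in the XML

    public UserRegistration(JdbcTemplate jdbc, PasswordEncoder encoder) {
        this.jdbc = jdbc;
        this.encoder = encoder;
    }

    // Hash first, then insert into the default Spring Security users table
    // (username, password, enabled), which is what JdbcDaoImpl's query reads back.
    public String register(String username, String rawPassword) {
        String hashed = encoder.encode(rawPassword);  // random salt generated per call
        jdbc.update("insert into users (username, password, enabled) values (?, ?, ?)",
                    username, hashed, true);
        return hashed;
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        String stored = encoder.encode("plaintextPassword");
        String again  = encoder.encode("plaintextPassword");

        // bcrypt salts every call, so identical input yields two different
        // "$2a$10$..." strings; the salt is embedded in the string itself.
        System.out.println(stored);
        System.out.println(again);
        System.out.println("same hash twice? " + stored.equals(again));

        // matches() extracts the salt from the stored value and re-hashes the
        // candidate, which is exactly what DaoAuthenticationProvider does at login.
        System.out.println("correct password accepted? "
                + encoder.matches("plaintextPassword", stored));
        System.out.println("wrong password accepted? "
                + encoder.matches("wrongPassword", stored));
    }
}
```

Because matches() recomputes the hash from the salt inside the stored string, the Hibernate mapping from the question needs no extra attribute; only the value written to the password column has to be the encoder's output.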