Spring Security Configuration with MD5 Using a Base String Object

I checked this forum and the docs, but did not find the answer to this question: how can I make a basic Spring Security configuration that uses a basic Java object as the MD5 encoding salt?

Here is my Spring Security context configuration:

  <beans:bean id="saltSource" class="com.myproject.sec.util.MyString" scope="singleton" >
      <beans:constructor-arg value="12345" />
  </beans:bean>

  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userService">
        <password-encoder hash="md5">
            <salt-source ref="saltSource" />
        </password-encoder>
    </authentication-provider> 
  </authentication-manager>

... but this configuration throws an unwanted exception, complaining that the salt source is not connected to the org.springframework.security.authentication.dao.SaltSource interface. I do not want to use the user details as my salt property (as this interface supports user data), but rather my custom String object, as shown above. How do I achieve this?

, , , , :

  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userService">
        <password-encoder hash="md5">
            <salt-source user-property="username"/>
        </password-encoder>
    </authentication-provider> 
  </authentication-manager>

, "12345" :

  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userService">
        <password-encoder hash="md5">
            <salt-source system-wide="12345"/>
        </password-encoder>
    </authentication-provider> 
  </authentication-manager>

... , "12345", , fred, , Salt "fred12345", ?

+4
3

, + "12345", SaltSource ( ):

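import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.core.userdetails.UserDetails;

// Builds the salt from the username plus the fixed string "12345".
public class UserNameAndStringSalt implements SaltSource {
    @Override
    public Object getSalt(UserDetails user) {
        return user.getUsername() + "12345";
    }
}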

:

<beans:bean id="saltSource" class="com.myproject.UserNameAndStringSalt" scope="singleton" />

<authentication-manager alias="authenticationManager">
  <authentication-provider user-service-ref="userService">
      <password-encoder hash="md5">
          <salt-source ref="saltSource" />
      </password-encoder>
  </authentication-provider> 
</authentication-manager>

, MD5 SHA - BCrypt SCrypt , : https://security.stackexchange.com/questions/8607/how-quickly-can-these-password-schemes-really-be-beaten

+2
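
The salt rule from the answer above, as an added example that is not part of the original posts: plain-JDK Java showing how a username + "12345" salt ends up in the stored MD5 value, compared with a system-wide "12345" salt. It assumes the legacy hash="md5" encoder merges the salt as `password{salt}`, hashes the UTF-8 bytes and stores lowercase hex; the class name, helper names, users and password are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration; class, helper names and sample data are constructed.
public class LegacySaltDemo {

    // Assumed legacy merge format: password{salt}; an empty salt adds no braces.
    static String merge(String password, String salt) {
        return (salt == null || salt.isEmpty()) ? password : password + "{" + salt + "}";
    }

    // MD5 over the UTF-8 bytes, rendered as lowercase hex.
    static String md5Hex(String input) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    // Same rule as UserNameAndStringSalt.getSalt(): username + "12345".
    static String userSalt(String username) {
        return username + "12345";
    }

    // Constant-time comparison of the stored hash with the recomputed one.
    static boolean matches(String stored, String password, String salt) {
        byte[] a = stored.getBytes(StandardCharsets.US_ASCII);
        byte[] b = md5Hex(merge(password, salt)).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        String pw = "S3cret!pass"; // constructed sample password
        String fred = md5Hex(merge(pw, userSalt("fred")));
        String anna = md5Hex(merge(pw, userSalt("anna")));
        String fredSys = md5Hex(merge(pw, "12345")); // system-wide="12345"
        String annaSys = md5Hex(merge(pw, "12345"));
        System.out.println("per-user salt, same password, same hash:    " + fred.equals(anna));
        System.out.println("system-wide salt, same password, same hash: " + fredSys.equals(annaSys));
        // Renaming a user changes the salt, so the stored hash stops verifying.
        System.out.println("verifies as fred:  " + matches(fred, pw, userSalt("fred")));
        System.out.println("verifies as fred2: " + matches(fred, pw, userSalt("fred2")));
    }
}
```

Because the salt is derived from the username, a username change has to be paired with a password reset or re-hash.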

It is recommended to use StandardPasswordEncoder, which Spring Security provides. It will automatically handle the salting for you. It also uses the much stronger SHA256 hash.

http://docs.spring.io/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/crypto/password/StandardPasswordEncoder.html

<beans:bean id="passwordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userService">
        <password-encoder ref="passwordEncoder" />   
    </authentication-provider>
</authentication-manager>
0