
I have a Spring Project that has been authenticated using Spring Security.

Spring Security code snippet:

    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="md5"/>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="
                    SELECT users.LOGIN_NAME AS username,
                           users.PASSWD_HASH AS password,
                           users.status AS enabled
                    FROM RV_USER users
                    WHERE users.LOGIN_NAME=?"
                authorities-by-username-query="
                    SELECT users.LOGIN_NAME AS username,
                           authorities.ROLE_DESC AS authority
                    FROM RV_ROLE authorities, RV_USER users
                    WHERE authorities.ROLE_ID=users.ROLE_ID
                      AND users.LOGIN_NAME=?"
            />
        </authentication-provider>
    </authentication-manager>

I want to use a custom hash algorithm rather than md5 or something else.

Probal Basak

1 Answer


You can create your own PasswordEncoder implementation. For example:

    import org.springframework.security.crypto.password.PasswordEncoder;

    public class CustomPasswordEncoder implements PasswordEncoder {

        @Override
        public String encode(CharSequence rawPassword) {
            return null; // TODO implement
        }

        @Override
        public boolean matches(CharSequence rawPassword, String encodedPassword) {
            return false; // TODO implement (null does not compile for a boolean return type)
        }
    }

You can then use CustomPasswordEncoder with password-encoder@ref. For example:

    <authentication-manager>
      <authentication-provider>
        <password-encoder ref="customPasswordEncoder"/>
        ...
      </authentication-provider>
    </authentication-manager>

Rob Winch
  • Thanks. But when I am authenticating with j_spring_security_check then it is hitting isPasswordValid() method. Where should I encode the password? Please share the code in detail. – Probal Basak Oct 22 '13 at 07:07
  • Also how do I get the username so that I can validate the password against the username? – Probal Basak Oct 22 '13 at 07:19
  • If you are still hitting the isPasswordValid method you are using the old PasswordEncoder interface and not the code I have provided above. The password encoding is only for password encoding. It does not need to know how to validate the password against the username. Spring Security will take the username and password provided by the user, it will look up the current user with the UserDetailsService, it will then pass in the rawPassword (i.e. the one the user typed) and the password returned from the UserDetailsService to the matches method. – Rob Winch Oct 22 '13 at 13:34
  • Thanks. It's working perfectly now. One more thing. Is there any way to get the handle of the current request object in the isPasswordValid() method? – Probal Basak Oct 23 '13 at 09:07
  • What do you mean by current request object? Are you still using the old deprecated interface (i.e. there is no isPasswordValid method on the new API)? – Rob Winch Oct 23 '13 at 13:48
  • Yes. I am using the old interface. Now it's working. There is no issue. – Probal Basak Oct 25 '13 at 06:40
  • Now I am stuck with something else. I want to encrypt a password field on the client side in JavaScript and decrypt the same on the server side in Java. Can anyone help? – Probal Basak Oct 25 '13 at 06:41
  • If I answered your question, please accept the answer and vote it up. If you have a new question, please post a new question. JavaScript is likely to have some different experts so you will want to tag the new question differently to attract those experts. – Rob Winch Oct 25 '13 at 13:15