When doing BASIC authentication with Spring Security I want to match the password hash and not the password itself, so that only the hash, and not the password, is stored server-side.
I have the following code:
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        // Authority name used below; the actual value is not shown in the question.
        private static final String MY_AUTHORITY = "MY_AUTHORITY";

        @Autowired
        AppConfig appConfig;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/v2/**")
                .hasAuthority(MY_AUTHORITY).anyRequest().authenticated()
                .and()
                .httpBasic();
        }

        @Autowired
        public void configureSecurityManager(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
            // Registers a single in-memory user whose password is currently stored in clear text.
            new InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder>()
                .withUser(appConfig.getCredentials().getUserName())
                .password(appConfig.getCredentials().getPassword())
                .authorities(MY_AUTHORITY)
                .and()
                .configure(authManagerBuilder);
        }
    }
I've found some examples with BCrypt, however they're dealing with hashing the password and not with incorporating hash comparison into the BASIC auth scheme.
Or am I getting this wrong all the way, and the client should send a hash and not the password to the server?
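Added example (not code from the question): the same configuration with only a BCrypt hash stored server-side, where Spring Security's DaoAuthenticationProvider compares the cleartext password from the Basic-auth header against that hash via PasswordEncoder.matches(). It assumes an AppConfig bean with a hypothetical getPasswordHash() accessor and a hypothetical MY_AUTHORITY value.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
@Configuration
public class HashedBasicAuthConfig extends WebSecurityConfigurerAdapter {

    private static final String MY_AUTHORITY = "ROLE_API"; // hypothetical value

    @Autowired
    AppConfig appConfig;

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Work factor 12: each check costs a few hundred ms, which slows offline
        // guessing if the stored hash ever leaks.
        return new BCryptPasswordEncoder(12);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/v2/**").hasAuthority(MY_AUTHORITY)
            .anyRequest().authenticated()
            .and()
            .httpBasic();
    }

    @Autowired
    public void configureSecurityManager(AuthenticationManagerBuilder auth) throws Exception {
        // getPasswordHash() (assumed) returns a stored BCrypt string such as
        // "$2a$12$..." produced once, offline, by passwordEncoder().encode(cleartext).
        // The encoder set here is what the provider uses to run matches(submitted, stored).
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser(appConfig.getCredentials().getUserName())
            .password(appConfig.getCredentials().getPasswordHash())
            .authorities(MY_AUTHORITY);
    }
}
```

With this setup the client keeps sending the cleartext password in the Authorization header (Basic is base64 encoding, not encryption), so the endpoint must be served over HTTPS; only the server-side copy is a hash.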