Spring Security and Password Encoding
On previous posts we dived into spring security. We implemented security backed by jdbc, security based on custom jdbc queries and security retrieving information from a nosql database.
By being careful enough we will find out that passwords are in plain text. Although this serves well for example purposes in real environments, passwords are always encoded and stored encoded in the database.
Spring security supports password encoding in a pretty convenient way. It comes with its own preconfigured password encoders but It alsos gives us the ability to either create our custom password encoder.
StandardPasswordEncoder, Md5PasswordEncoder and the popular BCryptPasswordEncoder are some of the password encoders that come along with spring security.
package com.gkatzioura.spring.security; import org.junit.Test; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.authentication.encoding.Md5PasswordEncoder; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.StandardPasswordEncoder; /** * Created by gkatzioura on 10/5/16. */ public class EncoderTest { private static final Logger LOGGER = LoggerFactory.getLogger(EncoderTest.class); @Test public void md5Encoder() { Md5PasswordEncoder md5PasswordEncoder = new Md5PasswordEncoder(); String encoded = md5PasswordEncoder.encodePassword("test_pass",null); LOGGER.info("Md5 encoded "+encoded); } @Test public void bcryptEncoder() { BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder(); String encoded = bCryptPasswordEncoder.encode("test_pass"); LOGGER.info("Becrypt encoded "+encoded); } @Test public void standardEncoder() { StandardPasswordEncoder standardPasswordEncoder = new StandardPasswordEncoder(); String encoded = standardPasswordEncoder.encode("test_pass"); LOGGER.info("Standard encoded "+encoded); } }
To add password encoding all we have to do is to set a password encoder in our spring configuration.
With jdbc-backed spring security configuration it is pretty easy, we just set the password encoder of our choice. In our case we will use the md5 password encoder.
package com.gkatzioura.spring.security.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Profile; import org.springframework.security.authentication.encoding.Md5PasswordEncoder; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import javax.sql.DataSource; /** * Created by gkatzioura on 10/5/16. */ @EnableWebSecurity @Profile("encodedjdbcpassword") public class PasswordEncodedSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private DataSource dataSource; @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.jdbcAuthentication().dataSource(dataSource) .passwordEncoder(new Md5PasswordEncoder()) .usersByUsernameQuery("SELECT username,password,1 FROM Custom_Users_Encoded_pass where username=?") .authoritiesByUsernameQuery("SELECT username,authority FROM Custom_Roles where username=?"); } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/public").permitAll() .anyRequest().authenticated() .and() .formLogin() .permitAll() .and() .logout() .permitAll(); } }
Then we will add a user to the database with the encoded password.
drop table if exists Custom_Users_Encoded_pass; create table Custom_Users_Encoded_pass(id bigint auto_increment, username varchar(255), password varchar(255)); -- real password is test_pass insert into Custom_Users_Encoded_pass(username,password) values('TestUser','4ac1b63dca561d274c6055ebf3ed97db');
Therefore by trying to access http://localhost:8080/secured will have to give the username TestUser and the password test_pass in the login prompt.
Last but not least we will have to change our gradle.build to set encodedjdbcpassword as our default profile.
bootRun { systemProperty "spring.profiles.active", "encodedjdbcpassword" }
You can find the sourcecode on github.
Reference: | Spring Security and Password Encoding from our JCG partner Emmanouil Gkatziouras at the gkatzioura blog. |
Urging programmers to encrypt sensitive data in the database is a good idea, so thanks for that. But I have to take issue with your choice of MD5 as an encoder. MD5 is extremely weak and has been hacked many times. No pro should ever use it, IMHO. SHA-256 or Bycrpt are much better choices.
Also, you didn’t mention adding a Salt to the Hash and using many iterations, which altogether makes the hash much, much stronger. I’d suggest a read of this article: http://www.springminutes.com/2011/11/right-way-to-hash-passwords-with-spring.html
That is totally correct and should have been mentioned in the original post. Thank you for mentioning it and for the link you provided!