Spring Security Salt for Custom UserDetails

I would like to add salt as:

    PasswordEncoder encoder = new ShaPasswordEncoder();
    userDetails.setPassword(encoder.encodePassword(userDetails.getPassword(), saltSource.getSalt(userDetails)));

Since userDetails is an instance of my own user class UserDetails, and I have to pass it to Spring's UserDetails class, I got the following at runtime, as was logically expected:

 java.lang.ClassCastException: model.UserDetails cannot be cast to org.springframework.security.core.userdetails.UserDetails 

configurations:

    <beans:bean id="saultSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
        <beans:property name="userPropertyToUse" value="username"/>
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <password-encoder hash="sha">
                <salt-source user-property="username"/>
            </password-encoder>
            <jdbc-user-service data-source-ref="dataSource"/>
        </authentication-provider>
    </authentication-manager>

How can I adjust the salt correctly in this case?

+6
3 answers

ReflectionSaltSource only works with a UserDetails object (I assume that is where you get the ClassCastException from?), so you have to either implement UserDetails or create your own SaltSource implementation that works with your object.

However, I would not use a user property as the salt unless you are working with a legacy system that already does this. The username is not a very good value for a salt. It is much better to use a random salt, which is stored with the password. A good example is the BCrypt algorithm. See my answer to this question for an example of using it with Spring Security 3.1. As explained there, BCrypt automatically generates a random salt, which it stores in the same string as the hashed password.

Note that there is actually a new PasswordEncoder interface in the Spring Security 3.1 "crypto" module (in org.springframework.security.crypto.password). It does not include a salt in the API methods, as it assumes that the salt is generated internally (as in the case of the BCrypt implementation). The framework accepts either one of these or the deprecated org.springframework.security.authentication.encoding.PasswordEncoder.

+3

Your model.UserDetails class must implement the org.springframework.security.core.userdetails.UserDetails interface; it does not need to be the org.springframework.security.core.userdetails.User class.

You can also see this answer to learn how to set up ReflectionSaltSource for both encoding and verifying passwords, or, to get the bigger picture, follow Luke's great answer on BCryptPasswordEncoder.

+1
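The two answers above in working form, as an added example that is not code from the question or from either answerer: the application's model.UserDetails class implements Spring's UserDetails interface, which removes the ClassCastException and lets ReflectionSaltSource read the username (variant 1), and beside it the BCrypt variant the first answer recommends, which needs no SaltSource at all (variant 2). The field set, the ROLE_USER authority and the two static helper methods are assumptions for illustration; the Spring classes and methods used are the real Spring Security 3.1 API.

```java
package model;

import java.util.Collection;
import java.util.Collections;
import org.springframework.security.authentication.dao.ReflectionSaltSource;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// The application's own user class implements Spring's UserDetails interface (named in full
// because the simple names collide). That is all ReflectionSaltSource needs; extending the
// framework's User class is not required. Fields and helpers below are illustrative assumptions.
public class UserDetails implements org.springframework.security.core.userdetails.UserDetails {
    private final String username;
    private String password;
    public UserDetails(String username, String password) {
        this.username = username;
        this.password = password;
    }
    @Override public String getUsername() { return username; }
    @Override public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    @Override public Collection<? extends GrantedAuthority> getAuthorities() {
        return Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"));
    }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }

    // Variant 1 (the question's setup): ReflectionSaltSource reads the "username" property,
    // matching <salt-source user-property="username"/> so login verification uses the same salt.
    public static void hashWithUsernameSalt(UserDetails user) {
        ReflectionSaltSource saltSource = new ReflectionSaltSource();
        saltSource.setUserPropertyToUse("username");
        ShaPasswordEncoder encoder = new ShaPasswordEncoder();
        user.setPassword(encoder.encodePassword(user.getPassword(), saltSource.getSalt(user)));
    }

    // Variant 2 (the first answer's advice): BCrypt generates a random salt per password
    // and stores it inside the hash, so no SaltSource and no user property are needed.
    public static void hashWithBcrypt(UserDetails user) {
        user.setPassword(new BCryptPasswordEncoder().encode(user.getPassword()));
    }
    // matches() recovers the salt from the stored hash; returns true for the correct password.
    public static boolean bcryptMatches(String rawPassword, UserDetails user) {
        return new BCryptPasswordEncoder().matches(rawPassword, user.getPassword());
    }
}
```

With variant 2 the `<salt-source>` element and the ReflectionSaltSource bean are dropped from the configuration and `BCryptPasswordEncoder` is registered as the provider's password encoder instead.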

I wrote a blog post about some of these details here: http://rtimothy.tumblr.com/post/26527448708/spring-3-1-security-and-salting-passwords. Luke wrote the code, so he certainly knows what he is talking about, but I see that many people, including me, have difficulty grasping this information. I hope this helps.

0

Source: https://habr.com/ru/post/904611/