Reputation: 83
How to change password hashing algorithm when using spring security?
I'm working on a legacy Spring MVC based web Application which is using a - by current standards - inappropriate hashing algorithm. Now I want to gradually migrate all hashes to bcrypt. My high level strategy is:
- New hashes are generated with bcrypt by default
- When a user successfully logs in and has still a legacy hash, the app replaces the old hash with a new bcrypt hash.
What is the most idiomatic way of implementing this strategy with Spring Security? Should I use a custom Filter or my on AccessDecisionManager or …?
Upvotes: 6
Views: 2271
Answers (2)
Reputation: 22742
You'll probably have to customize your AuthenticationProvider since that is where the password is actually compared with the user data and you have all the information you need available.
In the authenticate method, you would first load the user data. Then check the user-supplied password with both a BCryptPasswordEncoder and your legacy one. If neither returns a match, throw a BadCredentialsException.
If the user authenticates successfully (very important :-)) and the password is legacy format (the legacy encoder matched), you would then call some additional code to update the user's account data and replace the legacy hash with a bcrypt one. The BCryptPasswordEncoder can be also be used to create new hashes.
If you want, you could detect in advance whether the stored hash was already bcrypt before doing the comparisons. Bcrypt strings have quite a distinct format.
Note also that to make it harder to guess valid account names, you should try to make the method behave the same both when a supplied username exists and when it doesn't (in terms of the time it takes). So call the encoders even when you don't have any user data for the supplied username.
Upvotes: 6
Reputation: 6273
i think best way to do this is to specify password encoder to authentication provider some thing like below, for more information refer doc
<authentication-manager>
<authentication-provider user-service-ref="userService">
<password-encoder ref="passwordEncoder">
<salt-source ref="saltSource" />
</password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
id="passwordEncoder" />
<beans:bean class="org.springframework.security.authentication.dao.ReflectionSaltSource"
id="saltSource">
<beans:property name="userPropertyToUse" value="userName" />
</beans:bean>
Upvotes: 0
Related Questions
- How to configure passwordEncoder in spring security config if i use Md5PasswordEncoder for password encryption?
- password change in spring-security.xml
- Configure Spring Security SAML to use SHA-256 as secure hash algorithm
- Hashing and Salting Passwords with Spring Security 3
- Spring Security - password hashing
- Spring Security and H2: How to hash passwords
- How to add MD5 or SHA hash to spring security?
- How can I determine the algorithm used for hashing passwords in a Grails app using springsecurity?
- Spring security Custom hash algorithm
- Salting a password with spring 3 security