Reputation: 1678
How Spring encodePassword with salt
I introduce Spring security for a web application. First I have my authentication manager as follows.
<authentication-manager>
<authentication-provider>
<password-encoder hash='md5'>
</password-encoder>
<jdbc-user-service data-source-ref="dataSource"/>
</authentication-provider>
</authentication-manager>
For tesing I'm going to use '1' as both username and password. I use a online md5 hash generator and I got 'c4ca4238a0b923820dcc509a6f75849b' for md5(1). Login works fine with this configuration. The I wanted to try salt and I modify authentication manager as follows.
<authentication-manager>
<authentication-provider>
<password-encoder hash='md5'>
<salt-source user-property="username"/>
</password-encoder>
<jdbc-user-service data-source-ref="dataSource"/>
</authentication-provider>
</authentication-manager>
So as I read in web how salt used is like hash(salt + password). So using the same tool I hash '11' then got hash value '6512bd43d9caa6e02c990b0a82652dca'. I update the database with that value. But now login fail with error thrown 'Caused : Bad credentials'. Which means password didn't match with the database. So my question is does that mean Spring use a different way for salting?
Upvotes: 0
Views: 6398
Answers (2)
Reputation: 6089
Since you are using spring security, you can think of using PasswordEncoder bean.
<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
</beans:bean>
And your authentication manager would be something like (change code ) :
<authentication-manager>
<authentication-provider>
<password-encoder ref="passwordEncoder">
<salt-source user-property="username"/>
<password-encoder/>
<jdbc-user-service data-source-ref="dataSource"/>
</authentication-provider>
</authentication-manager>
Visit Spring Security Custom Authentication and Password Encoding & Spring Security:password encoding in DB and in applicationContext to know more.
Upvotes: 2
Reputation: 1678
Damn anyway Spring salting method is different. User following Java code to calculate hash with salt.
public static void main(String[] args) {
Md5PasswordEncoder md5 = new Md5PasswordEncoder();
String hash = md5.encodePassword("1", "1");
System.out.println(hash);
}
I got '6a8a1f634e38d30e87b450899b31f810' as encrypted password(Different right??). Then I insert it to the database and try my application login. Vola!!! login succeed.
Upvotes: 0
Related Questions
- Hashing and Salting Passwords with Spring Security 3
- Handling salt with spring security PasswordEncoder
- Spring Security Encrypt MD5
- Implementing hash and salt in Spring 3 security
- Spring Security Salt Configuration with MD5 using basic String object
- Salting a password with spring 3 security
- Spring Security: use hashed password stored in database as salt of password encoder
- Spring security password hash + salt
- Md5 with salt encoding
- Authentication in Spring Security whith encoded password