Kumar Sambhav

Reputation: 7765

Jasypt | StrongPasswordEncryptor | Password not matching

I am using Jasypt's StrongPasswordEncryptor to encode user's password and for matching too.

I have created a util class to invoke its API :-

import org.jasypt.util.password.StrongPasswordEncryptor;

public class EncryptionUtil {

    // One shared encryptor; each encryptPassword() call still draws its own random salt.
    private static final StrongPasswordEncryptor passwordEncryptor = new StrongPasswordEncryptor();

    /**
     * Default private constructor.
     */
    private EncryptionUtil() {
    }

    /**
     * Encrypts a string using {@link StrongPasswordEncryptor}
     *
     * @param input
     *            Plain string
     * @return encrypted string.
     */
    public static final String encyptString(final String input) {
        return passwordEncryptor.encryptPassword(input);
    }

    /**
     * @see StrongPasswordEncryptor#checkPassword(String, String)
     * @param plainPassword
     * @param encryptedPassword
     * @return boolean
     */
    public static boolean checkPassword(String plainPassword, String encryptedPassword) {
        return passwordEncryptor
                .checkPassword(plainPassword, encryptedPassword);
    }

}

Trying to test it using Junit runs perfectly fine:-

import org.junit.Assert;
import org.junit.Test;

public class EncryptionUtilTest {

    @Test
    public void test() {
        String encryptedPassword = EncryptionUtil.encyptString("password");
        Assert.assertNotNull(encryptedPassword);
        // checkPassword() recovers the salt from the stored digest, so this matches.
        Assert.assertTrue(EncryptionUtil.checkPassword("password",
                encryptedPassword));
    }
}

I am storing user credentials in a SQL table. For testing/development environment I did a SQL insert after encrypting the password using the EncryptionUtil class.

Problem:-

The credential matching is failing once it's deployed/run on some other machine, when credentials are fetched from the database for matching.

After playing around a bit with the StrongPasswordEncryptor#encyptString, I found out that for the same plain password (say "password") the resultant encrypted password is different when run multiple times.

i.e :-

import org.junit.Test;

public class EncryptionUtilOutputTest {

    @Test
    public void test() {
        String encryptedPassword = EncryptionUtil.encyptString("password");
        // Prints a different digest on every run.
        System.out.println(encryptedPassword);
    }
}

This would print a different encrypted string on each run. I am not an encryption expert, but I believe that the salt used by the StrongPasswordEncryptor is different in each run.

How do I fix this?

I should be able to insert the encrypted user password into the SQL table so that it passes the credential matching flow.

Upvotes: 1

Views: 1682
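The behaviour behind the symptom, as an added example that is not from the question or from Jasypt: two calls on the same input never yield the same string, a string-equality check therefore always fails, while checkPassword() recovers the salt from the stored digest and matches on any machine, as long as the stored string is intact. It assumes jasypt is on the classpath; "password" is a constructed sample value.

```java
import org.jasypt.util.password.StrongPasswordEncryptor;

// Added example (not from the question or from Jasypt). Assumes jasypt is on the
// classpath; the plain password "password" is a constructed sample value.
public class SaltedDigestDemo {

    private static final StrongPasswordEncryptor ENCRYPTOR = new StrongPasswordEncryptor();

    // What belongs in the database: the complete digest string, salt included.
    static String digestForStorage(String plainPassword) {
        // Every call draws a fresh random salt, so the output differs per call.
        return ENCRYPTOR.encryptPassword(plainPassword);
    }

    // Wrong: re-encrypting and comparing strings never matches (different salt).
    static boolean brokenCheck(String plainPassword, String storedDigest) {
        return ENCRYPTOR.encryptPassword(plainPassword).equals(storedDigest);
    }

    // Right: checkPassword() takes the salt from the stored digest and re-derives.
    // Any exception raised on a mangled digest is treated as a failed match.
    static boolean correctCheck(String plainPassword, String storedDigest) {
        try {
            return ENCRYPTOR.checkPassword(plainPassword, storedDigest);
        } catch (RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String first = digestForStorage("password");
        String second = digestForStorage("password");

        System.out.println("different digests for same input: " + !first.equals(second));
        // The DB column must hold at least this many characters, untrimmed.
        System.out.println("digest length: " + first.length());

        System.out.println("string equality: " + brokenCheck("password", first));
        System.out.println("checkPassword, first: " + correctCheck("password", first));
        System.out.println("checkPassword, second: " + correctCheck("password", second));
        System.out.println("wrong password: " + correctCheck("Password", first));

        // A value cut down by a too-short VARCHAR column (or trimmed on insert)
        // loses salt/hash bytes and can no longer be verified.
        String truncated = first.substring(0, first.length() - 8);
        System.out.println("checkPassword, truncated: " + correctCheck("password", truncated));
    }
}
```

When the JUnit test passes locally but the deployed check fails, compare the length of the value read back from the table with the length printed here; a shortened or whitespace-altered digest is the usual cause.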

Answers (1)

Keerthivasan

Reputation: 12890

It would be different for every run of your test program since StrongPasswordEncryptor will be created every time during start-up and attached to the class EncryptionUtil, since it is marked as static and final. This means that the SALT provided will also be new for every instance of StrongPasswordEncryptor.

You need to read this, directly from the documentation:

When in a web application, Jasypt allows developers to avoid storing encryption passwords for PBE encryptors in files inside the webapp, specifying instead these passwords to the application through a web interface each time it is deployed.

  • Special *Config classes: org.jasypt.encryption.pbe.WebPBEConfig and org.jasypt.encryption.pbe.WebStringPBEConfig, which when assigned to an encryptor, "mark" this encryptor as eligible for receiving its password via web.

  • A context listener, org.jasypt.web.pbeconfig.WebPBEInitializationContextListener which will let us create our encryptors, set them their WebPBEConfig configs and register them somewhere in our application. This context listener will be unnecessary if we are using the Spring Framework.

  • A filter, org.jasypt.web.pbeconfig.WebPBEConfigFilter, which will prevent any user from accessing the web application until the encryption passwords have been set by the admin.

  • A servlet, org.jasypt.web.pbeconfig.WebPBEConfigServlet, which will show the authorised user a form with which he/she can set the encryption passwords for all encryptors with a WebPBEConfig.

Please read it completely in the documentation.

Upvotes: 1
