ev0lution37

Reputation: 1179

Spring Security - Bcrypt with CAS, MySQL, SearchModeSearchDatabaseAuthenticationHandler, and BasicDataSource

If I have a database that stores usernames and passwords encrypted using Spring's Bcrypt encoder, how would I go about decoding it back to plain text within Spring with my current setup?

My MySQL has this table for authentication:

username     |  password     |  enabled
----------------------------------------
varchar(50)  |  varchar(100)  |  tinyint

The password field would contain the Bcrypt password for each user.

Now for CAS's deployerConfigContext.xml.

<bean class="org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler">
    <property name="tableUsers"><value>user_authentication</value></property>
    <property name="fieldUser"><value>username</value></property>
    <property name="fieldPassword"><value>password</value></property>
    <property name="dataSource" ref="dataSource"/>
</bean>

And I defined the dataSource as:

<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName">
        <value>com.mysql.jdbc.Driver</value>
    </property>
    <property name="url">
        <value>jdbc:mysql://localhost:3306/user_mgt</value>
    </property>
    <property name="username"><value>root</value></property>
    <property name="password"><value>test_pw</value></property>
</bean>

I'm not sure if I could implement Bcrypt decoding without customization.

Upvotes: 0

Views: 997

Answers (1)

Bilal BBB

Reputation: 1164

When you use hashed passwords, it is impossible to get the plain text back; for this reason we use hashing algorithms to put hashed passwords. To authenticate users, you have got to compare the hashed password in the database with the hashed password the user enters to connect. Spring Security does it for you; you just have to tell Spring Security that you use BCryptPasswordEncoder in your configuration:

<authentication-manager>
    <authentication-provider>
       .......
       <password-encoder ref="encoder"/>
    </authentication-provider>
</authentication-manager>
.........
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

Please refer to the Spring Security documentation.

Upvotes: 1
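
As an added example (not code from the question or the answer), this Java program shows how a login check against stored bcrypt values works without ever decoding them, and why hashing the input a second time and comparing strings does not work. It assumes spring-security-crypto is on the classpath; the class name, the in-memory map standing in for the user_authentication table, the dummy-hash handling for unknown users, and all sample values are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptLoginCheck {
    private static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Stand-in for the user_authentication table: username -> stored bcrypt value.
    private static final Map<String, String> USERS = new HashMap<>();

    // Hash of a throwaway value, checked when the username is unknown so that
    // both code paths perform one bcrypt computation.
    private static final String DUMMY_HASH = ENCODER.encode("dummy-value-never-used");

    static void register(String username, String rawPassword) {
        // encode() picks a fresh random salt and embeds it in the result.
        USERS.put(username, ENCODER.encode(rawPassword));
    }

    static boolean authenticate(String username, String candidate) {
        String stored = USERS.get(username);
        if (stored == null) {
            ENCODER.matches(candidate, DUMMY_HASH);
            return false;
        }
        // matches() re-hashes the candidate with the salt and cost read from
        // the stored value; nothing is ever decoded back to plain text.
        return ENCODER.matches(candidate, stored);
    }

    public static void main(String[] args) {
        register("alice", "constructed-sample-pw");   // constructed sample data
        String stored = USERS.get("alice");
        String rehashed = ENCODER.encode("constructed-sample-pw");

        System.out.println("stored value          : " + stored);
        System.out.println("second encode() equal : " + stored.equals(rehashed));
        System.out.println("correct password      : " + authenticate("alice", "constructed-sample-pw"));
        System.out.println("wrong password        : " + authenticate("alice", "guess"));
        System.out.println("unknown user          : " + authenticate("bob", "guess"));
    }
}
```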
