ajm

Reputation: 13213

How to match old password while changing password in spring security?

I am using Spring Security in a Java-based web application. I need to create a change password screen where the user will have to type in the old password to confirm.

I need to check if the old password typed in by the user matches his old password in the db.

How do I do it in Spring Security?

Below is my spring security java config.

import java.util.ArrayList;
import java.util.List;

import org.jasypt.digest.PooledStringDigester;
import org.jasypt.salt.RandomSaltGenerator;
// Jasypt's PasswordEncoder adapter; this import assumes the jasypt-springsecurity4 module.
import org.jasypt.springsecurity4.crypto.password.PasswordEncoder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.expression.WebExpressionVoter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private AccessDecisionManager accessDecisionManager;

    // AccessDecisionVoterImpl is the application's own voter class (not shown here).
    @Bean
    @Autowired
    public AccessDecisionManager accessDecisionManager(AccessDecisionVoterImpl accessDecisionVoter) {
        List<AccessDecisionVoter<?>> accessDecisionVoters = new ArrayList<AccessDecisionVoter<?>>();
        accessDecisionVoters.add(new WebExpressionVoter());
        accessDecisionVoters.add(new AuthenticatedVoter());
        accessDecisionVoters.add(accessDecisionVoter);
        UnanimousBased accessDecisionManager = new UnanimousBased(accessDecisionVoters);
        return accessDecisionManager;
    }

    @Override
    @Autowired
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    // Jasypt adapter that lets Spring Security verify logins against the digester below.
    @Bean
    public PasswordEncoder passwordEncoder(){
        PasswordEncoder passwordEncoder = new PasswordEncoder();
        passwordEncoder.setStringDigester(stringDigester());
        return passwordEncoder;
    }

    // Salted, iterated SHA-256 digester; the same bean is used to hash and to verify passwords.
    @Bean
    public PooledStringDigester stringDigester() {
        PooledStringDigester psd = new PooledStringDigester();

        psd.setPoolSize(2);
        psd.setAlgorithm("SHA-256");
        psd.setIterations(1000);
        psd.setSaltSizeBytes(16);
        psd.setSaltGenerator(randomSaltGenerator());

        return psd;
    }

    @Bean
    public RandomSaltGenerator randomSaltGenerator() {
        RandomSaltGenerator randomSaltGenerator = new RandomSaltGenerator();
        return randomSaltGenerator;
    }
}

Also, when a new user is created I set his password as below.

user.setPassword(passwordUtils.encryptUserPassword(user.getPassword()));


import org.jasypt.digest.PooledStringDigester;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component("passwordUtil")
public class PasswordUtils {

    @Autowired
    private PooledStringDigester _stringDigester;

    // Returns the salted digest (a fresh random salt is generated on every call).
    public String encryptUserPassword(String originalPassword) {
        String encryptedPassword = _stringDigester.digest(originalPassword);
        return encryptedPassword;
    }
}

Upvotes: 0

Views: 3333

Answers (1)

shazin

Reputation: 21883

Query the password stored in the db by using username/email/user id, and finally write a function in PasswordUtils which makes use of PooledStringDigester.matches:

// newPassword is the plain-text password typed by the user;
// passwordFromDb is the salted digest stored for that user.
public boolean isPasswordsMatch(String newPassword, String passwordFromDb) {
    return _stringDigester.matches(newPassword, passwordFromDb);
}

Upvotes: 2
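As an added example (not code from the question or the answer), here is a change-password service that applies the answer end to end: it takes the account from the Spring Security context, verifies the typed old password with the digester's matches(), and only then stores a new digest. The in-memory map and the "alice" account are constructed stand-ins for the question's database table; the digester uses the question's settings.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.jasypt.digest.PooledStringDigester;
import org.jasypt.salt.RandomSaltGenerator;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class ChangePasswordService {
    // In-memory stand-in for the question's user table (constructed for this example).
    private final Map<String, String> digestByUsername = new HashMap<>();
    private final PooledStringDigester digester;
    public ChangePasswordService(PooledStringDigester digester) { this.digester = digester; }
    public void createUser(String username, String password) {
        digestByUsername.put(username, digester.digest(password));
    }

    // Returns true only when the typed old password matches the stored digest. The account
    // is taken from the security context, never from a request parameter, so a logged-in
    // user can only change their own password.
    public boolean changePassword(String typedOldPassword, String newPassword) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) return false;
        String storedDigest = digestByUsername.get(auth.getName());
        // matches() reads the random salt embedded in the stored digest and re-runs the same
        // SHA-256/1000-iteration digest; digest(typedOldPassword) would get a new salt and so
        // could never be compared to the stored string directly.
        if (storedDigest == null || !digester.matches(typedOldPassword, storedDigest)) return false;
        // The replacement digest gets a fresh random salt from the digester.
        digestByUsername.put(auth.getName(), digester.digest(newPassword));
        return true;
    }
    public static void main(String[] args) {
        PooledStringDigester psd = new PooledStringDigester();   // same settings as the question
        psd.setPoolSize(2);
        psd.setAlgorithm("SHA-256");
        psd.setIterations(1000);
        psd.setSaltSizeBytes(16);
        psd.setSaltGenerator(new RandomSaltGenerator());
        ChangePasswordService service = new ChangePasswordService(psd);
        service.createUser("alice", "old-secret");   // constructed sample account
        // Simulate an authenticated session; in the web app Spring Security populates this.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("alice", null, Collections.emptyList()));
        System.out.println("wrong old password accepted: " + service.changePassword("wrong-guess", "new-secret"));
        System.out.println("correct old password accepted: " + service.changePassword("old-secret", "new-secret"));
    }
}
```

A rejected old password is a useful audit event on its own, since it can indicate someone else acting on a left-open session; log the outcome, never the password values.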
