Spring Security:password encoding in DB and in applicationContext

by

If you are choosing a hashing system yourself, rather than building an app using an existing database which already contains hashed passwords, then you should make sure your hashing algorithm also uses a salt. Don’t just use a plain digest.

A good choice is bcrypt, which we now support directly in Spring Security 3.1 via the BCryptPasswordEncoder (implemented using jBCrypt). This automatically generates a salt and concatenates it with the hash value in a single String.

Some databases have built-in support for hashing (e.g. Postgres). Otherwise, you need to hash the password yourself before passing it to JDBC:

String password = "plaintextPassword";
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String hashedPassword = passwordEncoder.encode(password);

That’s all you need to do to encode the passwords when you create a user.

For authentication, you would use something like:

<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<bean id="authProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="yourJdbcUserService" />
  <property name="passwordEncoder" ref="encoder" />
</bean>

More Related Contents:

  1. Best way to store password in database [closed]
  2. Spring Security 3 database authentication with Hibernate
  3. What is the best way to keep passwords configurable, without having them too easily available to the casual human reader?
  4. How to login and authenticate to Postgresql after a fresh install?
  5. Display dynamic image from database or remote source with p:graphicImage and StreamedContent
  6. Version of SQLite used in Android?
  7. What are the performance characteristics of sqlite with very large database files? [closed]
  8. Primary keys with Apache Spark
  9. What are database normal forms and can you give examples? [closed]
  10. Exposing database IDs – security risk?
  11. How can I put a database under git (version control)?
  12. Multiple schemas versus enormous tables [closed]
  13. Techniques for database inheritance?
  14. Frontend tool to manage H2 database [closed]
  15. How to disable Django query cache?
  16. Deciding between an artificial primary key and a natural key for a Products table
  17. Django’s ManyToMany Relationship with Additional Fields
  18. data block size in HDFS, why 64MB?
  19. Log to a database using log4j
  20. How should international geographical addresses be stored in a relational database?
  21. Is there any option for local database like Sqlite for j2me – CLDC devices?
  22. How can I solve Postgresql SCRAM authentication problem?
  23. What is the difference between Non-Repeatable Read and Phantom Read?
  24. Ideas on database design for capturing audit trails [closed]
  25. I need a client side browser database. What are my options [closed]
  26. How does the HyperLogLog algorithm work?
  27. Android: Where are database files stored?
  28. List of standard lengths for database fields
  29. How to find SQLITE database file version
  30. Oracle: How do I convert hex to decimal in Oracle SQL?

Leave a Comment