1

I am encrypting the security in my web page with MD5 and I'm using the following code.

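    import java.math.BigInteger;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    public static String stringToMD5(String password)
    {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("MD5");
            // Hash the full encoded byte array: password.length() counts chars,
            // not bytes, and truncates non-ASCII input.
            byte[] digest = messageDigest.digest(password.getBytes(StandardCharsets.UTF_8));
            // %032x left-pads with as many zeros as needed, not just one.
            return String.format("%032x", new BigInteger(1, digest));
        } catch (NoSuchAlgorithmException e) {
            // Fail loudly instead of returning the plaintext password.
            throw new IllegalStateException("MD5 not available", e);
        }
    }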

But because of a custom way to log in, I had to develop a custom AbstractAuthenticationProcessingFilter, and now I have to decrypt that MD5.

So the question is how to decrypt the MD5 produced by that function.

Thanks in advance.

IturPablo

1 Answer

2

MD5 is a one-way algorithm. This is not a one-to-one mapping. There is no way to decrypt its output.

When working with stored MD5 encrypted passwords, you must authenticate users by encrypting their input and comparing the result to the stored encrypted password.

Dmitry Ovsyanko
  • Is there any other way to encrypt the password that is supported by spring security that could be decrypted? – IturPablo May 01 '12 at 16:02
  • Quote from http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/authentication/encoding/PasswordEncoder.html: "*This will generally be a one-way* message digest such as MD5 or SHA, but may also be a plaintext variant which does no encoding at all, but rather returns the same password it was fed. The latter is useful to plug in when the original password must be stored as-is." – Dmitry Ovsyanko May 01 '12 at 16:07
  • Thanks Dmitry, so I guess spring security only supports password-encoder MD5 - SHA one-way encrypting. Am I right? Anyway, thanks. – IturPablo May 01 '12 at 16:13
  • AFAIK, in general, the ability for an admin to restore users' original passwords is considered very bad practice. This is why one-way hashing functions are used in such authentication schemes. Spring just follows the common rule. – Dmitry Ovsyanko May 01 '12 at 16:18
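
The hash-and-compare check the answer describes, as an added example that is not part of the original posts. It assumes the stored values are 32-character MD5 hex strings of the UTF-8 encoded password; the class and method names are hypothetical.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

// Added example (hypothetical names): verify a login attempt against a stored
// MD5 hex digest by hashing the submitted value; nothing is ever "decrypted".
public class Md5PasswordCheck {

    // Produces the same format the question's function aims for:
    // 32 lowercase hex characters, zero-padded on the left.
    static String md5Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            return String.format("%032x", new BigInteger(1, digest));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    // Hash what the user typed and compare it with the stored hash.
    static boolean matches(String submittedPassword, String storedHashHex) {
        if (submittedPassword == null || storedHashHex == null) {
            return false;
        }
        byte[] computed = md5Hex(submittedPassword).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedHashHex.toLowerCase(Locale.ROOT)
                                     .getBytes(StandardCharsets.US_ASCII);
        // isEqual does not stop at the first differing byte, so response
        // timing does not reveal how much of the hash matched.
        return MessageDigest.isEqual(computed, stored);
    }

    public static void main(String[] args) {
        // Constructed sample: the value a user table would hold for this password.
        String stored = md5Hex("s3cret-pass");
        System.out.println("correct password accepted: " + matches("s3cret-pass", stored));
        System.out.println("wrong password accepted:   " + matches("wrong-guess", stored));
        // Stored hashes written in upper case still compare equal.
        System.out.println("upper-case stored hash:    "
                + matches("s3cret-pass", stored.toUpperCase(Locale.ROOT)));
    }
}
```

A custom authentication filter would call `matches` with the submitted password and the hash loaded for that user, and reject the login when it returns false.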