17

I have a Java web application using the Spring framework and Spring Security for its login. In my database I have my passwords encrypted to MD5 before being saved. I added this code to my application-config.xml:

    <security:authentication-provider>
        <security:password-encoder hash="md5"/>
        <security:jdbc-user-service
                data-source-ref="dataSource"
                users-by-username-query="select user_name username, user_password password, 1 enabled from users where user_name=?"
                authorities-by-username-query="select username, authority from authorities where username=?" />
    </security:authentication-provider>

At first it worked, when the passwords in the db were not encrypted. But when I encrypted them and added this snippet to my application config

      <security:password-encoder hash="md5"/>

I am not able to login.

Martin Thorsen Ranang
cedric

3 Answers

48

I realize this is a little late, but Spring has built-in classes that make this a lot easier.

import static org.junit.Assert.assertEquals;

import org.junit.Test;
// Spring Security 3.x packages (2.x had them under org.springframework.security.providers.encoding)
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.authentication.encoding.PasswordEncoder;

@Test
public void testSpringEncoder() {
    PasswordEncoder encoder = new Md5PasswordEncoder();
    // second argument is the salt; null means unsalted, matching hash="md5" in the config
    String hashedPass = encoder.encodePassword("koala", null);

    assertEquals("a564de63c2d0da68cf47586ee05984d7", hashedPass);
}

This is a unit test that I wrote using the built-in Spring Security code. It is a lot smaller than the MessageDigest code, and since you are using Spring Security already, you should already have the classes in your classpath.

bh5k
  • This is the best answer. Clean and easy with Spring. – Georgie Porgie Jul 29 '11 at 20:54
  • Here's [another answer](http://stackoverflow.com/questions/7378107/hashing-and-salting-passwords-with-spring-security-3) with a bit more detail on how to use it neatly in your Spring application. – chrisjleu May 22 '12 at 17:56
6

How are you creating your MD5 hashes? Something like the following works well in Java:

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

MessageDigest messageDigest = MessageDigest.getInstance("MD5");
// hash the UTF-8 bytes of the password (byte count, not character count)
messageDigest.update(user.getPassword().getBytes(StandardCharsets.UTF_8));
String hashedPass = new BigInteger(1, messageDigest.digest()).toString(16);
// BigInteger drops leading zero nibbles; left-pad until all 32 hex digits are present
while (hashedPass.length() < 32) {
    hashedPass = "0" + hashedPass;
}

When you encode "koala" do you get "a564de63c2d0da68cf47586ee05984d7"?

labratmatt
  • Ah ok, I missed the 16 in messageDigest.digest()).toString(16). Thanks. – cedric Dec 01 '09 at 06:47
  • Actually, there can be less than 31 symbols, so this won't work in some situations (very rare). You have to add "0" as long as you don't have 32 symbols. – Eugene Nacu Oct 01 '12 at 08:39
5

Have you read the section 6.3.3 Hashing and Authentication of the Spring Security reference manual? It mentions some possible issues that you might encounter when using password hashing.

Some possibilities it listed:

  • The database password hash might be in Base64, while the result from MD5PasswordEncoder is a hexadecimal string
  • Your password hash might be in upper case, while the result from the encoder is a lower-case string
DJ.
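Pulling the second and third answers together, here is an added example (not code from the answers above or from Spring Security) that hex-encodes the MD5 digest per byte so leading zeros survive, shows where the BigInteger shortcut loses a digit, and normalises a stored hash that is upper-case hex or Base64 before comparing it with the encoder output. The `pw0`, `pw1`, ... candidates and the stored values are constructed for the demonstration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class Md5HashCheck {

    static byte[] md5(String password) throws Exception {
        return MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
    }

    /** Hex per byte: always 32 lower-case digits, leading zeros kept. */
    static String toHex(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** The BigInteger shortcut from the second answer: drops leading zero nibbles. */
    static String toHexViaBigInteger(byte[] digest) {
        return new BigInteger(1, digest).toString(16);
    }

    /**
     * Bring a stored hash to lower-case hex before comparing it with the encoder output.
     * Handles the two mismatches the reference manual lists: upper-case hex and Base64.
     */
    static String normaliseStoredHash(String stored) {
        String s = stored.trim();
        if (s.matches("[0-9a-fA-F]{32}")) return s.toLowerCase();
        if (s.matches("[A-Za-z0-9+/]{22}==")) return toHex(Base64.getDecoder().decode(s));
        throw new IllegalArgumentException("unrecognised hash format: " + stored);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(toHex(md5("koala"))); // compare with the value quoted in the answers
        // Constructed candidates: find one whose digest starts with a zero nibble, where
        // BigInteger yields 31 characters and a stored 32-character hash never matches.
        for (int i = 0; i < 10000; i++) {
            byte[] d = md5("pw" + i);
            if (toHexViaBigInteger(d).length() != 32) {
                System.out.printf("pw%d: %s vs %s%n", i, toHex(d), toHexViaBigInteger(d));
                break;
            }
        }
        // Constructed stored values: the koala hash as upper-case hex and as Base64.
        System.out.println(normaliseStoredHash("A564DE63C2D0DA68CF47586EE05984D7"));
        System.out.println(normaliseStoredHash("pWTeY8LQ2mjPR1hu4FmE1w=="));
    }
}
```

Roughly one password in sixteen has a digest starting with a zero nibble, so the loop finds a failing case almost immediately; that is the "very rare" situation Eugene Nacu's comment refers to.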