
I have been asked to add Spring Security in a project. Previously, hashing was done manually like this:

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.UnavailableException;
import sun.misc.BASE64Encoder;

public final class PasswordEncryption
{
  private static PasswordEncryption instance;
  private PasswordEncryption() 
  {
  }
  public synchronized String encrypt(String plaintext) throws UnavailableException
  {
    MessageDigest md = null;
    try
    {
      md = MessageDigest.getInstance("SHA-256"); //step 2
    }
    catch(NoSuchAlgorithmException e)
    {
      // every JRE ships SHA-256, but never continue with a null digest
      throw new UnavailableException("SHA-256 not available: " + e.getMessage());
    }
    try
    {
      md.update(plaintext.getBytes("UTF-8")); //step 3
    }
    catch(UnsupportedEncodingException e)
    {
      throw new UnavailableException(e.getMessage());
    }
    byte raw[] = md.digest(); //step 4: 32 raw digest bytes, no salt
    String hash = (new BASE64Encoder()).encode(raw); //step 5: sun.misc, JDK-internal; 44-char Base64, no line break
    return hash; //step 6
  }
  public static synchronized PasswordEncryption getInstance() //step 1
  {
    if(instance == null)
    {
      instance = new PasswordEncryption(); // original returned a new object without caching it
    }
    return instance;
  }
}

Now I have changed it to this:

<authentication-manager>
    <authentication-provider>
        <password-encoder hash="sha-256" base64="true" />
        <jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="
          select username, password, status 
          from user where email = ?" />
    </authentication-provider>
</authentication-manager>

When I try to log in, I get the error "Bad credentials". I have checked the query; it is correct and returns the correct value. So I figure the problem must be in hashing.

  • Does the status column map to the 'enabled' spring security field? Is the email same as username? What if you change the query to "select username, password, status as enabled from user where email = ?" – indybee Feb 10 '14 at 14:25
  • Have you tried encoding a known password with Spring Security's `ShaPasswordEncoder` and checked that it produces the same value as you have stored for the user? – Shaun the Sheep Feb 10 '14 at 22:42
  • @LukeTaylor I tried it. It seems that Spring Security's `ShaPasswordEncoder.encodePassword` requires a default salt but my password encryptor does not. How should I get around this? – khateeb Feb 28 '14 at 10:38
  • @indybee Yes, status maps to enabled. Email is not the same as username. Still can't login after changing query as problem is in encoding. – khateeb Feb 28 '14 at 10:39
  • @khateeb No it doesn't. The salt can be null. It's also trivial to implement your own `PasswordEncoder` using the code you have above. However a plain SHA hash is a poor choice security-wise. You should look into [migrating your users to BCrypt](http://stackoverflow.com/a/17348888/241990). – Shaun the Sheep Feb 28 '14 at 16:33
  • @LukeTaylor How do I use a null salt in xml? I have done it in Java but don't know in XML. – khateeb Mar 03 '14 at 09:20
  • I don't really know what you mean. It's a parameter passed to a Java method. You don't need to set anything in XML. – Shaun the Sheep Mar 03 '14 at 15:36
  • @LukeTaylor In this line ``it automatically takes a salt. How do I make this take a null salt? – khateeb Mar 04 '14 at 03:59
  • I don't know what you mean by "it automatically takes a salt". As it stands, that configuration should produce plain unsalted SHA hashes. – Shaun the Sheep Mar 04 '14 at 12:57
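The check suggested in the comments, written out as an added example (not code from the question or from Spring Security itself): it hashes one constructed password with the legacy recipe and with `ShaPasswordEncoder`, the class behind `<password-encoder hash="sha-256" base64="true"/>`, with a null salt and with a salt, and compares the results. It assumes spring-security-core 3.x on the classpath and Java 8 for `java.util.Base64`; the password and salt values are made up.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;

public class HashCompatibilityCheck {

    // What the legacy PasswordEncryption class stores:
    // Base64(SHA-256(UTF-8 bytes of the password)), unsalted.
    static String legacyHash(String plaintext) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] raw = md.digest(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(raw);
    }

    // What the XML namespace builds for hash="sha-256" base64="true":
    // ShaPasswordEncoder(256) with Base64 output. With no <salt-source>
    // the salt passed in is null and the input bytes are the bare password;
    // with a salt, Spring hashes "password{salt}" instead.
    static String springHash(String plaintext, Object salt) {
        ShaPasswordEncoder encoder = new ShaPasswordEncoder(256);
        encoder.setEncodeHashAsBase64(true);
        return encoder.encodePassword(plaintext, salt);
    }

    // Constant-time comparison so the check does not leak timing information.
    static boolean matches(String stored, String candidate) {
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     candidate.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String password = "correct horse";     // constructed sample password
        String stored = legacyHash(password);  // stands in for the DB column

        System.out.println("legacy          : " + stored);
        System.out.println("spring, no salt : " + springHash(password, null));
        System.out.println("spring, salted  : " + springHash(password, "user@example.com"));

        // Expect true for the null-salt case: both encoders digest identical bytes.
        // Expect false once a salt is involved: every stored legacy value would
        // then fail authentication with "Bad credentials".
        System.out.println("null-salt match : " + matches(stored, springHash(password, null)));
        System.out.println("salted match    : " + matches(stored, springHash(password, "user@example.com")));
    }
}
```

If the null-salt line prints true for a password whose stored value came from the old class, the hashing is compatible and the failure lies elsewhere (for example in which column the `users-by-username-query` returns as the username).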
