
I'm using Spring Boot, Spring MVC 4, Spring Security 4 and MySQL as my data store for a new web app, and I have two questions:

  1. I've never used Spring Security before, but after seeing it, I have a question regarding the queries used to find users' authorities: why does it use the username instead of the user id? I mean, searching for authorities based on user id is much faster and gives the ability to change the username in the future. I tried to override the usersByUsernameQuery and the authoritiesByUsernameQuery to use the user id instead, but it didn't work (and even if it worked, the name of the method is bugging me)... so can someone please explain to me why they used the username?

  2. In the previous PHP web apps that I worked on, we used to store the salt in the DB along with the password if we wanted to use BCrypt... but I notice that this column is not required in Spring... so is the salt part of the encryption, and does Spring internally know how to use it, so that I shouldn't worry about the number of iterations, the cost and salt storage?


1 Answer


1) I do not understand this question, since if you have to find the authorities of a user called "Quentin", how do you know the id of "Quentin"?

Please have a look at the query I use to retrieve a user at logon:

<authentication-manager>
    <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="SELECT username, password, CASE enabled WHEN 1 THEN 'true' ELSE 'false' END 'enabled' FROM users WHERE BINARY username=?"
            authorities-by-username-query="SELECT username, authority FROM users WHERE BINARY username=?"
            id="jdbcUserService" />
        <password-encoder ref="passwordEncoder" hash="bcrypt" />
    </authentication-provider>
</authentication-manager>

<beans:bean id="passwordEncoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

2) The salt is saved together with the password. There is an amazing explanation here on how this is done.
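Added example (not from the answer and not Spring's own code): a small parser showing what the single string that BCryptPasswordEncoder writes into the password column actually contains, which is why no separate salt column is needed, together with a check that flags stored hashes whose cost factor is below a chosen policy. The stored value and the policy threshold are constructed for illustration and do not correspond to any real password.

```python
import re

# Constructed sample in bcrypt's modular crypt format:
#   "$" + version + "$" + two-digit cost + "$" + 22-char salt + 31-char hash
# The salt and hash characters are made-up placeholders, not a hash of a real password.
SAMPLE_STORED_PASSWORD = "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

# Legacy-style value (constructed) that is NOT bcrypt: a bare hex digest with no embedded salt.
SAMPLE_LEGACY_HEX = "5f4dcc3b5aa765d61d8327deb882cf99"

# bcrypt uses its own base64 alphabet (./A-Za-z0-9); salt is 22 chars, hash is 31 chars.
_BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(stored: str) -> dict:
    """Split a stored bcrypt string into version, cost, salt and hash.

    Because all four pieces live in the one column, a verifier only needs the
    stored string plus the candidate password: it reads the cost and salt from
    the string, recomputes the hash and compares.
    """
    m = _BCRYPT_RE.fullmatch(stored)
    if m is None:
        raise ValueError("value is not in bcrypt format")
    version, cost, salt, digest = m.groups()
    return {
        "version": version,
        "cost": int(cost),          # log2 of the number of key-expansion rounds
        "rounds": 2 ** int(cost),
        "salt": salt,
        "hash": digest,
    }


def is_bcrypt(stored: str) -> bool:
    """True if the stored value carries its own salt and cost (bcrypt format)."""
    return _BCRYPT_RE.fullmatch(stored) is not None


def below_cost_policy(stored: str, minimum_cost: int) -> bool:
    """Flag stored hashes that verify fine but were produced with a weaker cost than policy.

    Old hashes keep verifying because the cost is read from the string itself, so a
    defender has to look for them explicitly and re-hash at the next successful login.
    """
    return parse_bcrypt(stored)["cost"] < minimum_cost
```

Running the parser over the `password` column of the `users` table above is a cheap way to find rows that were migrated from a legacy scheme or hashed with an outdated cost.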
