4

I would like to know whether Spring / Spring Security provide a means to Encrypt / Decrypt a password.

The scenario would basically be to encrypt the password and store it in the DB, and perform a user authentication against the same on login.

Vivek
  • 3
    Generally, passwords should be hashed rather than encrypted and decrypted. You compare the hashes to see whether the user entered value is correct. – Rich O'Kelly Jan 19 '12 at 14:34
  • @rich.okelly Can you provide any example in that direction – Vivek Jan 19 '12 at 14:41
  • SO can help here - see http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it – Rich O'Kelly Jan 19 '12 at 14:44
  • Stored passwords should be hashed and [salted](http://en.wikipedia.org/wiki/Salt_%28cryptography%29). There should be no reasonable way to reconstruct the original password from the contents of the DB; all you need to be able to do is verify the entered password matches. – earcam Dec 02 '14 at 11:37

3 Answers

3

The Jasypt project is a library that simplifies encryption. You can find a number of examples of Spring-based password encoders in "Integrating Jasypt with Spring Security 2.x or 3.x (or Acegi 1.x)". Here are other tutorials:

http://blog.teamextension.com/quick-jasypt-spring-3-tutorial-626

http://chrislovecnm.com/2011/06/16/encrypting-spring-3-java-based-configurations-values-with-jasypt/

abishkar bhattarai
  • These are just links to the documentation, which could break. Care to elaborate a bit? Show one of the examples in your answer? Otherwise, your answer will likely be removed, as we have a serious problem with link rot. – Tim Post Dec 12 '12 at 12:38
3

Take a look at the PasswordEncoder.

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-services.html

Ortwin Angermeier
  • +1 for Spring Security. Also take a look at integrating Jasypt for the actual encoding - http://stackoverflow.com/a/3771336/114340 – AngerClown Jan 19 '12 at 16:03
  • But this would help in encoding the password. How can I decode the password? It's part of my requirement. – Vivek Jan 19 '12 at 16:46
  • You do not decode the password. You save the hash of the user's password in your db. To verify the user's password you compute the user's input again with the same hash algorithm and then compare the stored hash value against the calculated hash value. – Ortwin Angermeier Jan 19 '12 at 16:53
  • Yes, that's right, but I have to decode the password in the scenario when I want to connect to a database, the password of which is present in an encoded form. – Vivek Jan 19 '12 at 17:01
  • Is it user passwords or database passwords that you want to encrypt? User passwords should not be decryptable. – sourcedelica Jan 19 '12 at 21:58
  • @Vivek It's not clear what your usage scenario is; in your original post you want to authenticate users against a password you have stored in a DB. In that case use the PasswordEncoder to store a hash of the password in the database. For symmetric encryption, where you need to be able to get the plaintext back, see the equivalent [TextEncryptor](http://static.springsource.org/spring-security/site/docs/3.2.x/reference/crypto.html) interface. – dan carter Jul 21 '13 at 22:07
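
The two cases separated in the comments above, side by side, as an added example that is not part of any post in this thread: a one-way salted hash for user passwords via `PasswordEncoder`, and reversible encryption for a service credential via `TextEncryptor`. It assumes a recent `spring-security-crypto` on the classpath; the class name, the sample passwords and the `CONFIG_KEY` environment variable are hypothetical.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.KeyGenerators;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordStorageDemo {

    public static void main(String[] args) {
        // --- User passwords: one-way, salted hash (never decrypted) ---
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Registration: store only this string in the users table.
        String stored = encoder.encode("correct horse battery staple"); // constructed sample

        // The salt is random and embedded in the output, so hashing the same
        // password twice gives different strings; equals() cannot be used to verify.
        String again = encoder.encode("correct horse battery staple");
        System.out.println("hashes differ:  " + !stored.equals(again));

        // Login: matches() re-hashes the submitted value with the stored salt.
        System.out.println("right password: " + encoder.matches("correct horse battery staple", stored));
        System.out.println("wrong password: " + encoder.matches("Tr0ub4dor&3", stored));

        // --- Service credential (e.g. a JDBC password): reversible encryption ---
        // Assumption: the key is supplied from outside the database and the
        // config file, here through a hypothetical CONFIG_KEY variable.
        String key = System.getenv("CONFIG_KEY");
        if (key == null) {
            key = "demo-only-key"; // constructed fallback so the demo runs offline
        }
        // Hex-encoded random salt; it is not secret and is kept beside the ciphertext.
        String salt = KeyGenerators.string().generateKey();

        // delux() is password-based AES in GCM mode, so tampering with the
        // ciphertext makes decrypt() fail instead of returning garbage.
        TextEncryptor encryptor = Encryptors.delux(key, salt);
        String ciphertext = encryptor.encrypt("jdbc-password"); // constructed sample
        System.out.println("decrypts back:  " + "jdbc-password".equals(encryptor.decrypt(ciphertext)));
    }
}
```

Anyone who obtains both the key and the ciphertext recovers the service credential, which is why this second form is unsuitable for user passwords.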
0

In case of securing access to a database, LDAP or other resources, nowadays you can use Spring Boot Cloud CLI for password encryption and decryption:

```
$ spring encrypt mysecret --key foo
682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda

$ spring decrypt --key foo 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
mysecret
```

Later you can use these passwords in Spring Cloud Config.

tomikmar