
URL: https://www.javacodegeeks.com/2016/10/spring-security-custom-password-encoding.html

Spring Security and Custom Password Encoding - Java Code Geeks


In a previous post we added password encoding to our Spring Security configuration using JDBC and MD5 password encoding.

However, in the case of a custom UserDetailsService we need to make some tweaks to our security configuration.
We need to create a DaoAuthenticationProvider bean and set it on the AuthenticationManagerBuilder.

Since we need a custom UserDetailsService, I will use the Spring Security/MongoDB example codebase.

What we have to do is change our Spring Security configuration.

package com.gkatzioura.spring.security.config;

import com.gkatzioura.spring.security.service.CustomerUserDetailsService;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Profile;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * Created by gkatzioura on 10/5/16.
 */
@EnableWebSecurity
@Profile("encodedcustompassword")
public class PasswordCustomEncodedSecurityConfig extends WebSecurityConfigurerAdapter {

    // Custom UserDetailsService that loads users from MongoDB.
    @Bean
    public UserDetailsService mongoUserDetails() {
        return new CustomerUserDetailsService();
    }

    // Provider that combines the custom UserDetailsService with a password encoder.
    @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(mongoUserDetails());
        authProvider.setPasswordEncoder(new BCryptPasswordEncoder());
        return authProvider;
    }

    // Register the provider with the AuthenticationManagerBuilder.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authProvider());
    }

    // Only /public is open; every other request requires authentication.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/public").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .permitAll()
                .and()
                .logout()
                .permitAll();
    }

}

In most cases this works fine. However, we might want to roll our own PasswordEncoder, which is pretty easy.

package com.gkatzioura.spring.security.encoder;

import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Created by gkatzioura on 10/5/16.
 */
public class CustomPasswordEncoder implements PasswordEncoder {

    @Override
    public String encode(CharSequence rawPassword) {

        String hashed = BCrypt.hashpw(rawPassword.toString(), BCrypt.gensalt(12));

        return hashed;
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {

        return BCrypt.checkpw(rawPassword.toString(), encodedPassword);
    }

}

So we will change our configuration in order to use the new PasswordEncoder.

    @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(mongoUserDetails());
        authProvider.setPasswordEncoder(new CustomPasswordEncoder());
        return authProvider;
    }
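
An added example, not from the original post or its GitHub codebase: a variant of the custom encoder whose matches() returns false for stored values that are not bcrypt hashes (BCrypt.checkpw throws IllegalArgumentException on them) and which flags hashes stored with a lower work factor. The class name GuardedBCryptPasswordEncoder, the COST constant and the needsRehash helper are assumptions made for this example.

```java
package com.gkatzioura.spring.security.encoder;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: hypothetical class, not part of the original codebase.
public class GuardedBCryptPasswordEncoder implements PasswordEncoder {

    // Assumed work factor; the same value the article passes to BCrypt.gensalt().
    private static final int COST = 12;

    // The $2a$ form the article's encoder produces: two-digit cost (04-30),
    // then 53 characters of salt and hash in the bcrypt base64 alphabet.
    private static final Pattern BCRYPT =
            Pattern.compile("\\$2a\\$(0[4-9]|[12]\\d|30)\\$[./0-9A-Za-z]{53}");

    @Override
    public String encode(CharSequence rawPassword) {
        return BCrypt.hashpw(rawPassword.toString(), BCrypt.gensalt(COST));
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Treat null, empty, plaintext or legacy (e.g. MD5) stored values as a
        // failed login instead of letting BCrypt.checkpw throw.
        if (rawPassword == null || encodedPassword == null
                || !BCRYPT.matcher(encodedPassword).matches()) {
            return false;
        }
        return BCrypt.checkpw(rawPassword.toString(), encodedPassword);
    }

    // Hypothetical helper: true when the stored value is not a bcrypt hash or
    // uses a cost below COST, so the caller can re-encode the password after
    // a successful login.
    public boolean needsRehash(String encodedPassword) {
        if (encodedPassword == null) {
            return true;
        }
        Matcher m = BCRYPT.matcher(encodedPassword);
        return !m.matches() || Integer.parseInt(m.group(1)) < COST;
    }
}
```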

The next step is to create the encoded password.

    @Test
    public void customEncoder() {

        CustomPasswordEncoder customPasswordEncoder = new CustomPasswordEncoder();
        String encoded = customPasswordEncoder.encode("custom_pass");

        LOGGER.info("Custom encoded "+encoded);
    }

Then add a user with a hashed password to our MongoDB database.

 db.users.insert({"name":"John","surname":"doe","email":"john2@doe.com","password":"$2a$12$qB.L7buUPi2RJHZ9fYceQ.XdyEFxjAmiekH9AEkJvh1gLFPGEf9mW","authorities":["user","admin"]})

All that we need is to change the default profile in our Gradle script and we are good to go.

bootRun {
    systemProperty "spring.profiles.active", "encodedcustompassword"
}

You can find the source code on GitHub.

Reference: Spring Security and Custom Password Encoding from our JCG partner Emmanouil Gkatziouras at the gkatzioura blog.
πŸ‘ Photo of Emmanouil Gkatziouras
Emmanouil Gkatziouras
October 10th, 2016Last Updated: October 8th, 2016
0 118 1 minute read