Spring Security is a popular Java web application framework that protects web applications against authentication and authorization attacks. It works by performing claims based access control and by providing a view of the logged in user. In this post, we will explore how to implement a custom password encoder in Spring Security.
Many organizations today are still using the default password encoder that Spring Security uses by default. Request parameters are encoded as a base64 string. This is a very weak encoding when it come to password security.
The Spring Security framework is a very popular solution for securing your application in the Java EE 5 and 6 world. One issue with Spring Security is that it uses a proprietary cryptographic algorithm for encrypting passwords. Today, the default algorithm used in Spring Security framework is still the standard PBKDF2. The problem is that it is known to be vulnerable to rainbow table attacks.
In this tutorial, you will learn how to create a custom password encryptor in a Spring Boot application using Spring Security.
Table of contents
- Create a Spring Boot project and add the database connection properties.
- Add a user template.
- Make a user deposit.
- Implement a custom PasswordEncoder.
- Create a service class implementing UserDetailService
- Add a configuration class that extends the WebSecurityConfigurerAdapter.
- Create a user controller class.
- Job interview.
Creating a Spring Boot project and adding database connection properties Go to Spring Initializr and create a Spring Boot project with the Maven Spring Web, Spring Security, Spring Data JPA, and MySQL Driver dependencies.
Connection characteristics
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver spring.datasource.url=jdbc:mysql://localhost:3306/user_database spring.datasource.username=username spring.datasource.password=password spring.jpa.hibernate.ddl-auto=create spring.jpa.show-sql=true
Add a user template
The User class creates an instance of user data. import javax.persistence.*; @Entity @Table(name = user) public class User { @Id @GeneratedValue(strategy = GenerationType.AUTO) @Column(name = id) private int id ; @Column(name = first name) private String first name ; @Column(name = lastName) private String lastName ; @Column(name = email) private String email ; @Column(name = username) private String username ; @Column(name = password) private String password ; //Generates getter, setter, construc and toString methods }
Create a custom archive
UserRepository class to store and retrieve a user object in the database. @Repository public interface UserRepository extends JpaRepository<User,Integer> { }
Implementing a user password recorder
Here is an example of a class that implements the PasswordEncoder interface. We will use this class to implement our own password encoder. PasswordEncoder is a Spring Security interface that we can use to give our class an implementation of our own password encoder. Implementation options for the password encoder include BcryptPasswordEncoder, NoOpPasswordEncoder, and StandardPasswordEncoder. Standard and custom implementations must override the encode and matches methods of the password encoder. The encryption method encrypts the raw password. As a general rule, a good encryption algorithm uses a SHA-1 hash or higher in combination with a randomly generated salt of 8 bytes or more. The match method checks that the encrypted password retrieved from the archive matches the raw password submitted after it was encrypted. Returns true if the password matches, false if it does not. The stored password itself is not decrypted. To use this password encoder, you create a custom password bean and integrate it into the user service, where the user’s password is encrypted before being stored in the database. public class CustomPasswordEncoder implements PasswordEncoder { @Override public String encode(CharSequence plainTextPassword) { return BCrypt.hashpw(plainTextPassword.toString(),BCrypt.gensalt(8)); } @Override public boolean matches(CharSequence plainTextPassword, String passwordInDatabase) { return BCrypt.checkpw(plainTextPassword.toString(),passwordInDatabase); } }
Create a service class that implements UserDetailService
UserDetailService provides a method to search for a user based on their name. The method finds the user during authentication, but since our interest lies in encrypting the password, we will return the user data and credentials as null.
Methods of recording and retrieval
The register method retrieves the user object from the controller, encrypts the password in unencrypted text, and then stores the user in the database. The find method returns a user object to the controller, which can then be accessed from the client using postman. @Service public class UserService implements UserDetailsService {. private UserRepository userRepository ; private CustomPasswordEncoder customPasswordEncoder ; @Autowired public UserService(UserRepository userRepository, @Lazy CustomPasswordEncoder customPasswordEncoder){ this.userRepository = userRepository; this.customPasswordEncoder = customPasswordEncoder ; } public void registerUser(user user) { user newUser = new User(); newUser.setId(user.getId()); newUser.setFirstName(user.getFirstName()); newUser.setLastName(user.getLastName()); newUser.setEmail(user.getEmail()); newUser.setUsername(user.getUsername()); newUser.setPassword(customPasswordEncoder.encode(user.getPassword()); userRepository.save(newUser) ; } public User findUserById(id) { return userRepository.findById(id) .orElseThrow() -> new NullPointerException(User not found)); } @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = new User(); return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(),Collections.emptyList()) } }
Create a class that extends the WebSecurityConfigurerAdapter
WebSecurityConfigurerAdapter is a handy base class for creating an instance of WebSecurityConfigurerAdapter. The Dao authentication provider retrieves the user’s data from the user’s data service. The creator of the authentication manager adds authentication providers. HTTP Security allows you to configure web security for specific HTTP requests. By creating a password encoding bean, we can integrate it into the user service class to encrypt the user’s password. @Configuration @EnableWebSecurity public class CustomPasswordEncoderConfig extends WebSecurityConfigurerAdapter { private UserService userService ; @Autowired public CustomPasswordEncoderConfig(UserService userService){ this.userService = userService; } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(daoAuthenticationProvider()); } @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); http.authorizeRequests() .antMatchers(/user/**) .permitAll(); } @Bean public DaoAuthenticationProvider daoAuthenticationProvider(){ DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider(); daoAuthenticationProvider.setPasswordEncoder(customPasswordEncoder()); daoAuthenticationProvider.setUserDetailsService(userService); return daoAuthenticationProvider; } @Bean public CustomPasswordEncoder customPasswordEncoder(){ return new CustomPasswordEncoder(); } }
Creating a user controller class
/user/register – Create a new user object. /user/find/{id} – retrieves the user’s instance. @RestController @RequestMapping(/user) public class UserController {. private UserService userService ; @Autowired public UserController(UserService userService){ this.userService = userService; } @PostMapping(/register) public void registerUser(@RequestBody User user){ userService.registerUser(user); } @GetMapping(/find/{id}) public User findUserById(@PathVariable(id) int id){ return userService.findUserById(id); } }
Application test
Create a new user object with postman with the following reference. http://localhost:8080/user/register Retrieve the user object and notice that the password is now encrypted. http://localhost:8080/user/find/1
Supplement
Password encryption is a security measure that protects the integrity and confidentiality of data from intruders. The security should also protect against other types of vulnerabilities, such as cross-site scripting, SQL injection, denial-of-service and cross-site query spoofing. To secure our application, we need to enable the strong authentication and authorization mechanism and provide a password hash.For many, choosing good passwords is a struggle, and it can be especially difficult for those who use the same password to secure different services or who do not have a good password manager that they can rely on. The secure password encoder is an easy-to-use tool that allows users to encode their passwords into a secure string without having to type the actual password.. Read more about spring security password encryption example and let us know what you think.
Related Tags:
spring security password encoderspring security password encoder sha256bcryptpasswordencoderbcrypt password encoderspring security decrypt passwordspring security password encryption and decryption example,People also search for,Privacy settings,How Search works,spring security password encoder,spring security password encryption and decryption example,spring security password encoder sha256,spring security password encryption example,password encryption and decryption in spring mvc,bcryptpasswordencoder,bcrypt password encoder,spring security decrypt password