Spring Security Custom Authentication and Password Encoding -

-

is there tutorial out there or have pointers on how following spring-security?

task:

i need salt database authenticating username , use encrypt provided password (from login page) compare stored encrypted password (a.k.a. authenticate user).

additional information:

i use custom database structure. userdetails object created via custom userdetailsservice in turn uses custom daoprovider information database.

my security.xml file far:

<authentication-manager>     <authentication-provider user-service-ref="userdetailsservice">     </authentication-provider> </authentication-manager>

now guess i'll need 

        <password-encoder hash="sha" />

but else? how tell spring security use databaseprovided salt in order encode password?

edit:

i found this so post informatative not sufficient: if define salt source in xml used password encoder, so:

        <password-encoder ref="passwordencoder">                             <salt-source ref="saltsource"/>         </password-encoder>

i'll have write custom saltsource use custom salt. that's not found inside userdetails object. so...

alternative 1:

can use custom implementation of userdetails might have salt property?

<beans:bean id="saltsource" class="path.to.mysaltsource"     p:userpropertytouse="salt"/>

and

@service("userdetailsservice")  public class userdetailsserviceimpl implements userdetailsservice {     public userdetails loaduserbyusername(string username)             throws usernamenotfoundexception, dataaccessexception {          // ...         return builduserfromaccount(account);     }      @transactional(readonly = true)      userdetailsimpl builduserfromaccount(account account){          // ... build user object contains salt property }

custom user class:

public class userdetailsimpl extends user{      // ...      private string salt;      public string getsalt() { return salt; }      public void setsalt(string salt) { this.salt = salt; } }

security.xml:

<authentication-manager>     <authentication-provider user-service-ref="userdetailsservice">         <password-encoder hash="sha">                         <salt-source ref="saltsource"/>     </password-encoder>     </authentication-provider> </authentication-manager>  <beans:bean id="saltsource" class="org.springframework.security.authentication.dao.reflectionsaltsource" p:userpropertytouse="salt"/>


alternative 2:

otherwise i'd have inject accountdao saltsource extract salt given username database.

but: how spring security call saltsource? saltsource.getsalt(userdetails)?

then i'd have make sure saltsource uses userdetails.accountname on accountdao retrieve salt.

edit2:

just learned approach is.. legacy.. :( guess i'll use standardpasswordencoder (which still have figure out how use exactly).

btw: implemented first option custom userdetails class extending user class , adding salt property passed saltsource userpropertytouse has been proposed in post mentioned in edit 1...

edit 3:

just got standardpasswordencoder working, i'll leave pointers here:

use standardpasswordencoder authentication:

<beans:bean id="encoder"      class="org.springframework.security.crypto.password.standardpasswordencoder"> </beans:bean>   <authentication-manager>     <authentication-provider user-service-ref="userdetailsservice">         <password-encoder ref="encoder" />              </authentication-provider> </authentication-manager>

this requires spring-security-crypto module in version 3.1.0.rc? far know. couldn't find repository has 3.0. version (even though somewhere had versions listed included 3.0.6 , on). documentations talks spring security 3.1 figured, i'll go that.

when creating user (for me admin can that), use 

        standardpasswordencoder encoder = new standardpasswordencoder();         string result = encoder.encode(password);

and i'm done.

spring security randomly create salt , add password string before storing in database no salt column needed anymore.

one can provide global salt constructor argument (new standardpasswordencoder("12345");), didn't know how set security configuration retrieve value bean instead of supplying static string <constructor-arg name="secret" value "12345" />. don't know how needed anyway.

i'll mark answered, solved problem , no other comments or answers given:

edit 1 - alternative 1 answers original question

but had learn customized password salting legacy approach not needed in spring security 3.1 more, describe in

edit 3 left pointers on how use standardpasswordencoder automated salts stored password.


Comments

Post a Comment

Popular posts from this blog

objective c - Change font of selected text in UITextView -

-
can suggest me how change font of selected text in uitextview.i cannot use uiwebview since have edit text. have seen pages app.how possible in app. see formatting text within uilabel differently . since need editing, should @ javascript-based editors such ckeditor or tinymce . highly recommend wwdc 2011 video session 511: "rich text editing in safari on ios."
Read more

php - Accessing POST data in Facebook cavas app -

-
so i've got simple form in canvas / iframe facebook app, , i'm trying pass along values post. reading on s.o. , fb's latest docs, understand it, data send via post form can accessed on receiving end $_request object. i read on thread on s.o. in order post forms work need pass along input named "signed_request" value current signed_request (i have signed request working ok otherwise...all login , authentication stuff working fine). isnt mentioned anywhere in official fb docs. so problem comes in $_request object signed request, , bunch of other session stuff. form inputs found. the way can read them set method of form "request" isn't real form method. takes of inputs , sends them args in url. horrible. here's sample page canvas app form i'm using try debug (leaving out authentication stuff): <form enctype="application/x-www-form-urlencoded" method="post" target="_top" id="my_form" action=...
Read more

c# - Getting control value when switching a view as part of a multiview -

-
i have following code in aspx page: <asp:button id="display_button" runat="server" text="display" onclick="button1_click" /> &nbsp; <asp:button id="edit_button" runat="server" text="edit" onclick="button2_click" /> &nbsp; <asp:button id="save_button" runat="server" text="save" onclick="button3_click" visible="false" /> &nbsp; <asp:multiview id="multiview1" runat="server" activeviewindex="0"> <asp:view id="view1" runat="server"> <asp:formview id="view_program" runat="server"> <itemtemplate> <%# eval("status").tostring().trim() %> </itemtemplate> </asp:formview> </asp:view> <asp:view id="view2" runat="server"> ...
Read more