Spring Security and Custom Password Encoding
In this article, we are going to create a DaoAuthenticationProvider bean and set it to the AuthenticationManagerBuilder.
CORE
·
Join the DZone community and get the full member experience.
Join For FreeOn a previous post, we added password encoding to our spring security configuration using jdbc and md5 password encoding.
However, in the case of custom UserDetailsServices we need to make some tweaks to our security configuration. We need to create a DaoAuthenticationProvider bean and set it to the AuthenticationManagerBuilder.
Since we need a Custom UserDetailsService I will use the Spring Security/MongoDB example codebase.
What we have to do is to change our Spring Security configuration.
package com.gkatzioura.spring.security.config;
import com.gkatzioura.spring.security.service.CustomerUserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Profile;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import javax.sql.DataSource;
/**
* Created by gkatzioura on 10/5/16.
*/
@EnableWebSecurity
@Profile("encodedcustompassword")
public class PasswordCustomEncodedSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public UserDetailsService mongoUserDetails() {
return new CustomerUserDetailsService();
}
@Bean
public DaoAuthenticationProvider authProvider() {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(mongoUserDetails());
authProvider.setPasswordEncoder(new BCryptPasswordEncoder());
return authProvider;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/public").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.permitAll()
.and()
.logout()
.permitAll();
}
}
In most cases, this works ok. However, we might as well want to roll our own PasswordEncoder, which is pretty easy.
package com.gkatzioura.spring.security.encoder;
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* Created by gkatzioura on 10/5/16.
*/
public class CustomPasswordEncoder implements PasswordEncoder {
@Override
public String encode(CharSequence rawPassword) {
String hashed = BCrypt.hashpw(rawPassword.toString(), BCrypt.gensalt(12));
return hashed;
}
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword) {
return BCrypt.checkpw(rawPassword.toString(), encodedPassword);
}
}
So we will change our configuration in order to use the new PasswordEncoder
@Bean
public DaoAuthenticationProvider authProvider() {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(mongoUserDetails());
authProvider.setPasswordEncoder(new CustomPasswordEncoder());
return authProvider;
}
Next step will be to create the encoded password.
@Test
public void customEncoder() {
CustomPasswordEncoder customPasswordEncoder = new CustomPasswordEncoder();
String encoded = customPasswordEncoder.encode("custom_pass");
LOGGER.info("Custom encoded "+encoded);
}
Then add a user with a hashed password to our mongodb database.
db.users.insert({"name":"John","surname":"doe","email":"[email protected]","password":"$2a$12$qB.L7buUPi2RJHZ9fYceQ.XdyEFxjAmiekH9AEkJvh1gLFPGEf9mW","authorities":["user","admin"]})
All that we need is to change the default profile on our gradle script and we are good to go.
bootRun {
systemProperty "spring.profiles.active", "encodedcustompassword"
}
You can find the source code on GitHub.
Published at DZone with permission of Emmanouil Gkatziouras. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments