Spring Security Password Hashing

In this tutorial we discuss password hashing in Spring Security. In the previous Spring Security form-login example the password was stored in clear text in the configuration file, so anyone who can read that file (or a backup, a checked-in copy, or a log that echoes it) knows the password. In practice you should always hash passwords before storing them. Here we will see how to hash a password with the SHA algorithm and use the hashed value to perform login authentication in Spring Security.

One caveat before we start: the `hash="sha"` setting used below is plain, unsalted SHA-1. It stops someone from simply reading the password out of the file, but it is a fast hash with no per-user salt, so two users with the same password get the same hash and precomputed (rainbow) tables apply. For a real deployment add a salt (Spring's `<security:salt-source>` element) or, better, use the `BCryptPasswordEncoder` that ships with Spring Security 3.1, which is deliberately slow and salts every hash automatically.

Spring Security's `<security:password-encoder>` element accepts the following values for its `hash` attribute (plus the LDAP-style prefixed forms `{sha}` and `{ssha}`):


  • plaintext
  • sha
  • sha-256
  • md5
  • md4
Here we will hash the password with SHA (`hash="sha"`, which is SHA-1) and use that hashed value to perform the login authentication in Spring Security.

Required Tools used for this Application:
  • Spring MVC 3.0.1
  • Spring Security 3.1.0
  • STS 2.8.1.RELEASE
  • Tomcat 7
  • Jdk 1.7
  • Jacksum 1.7.0

Password Hashing:
For generating the hash we use Jacksum 1.7.0, a small Java command-line checksum and hash tool, which you can download from the Jacksum project site.

After downloading it, open a command prompt in the folder where you saved Jacksum and run it to generate the SHA-1 hash of the plain-text password:

In the screenshot above the password "sweetu" hashes to "22c27ff8a5be6260871523871ee37d0768eb02fc",
and "sweety" hashes to "15eabb8159c574ddb45fea23e853e18bc599ce87". Note that Jacksum prints the digest as lowercase hex; that is exactly the form Spring Security compares against, so copy it unchanged.
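You do not need an external tool to produce the value, and it is worth seeing that Spring itself computes the same digest at login time. The following added example (not part of the original tutorial or its download) computes the SHA-1 hex digest with `java.security.MessageDigest`, then with Spring Security 3.1's own `ShaPasswordEncoder` (the class behind `hash="sha"`), and finally shows what the encoder produces when a salt is supplied, as `<security:salt-source user-property="username"/>` would do. It assumes only that `spring-security-core` 3.1 is on the classpath; the user name and password are the ones used in this tutorial.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.springframework.security.authentication.encoding.ShaPasswordEncoder;

/**
 * Added example: how the hash in password="..." is derived, and how it changes
 * once a salt is involved. Not code from the tutorial's download.
 */
public class PasswordHashDemo {

    /** Plain SHA-1, lowercase hex: what Jacksum prints and what hash="sha" compares. */
    static String sha1Hex(String text) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] digest = md.digest(text.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        String rawPassword = "sweety";       // value from the tutorial
        String username = "dineshonjava";    // used as the salt in the salted variant

        // 1. Unsalted digest: this is the string to paste into password="...".
        String plain = sha1Hex(rawPassword);
        System.out.println("sha1(\"" + rawPassword + "\")            = " + plain);

        // 2. The same thing through Spring's encoder. ShaPasswordEncoder() defaults to
        //    SHA-1 with hex output, so the two strings must be identical.
        ShaPasswordEncoder encoder = new ShaPasswordEncoder();
        String viaSpring = encoder.encodePassword(rawPassword, null);
        System.out.println("ShaPasswordEncoder (no salt) = " + viaSpring);
        System.out.println("identical to MessageDigest   : " + plain.equals(viaSpring));
        // This is the check DaoAuthenticationProvider performs at login.
        System.out.println("login would succeed          : "
                + encoder.isPasswordValid(plain, rawPassword, null));

        // 3. With a salt, Spring hashes the string  password + "{" + salt + "}".
        //    Two users with the same password then no longer share a hash.
        String salted = encoder.encodePassword(rawPassword, username);
        String expected = sha1Hex(rawPassword + "{" + username + "}");
        System.out.println("salted with username         = " + salted);
        System.out.println("equals sha1(\"sweety{dineshonjava}\"): " + salted.equals(expected));
        // A wrong password, or the right password with the wrong salt, fails:
        System.out.println("wrong password accepted      : "
                + encoder.isPasswordValid(salted, "sweetu", username));
    }
}
```

If you switch the configuration to a salted encoder, remember that the value stored in `password="..."` must be regenerated with the salt; the unsalted hash from Jacksum will no longer match.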

In the original form-login example the password is stored in clear text, and there is no `password-encoder` element, so Spring compares the submitted password literally against the value in the file:
<security:authentication-manager>
   <security:authentication-provider>
     <security:user-service>
       <security:user name="dineshonjava" password="sweety" authorities="ROLE_USER" />
     </security:user-service>
   </security:authentication-provider>
</security:authentication-manager>

Now hash "sweety" with SHA-1 using Jacksum, which gives "15eabb8159c574ddb45fea23e853e18bc599ce87", and put that hex string in the `password` attribute. Adding `<security:password-encoder hash="sha"/>` tells the authentication provider to hash whatever the user types in the same way before comparing it with the stored value:
<security:authentication-manager>
   <security:authentication-provider>
  <security:password-encoder hash="sha"/>
    <security:user-service>
 <security:user name="dineshonjava" 
        password="15eabb8159c574ddb45fea23e853e18bc599ce87" 
        authorities="ROLE_USER" />
    </security:user-service>
  </security:authentication-provider>
</security:authentication-manager>

The complete sdnext-security.xml with the hashed password then looks as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:p="http://www.springframework.org/schema/p" 
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

   <security:http auto-config="true">
      <security:intercept-url pattern="/index*" access="ROLE_USER" />
      <security:form-login login-page="/login" default-target-url="/index"
                           authentication-failure-url="/fail2login" />
      <security:logout logout-success-url="/logout" />
   </security:http>

   <security:authentication-manager>
      <security:authentication-provider>
         <security:password-encoder hash="sha"/>
         <security:user-service>
            <security:user name="dineshonjava" password="15eabb8159c574ddb45fea23e853e18bc599ce87" authorities="ROLE_USER" />
         </security:user-service>
      </security:authentication-provider>
   </security:authentication-manager>

</beans>
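For comparison, here is the same `authentication-manager` block in two stronger forms. This is an added example, not part of the tutorial's download: the first variant keeps SHA-1 but salts it with the user name via `<security:salt-source>`, the second replaces it with Spring Security 3.1's `BCryptPasswordEncoder`, which is the recommended choice. Both elements and the class name are real Spring Security 3.1 features; the two `password` values are placeholders, because each must be generated for the chosen encoder (for the salted variant, SHA-1 of `sweety{dineshonjava}`; for bcrypt, the string returned by `new BCryptPasswordEncoder().encode("sweety")`). Use exactly one of the two blocks in place of the `authentication-manager` shown above.

```xml
<!-- Variant A: SHA-1 salted with the user name.
     Spring hashes  password + "{" + username + "}", so identical passwords
     for different users no longer produce identical hashes. -->
<security:authentication-manager>
   <security:authentication-provider>
      <security:password-encoder hash="sha">
         <security:salt-source user-property="username"/>
      </security:password-encoder>
      <security:user-service>
         <!-- placeholder: replace with the hex SHA-1 of "sweety{dineshonjava}" -->
         <security:user name="dineshonjava"
                        password="SHA1-OF-sweety{dineshonjava}"
                        authorities="ROLE_USER" />
      </security:user-service>
   </security:authentication-provider>
</security:authentication-manager>

<!-- Variant B (recommended): bcrypt. Slow by design (cost factor 10 here) and
     self-salting; the salt is embedded in the "$2a$10$..." string, so no
     salt-source element is needed. The ref attribute accepts any
     org.springframework.security.crypto.password.PasswordEncoder bean. -->
<bean id="bcryptEncoder"
      class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<security:authentication-manager>
   <security:authentication-provider>
      <security:password-encoder ref="bcryptEncoder"/>
      <security:user-service>
         <!-- placeholder: replace with the output of
              new BCryptPasswordEncoder().encode("sweety") -->
         <security:user name="dineshonjava"
                        password="$2a$10$REPLACE-WITH-GENERATED-BCRYPT-HASH"
                        authorities="ROLE_USER" />
      </security:user-service>
   </security:authentication-provider>
</security:authentication-manager>
```

Note that bcrypt output differs on every call because a fresh salt is generated each time; that is expected, and `BCryptPasswordEncoder.matches(raw, stored)` still verifies any of them. The `<bean>` element belongs under the same `<beans>` root as the security elements, as in sdnext-security.xml above.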

The rest of the code is the same as in the previous example, so there is no need to go through every file; just check it out and run the application.

Running the example

Export the example as a WAR and deploy it to the Tomcat 7 server. When you browse to the project you will get the following login screen:

Access the URL "http://localhost:8080/sdnext/index"; Spring redirects you to the custom login form.
URL : http://localhost:8080/sdnext/login


If the username and password are correct, you are sent on to the protected page:
URL : http://localhost:8080/sdnext/index



Download Source Code: SpringSecurityPasswordHashing.zip


References:
  • Spring Security form-based login example: http://www.dineshonjava.com/2013/02/spring-security-form-based-login-example.html
  • Spring Security
  • Spring Security documentation
  • SHA-1 hashing algorithm
  • Jacksum Java library


7 comments:

  1. Thanks very much for all these courses, you are a great programmer.