Variation in Spring Security Password Authentication in 2.0.0
Posted By : Sahil Dwivedi | 29-Apr-2018
Spring Security provides authentication and authorization for Spring-based applications. It integrates with Spring MVC and ships with implementations of the common password-hashing algorithms. While upgrading a project I found that password handling had changed, so in this blog I want to share how Spring Security behaves with respect to passwords in version 2.0.0.

A note on versions: 1.5.10 and 2.0.0 here are Spring Boot versions. The password-storage change itself comes from Spring Security 5.0, which Spring Boot 2.0 pulls in.

Protecting stored passwords matters because anyone who reads the user table must not be able to learn the passwords. Note that passwords are hashed, not encrypted: the application stores only the hash, and at login it hashes what the user typed and compares the two. That is how the database column ends up in "encoded" form.

Password storage has undergone a major overhaul in this release to provide more secure defaults and the ability to migrate how passwords are stored. The default PasswordEncoder is now DelegatingPasswordEncoder. It encodes new passwords with BCrypt, and it records which algorithm was used as an {id} prefix on the stored value (for example {bcrypt}$2a$10$...), so that the same application can verify hashes produced by several algorithms.
1.) Before 2.0.0 we configured a single hashing bean such as BCryptPasswordEncoder (or the older ShaPasswordEncoder and Md5PasswordEncoder, which are deprecated and should not be used for passwords). It hashed the password entered by the user and compared the result with the hash already stored in the database.
The simple BCryptPasswordEncoder as a bean in our configuration is:
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
2.) When I moved a project from Spring Boot 1.5.10 to 2.0.0, the same configuration stopped authenticating users.
The reason is the new default: Spring Security now expects every stored password to look like {id}encodedPassword and picks the encoder from the id. A value with no prefix, whether a plain-text password or a hash written by the old configuration, has no mapped encoder, so the login fails with IllegalArgumentException: There is no PasswordEncoder mapped for the id "null".
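To make the new behaviour concrete, here is an added example (not code from the original post) that exercises the default DelegatingPasswordEncoder directly: it encodes a new password, matches stored values that carry a {noop} or {bcrypt} prefix, and shows the failure described above for an unprefixed hash. The class name and the "demo" password are assumptions for the demo; the Spring Security API calls are the real ones from spring-security-crypto 5.0.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not part of the original post: what the Spring Security 5 default
// encoder does with the kinds of stored password an upgraded application will meet.
public class DelegatingEncoderDemo {

    // The same encoder Spring Boot 2.0 uses when the application declares no PasswordEncoder bean.
    static final PasswordEncoder ENCODER = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // New passwords: encode() hashes with BCrypt and records that choice as a "{bcrypt}" prefix.
    static String encodeNew(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    // Stored values are matched by their prefix: "{noop}" means plain text, "{bcrypt}" means BCrypt.
    static boolean matches(String rawPassword, String storedValue) {
        return ENCODER.matches(rawPassword, storedValue);
    }

    // A value with no "{id}" prefix (a hash written by a 1.5.x application) cannot be matched:
    // the delegating encoder cannot tell which algorithm produced it and throws IllegalArgumentException.
    static String describe(String rawPassword, String storedValue) {
        try {
            return matches(rawPassword, storedValue) ? "match" : "no match";
        } catch (IllegalArgumentException e) {
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String encoded = encodeNew("demo");
        System.out.println("stored form of a new password: " + encoded);
        System.out.println("new hash, right password:  " + describe("demo", encoded));
        System.out.println("{noop} value, right password: " + describe("demo", "{noop}demo"));
        System.out.println("{noop} value, wrong password: " + describe("wrong", "{noop}demo"));

        // Constructed legacy value: the same BCrypt hash as a pre-2.0 application would have
        // stored it, without any prefix. This is the case that breaks after the upgrade.
        String legacy = encoded.substring("{bcrypt}".length());
        System.out.println("unprefixed legacy hash:       " + describe("demo", legacy));
    }
}
```

Run it with spring-security-crypto 5.0 on the classpath. The last line is the important one: the legacy hash is a perfectly good BCrypt hash, but without the prefix the delegating encoder refuses to guess, which is exactly why a working 1.5.x login starts failing on 2.0.0.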
3.) The quickest way to get the in-memory user working again is to tell the delegating encoder which encoder to use, by prefixing the stored password:
// Both methods live in a @Configuration class extending WebSecurityConfigurerAdapter, annotated with @EnableWebSecurity.
@Autowired
protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    // "{noop}" selects NoOpPasswordEncoder, so "demo" is stored and compared as plain text.
    auth.inMemoryAuthentication().withUser("xyz").password("{noop}demo").roles("USER");
}

@Override
protected void configure(HttpSecurity httpsecurity) throws Exception {
    httpsecurity.authorizeRequests().anyRequest().fullyAuthenticated().and().httpBasic();
    // Disabling CSRF is acceptable only for a stateless API that browsers do not call with session cookies.
    httpsecurity.csrf().disable();
}
4.) In the method above, inMemoryAuthentication defines the password with the prefix {noop}. The id noop maps to NoOpPasswordEncoder, which stores and compares the password as plain text. The prefix scheme exists because, unlike encrypted data, a password hash is designed so that the plaintext cannot be recovered from it; existing hashes therefore cannot be converted to a new algorithm in bulk, which makes migrating password storage difficult. Tagging each stored value with its encoder id lets the application keep verifying old hashes while encoding new passwords with BCrypt. NoOpPasswordEncoder is included in the default DelegatingPasswordEncoder to keep the getting-started experience simple, but {noop} belongs in demos and tests only: in a real application use the {bcrypt} form, and for a database of unprefixed hashes either add the prefix to the stored values or configure a default encoder for unprefixed matches.
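The following configuration is an added example, not code from the original post, showing the production-grade alternative to {noop}: the same in-memory user with a BCrypt-hashed password, plus a DelegatingPasswordEncoder that still accepts the unprefixed BCrypt hashes a 1.5.x application left behind. The class name is an assumption; the user xyz/demo and the HttpSecurity setup are the ones from the post (the configure(HttpSecurity) method is unchanged and omitted here).

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not part of the original post: no {noop}, and a migration-friendly encoder.
@Configuration
@EnableWebSecurity
public class MigrationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", bcrypt);

        // "bcrypt" is the id used for every newly encoded password, so new hashes are
        // stored as "{bcrypt}$2a$10$..." and need no further migration.
        DelegatingPasswordEncoder delegating = new DelegatingPasswordEncoder("bcrypt", encoders);

        // Stored values with no "{id}" prefix (hashes written by the 1.5.x BCryptPasswordEncoder)
        // are matched as BCrypt instead of failing with
        // "There is no PasswordEncoder mapped for the id "null"".
        delegating.setDefaultPasswordEncoderForMatches(bcrypt);
        return delegating;
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            // The demo credential is hashed at startup, so no plain-text password sits in the user store.
            .withUser("xyz").password(encoder.encode("demo")).roles("USER");
    }
}
```

setDefaultPasswordEncoderForMatches is a bridge, not the end state: once the application is on 2.0.0, prefix the existing rows with {bcrypt} (a one-off update of the password column) and the fallback can be removed, leaving the explicit, self-describing format for every stored password.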
About Author
Sahil Dwivedi
Sahil Dwivedi is an associate consultant developer with knowledge of core Java and AngularJS. His hobbies are watching movies, playing football and listening to music. He is a creative person.