  • Authentication storing credentials as cleartext

    Immediately after a user authenticates using form-based Spring Security, I get their Authentication object via:

    Code:
    var auth = SecurityContextHolder.getContext().getAuthentication();
    var password = auth.getCredentials().toString();
    The password is retrieved in cleartext. Since I am not storing the cleartext in my data store, I am assuming the cleartext password is somehow associated with the Authentication object as a result of the form-based login, since that is the only place the password could exist in that state.

    Is this expected behavior?

    Config:

    Code:
    <http use-expressions="true" access-denied-page="/denied">
        <form-login login-page='/login' authentication-failure-url='/login?error=true' default-target-url="/redirect" always-use-default-target="false" />
        <logout logout-url="/logout" logout-success-url="/" />
    </http>

    <beans:bean id="restUserDetailsService" class="my.RESTUserDetailsService" />

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="restUserDetailsService">
            <password-encoder hash="md5"/>
        </authentication-provider>
    </authentication-manager>

  • #2
    You can configure the AuthenticationManager to erase credentials post-authentication. See the namespace appendix, for example. This is also the default behaviour in 3.1.


    • #3
      I don't need to clear it. I actually wanted it set to the user's password hash. But I can get the hash from our custom UserDetails object.


      • #4
        Code:
        <!-- Configure Authentication mechanism -->
        <authentication-manager alias="authenticationManager">
            <!-- SHA-256 values can be produced using 'echo -n your_desired_password | sha256sum' (using normal *nix environments) -->
            <authentication-provider>
                <password-encoder hash="sha-256"/>
                <user-service>
        ...
                </user-service>
            </authentication-provider>
        </authentication-manager>
        This is what Roo generates. As you can see, you can change the password hash encoding there.
        You could also define your own UserDetailsService like this:
        http://jpasecurity.sourceforge.net/p...e_the_password (spring petclinic tutorial extension).
        Hope it helps.

        regards,
        Max
        Last edited by MaxMan; May 11th, 2011, 02:08 PM.
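The following is an added example that is not part of this thread and not code from any of the posters or from Roo. It ties together the namespace attribute that post #2 refers to (erase-credentials on authentication-manager, which Spring Security 3.1 defaults to true) with the password-encoder element post #4 shows, using the restUserDetailsService bean name from the original question. The salt-source element and the choice of sha-256 are assumptions of this example, not something the thread prescribes.

```xml
<!-- Added example: Spring Security 3.1 namespace configuration (not from the thread). -->

<!-- The custom UserDetailsService from the original question; the hash the
     application wants (post #3) should be read from the UserDetails it returns,
     i.e. from auth.getPrincipal(), not from auth.getCredentials(). -->
<beans:bean id="restUserDetailsService" class="my.RESTUserDetailsService" />

<!-- erase-credentials="true" makes the AuthenticationManager call eraseCredentials()
     on the returned Authentication, so auth.getCredentials() is null afterwards and the
     cleartext form password no longer lives in the SecurityContext. "true" is the 3.1
     default; it is written out here only to make the behaviour explicit. -->
<authentication-manager alias="authenticationManager" erase-credentials="true">
    <authentication-provider user-service-ref="restUserDetailsService">
        <!-- Assumed hardening over the unsalted md5 in the question: SHA-256 salted
             with the username. The stored hash must then be computed over the
             string "password{username}", which is the form the namespace's
             MessageDigestPasswordEncoder produces when a salt source is present. -->
        <password-encoder hash="sha-256">
            <salt-source user-property="username" />
        </password-encoder>
    </authentication-provider>
</authentication-manager>
```

With this configuration the snippet in the original question still obtains the Authentication object from the SecurityContextHolder, but getCredentials() returns null once the ProviderManager has finished; the credential that survives the request is the hash carried by the UserDetails instance on the principal side, which is what post #3 wanted in the first place.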
