Custom salt

    Hello everybody,

    I'm quite new to this area of security. Maybe someone will point me in the right direction on the following matter.

    I would like to use salt to protect against rainbow tables. I've been looking for tutorials and documentation on the Internet about how to implement that. The 'username' salt example is quite common in most of them. The password is hashed by the algorithm using the following construction: password{username}. That doesn't suit my scenario. I would like to encode the passwords using a custom salt which comprises the username plus a string CONSTANT that will be injected into the application. Therefore the construction will be something like: password{usernameCONSTANT}. Could someone point out to me how I can get this value (usernameCONSTANT) for authentication?

    When only the 'username' is used, we will have something like:

    Code:
    public CustomUserDetails createUser(String username, String plainTextPassword) {
        CustomUserDetails u = new CustomUserDetails();
        u.setUsername(username);
        u.setPassword(passwordEncoder.encodePassword(
                plainTextPassword, saltSource.getSalt(u)));
        return u;
    }
    Here, the 'getSalt()' method returns the username from UserDetails.

    If I will use something like:

    Code:
    ...
    StringBuffer bf = new StringBuffer(username);
    bf.append(CONSTANT);
    .....
    passwordEncoder.encodePassword(plainTextPassword, bf.toString())
    how will I "notify" the authentication mechanism that the salt value is: username+CONSTANT?

    Thank you.

    -fabian23
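One way to wire this up in Spring Security 3.x, as an added example that is not part of fabian23's post or of the Spring Security project: implement the SaltSource interface so that one bean computes username+CONSTANT both when the password is stored and when DaoAuthenticationProvider verifies a login. CustomUserDetails is taken from the post; UsernameConstantSaltSource, UserService and the constant value are hypothetical names and values chosen for this example.

```java
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

/** Salt = username + CONSTANT. Hypothetical class name; the interface is Spring Security's. */
public class UsernameConstantSaltSource implements SaltSource {

    // Application-wide secret appended to the username. Inject it from configuration,
    // never hard-code it; the literal below is only a placeholder for the example.
    private final String constant;

    public UsernameConstantSaltSource(String constant) {
        this.constant = constant;
    }

    @Override
    public Object getSalt(UserDetails user) {
        // Same computation on both the storage path and the login path.
        return user.getUsername() + constant;
    }
}

/** Hypothetical service showing both halves share the same SaltSource instance. */
class UserService {

    private final PasswordEncoder passwordEncoder = new ShaPasswordEncoder(256);
    private final SaltSource saltSource;

    UserService(SaltSource saltSource) {
        this.saltSource = saltSource;
    }

    // Storage path: the poster's createUser(), unchanged except for the injected SaltSource.
    public CustomUserDetails createUser(String username, String plainTextPassword) {
        CustomUserDetails u = new CustomUserDetails();
        u.setUsername(username);
        u.setPassword(passwordEncoder.encodePassword(
                plainTextPassword, saltSource.getSalt(u)));
        return u;
    }

    // Login path: the provider asks the SAME SaltSource for the salt of the loaded user,
    // so nothing has to be "notified" about the salt format.
    public DaoAuthenticationProvider authenticationProvider(UserDetailsService userDetailsService) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        provider.setSaltSource(saltSource);
        return provider;
    }

    public static UserService build() {
        // Placeholder constant; in a real deployment read it from a secret store or config.
        return new UserService(new UsernameConstantSaltSource("CONSTANT-placeholder"));
    }
}
```

DaoAuthenticationProvider calls saltSource.getSalt(userDetails) on every login and passes the result to passwordEncoder.isPasswordValid(), so the salt is recomputed from the loaded UserDetails rather than read from anywhere. Two points worth checking in such a setup: CONSTANT is effectively a pepper, so the stored hashes only gain from it while it stays out of the database and out of source control; and a random per-user salt stored beside the hash defeats precomputed tables just as well without depending on a secret, which is the design most current guidance prefers.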