  • REST web services DIGEST authentication login problem

    hello everybody

    I'm implementing an authenticated REST service with Digest authentication. I'm using a custom UserDetailsService and everything works fine if I'm not using encrypted passwords.

    Code:
    public UserDetails loadUserByUsername(String username) {
        ...
        // PasswordEncoder is an interface; a concrete encoder such as StandardPasswordEncoder is needed here
        PasswordEncoder encoder = new StandardPasswordEncoder();
        ...
        AUTHORITIES.add(new SimpleGrantedAuthority("user"));
        return new User("ezanchet", encoder.encode("myPassword"), AUTHORITIES);
        ...
    }

    and this is my spring security conf

    Code:
    <beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>

    <authentication-manager>
        <authentication-provider user-service-ref="digestUserService">
            <password-encoder ref="encoder"/>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="digestUserService" class="it.company.app.users.digestUserServiceImpl"/>

    With this configuration I'm not able to authenticate and I suppose that the password is not generated correctly.

    Any suggestion? Many thanks, Enrico.

  • #2
    For starters, why are you creating a new, different instance of the PasswordEncoder in your service? You should be using the one configured in the application context. Next, why are you encoding the password? That should be stored encoded, not plain-text.



    • #3
      If I understand correctly, you mean that I can use @Autowired instead of using NEW to instantiate a PasswordEncoder. Is this correct?

      At the moment I'm not connected to a Database, so I'm emulating the retrieval of password and authorities. So my next question is: how can I encode a password to store in my Database if I want to emulate a login with username = "test" and password = "password"??

      I thought that using encoder.encode("password") I would get a valid encoded password, but login fails.



      • #4
        Why... If you store passwords in plain-text and receive them in plain text then why encode them for comparison?!

        If they are stored encoded (as they should be) you don't need to re-encode the password, as that would encode the already encoded password. And thus you don't need a PasswordEncoder in your service. If they aren't encrypted you are also not going to need one, as it doesn't add any security, only complexity...



        • #5
          My idea is to store encrypted passwords in my Database.

          For the moment this is only a test to understand well how it works. In this way I need to emulate the password retrieved from the Database. So, supposing I want to test a login with username = "test" and password = "password", in my method loadUserByUsername(String username) I only need to encrypt the password?

          return new User("username", encoder.encode("password"), AUTHORITIES);

          And from the client application that consumes my REST web services I'll use "test" as username and "password" as password??

          And change my authentication manager to:

          <authentication-manager>
          <authentication-provider user-service-ref="digestUserService" />
          </authentication-manager>



          • #6
            I would still store encrypted passwords, even for testing; that way you have everything production-like.

            But if you really must, use @Autowired (or whatever means you use to do DI) to get the configured PasswordEncoder, call that for the password and store the password in the User.

            So basically what you wrote down before.



            • #7
              I'm sorry, but I didn't understand well. Suppose for a moment that I'm using a database to manage user accounts. When I add a new registered user to my Database I store the username (for example "test") and the password encoded using encoder.encode("password").

              The encoded password (if I understand correctly it is encoded in SHA256) is something like this: 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8

              So in my Database I have an entry with username = test and password = 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8

              My doubt: which password do I have to use in the client application? "password" or "5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8"??

              thank you very much for your patience :-)



              • #8
                Well what do you normally enter in a password box?! Your password or the hash?



                • #9
                  You are right, it was a stupid question, but I was not able to understand how Spring Security can check my client application password (it sends: "password") against the password stored in my Database (there is: "5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8").

                  I'll check your modification as soon as I'm back home and I'll let you know if login works correctly.

                  Thanks again for your help :-)



                  • #10
                    but i was not able to understand how Spring Security can check my client application password
                    That is the whole point of the PasswordEncoder...

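An added example, not code from the thread or from Spring Security: a stand-alone Python model of the scheme StandardPasswordEncoder documents (random 8-byte salt, SHA-256 iterated 1024 times, hex of salt followed by digest), showing what posts #4 and #10 mean: hash once when the user is registered, and at login let the encoder's matches() recompute with the stored salt, because a fresh encode() call draws a new salt and can never reproduce an earlier one, so encoding inside loadUserByUsername cannot work. Byte-for-byte compatibility with Spring's encoder is not claimed, the realm string is constructed, and the last helper computes the RFC 2617 Digest HA1 to show that Digest authentication needs the plaintext password (or that MD5) on the server, which is why a one-way salted hash cannot be combined with Digest at all.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 1024   # StandardPasswordEncoder re-hashes the SHA-256 output 1024 times
SALT_LEN = 8        # and prefixes an 8-byte random salt (model of Spring's scheme, not its code)


def _iterated_sha256(data: bytes) -> bytes:
    for _ in range(ITERATIONS):
        data = hashlib.sha256(data).digest()
    return data


def encode(raw_password: str, salt: Optional[bytes] = None) -> str:
    """Call once, when the user is registered; the stored value is hex(salt || digest)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return (salt + _iterated_sha256(salt + raw_password.encode("utf-8"))).hex()


def matches(raw_password: str, stored: str) -> bool:
    """What the encoder wired into <authentication-provider> does at login:
    take the salt out of the stored value, recompute, compare in constant time."""
    blob = bytes.fromhex(stored)
    salt, digest = blob[:SALT_LEN], blob[SALT_LEN:]
    return hmac.compare_digest(digest, _iterated_sha256(salt + raw_password.encode("utf-8")))


def reencode_and_compare(stored: str, raw_password: str) -> bool:
    """The mistake in the thread: encode() again and compare strings.
    The fresh random salt makes this False even for the correct password."""
    return encode(raw_password) == stored


def plain_sha256_hex(raw_password: str) -> str:
    """Unsalted SHA-256; for "password" this is the 5E884898... value quoted above,
    which is NOT what StandardPasswordEncoder stores (that is 80 hex chars, salted)."""
    return hashlib.sha256(raw_password.encode("utf-8")).hexdigest().upper()


def digest_ha1(username: str, realm: str, raw_password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password). The server side of HTTP Digest
    needs the plaintext password or this value; neither can be derived from a salted hash."""
    return hashlib.md5(f"{username}:{realm}:{raw_password}".encode("utf-8")).hexdigest()


if __name__ == "__main__":
    stored = encode("password")                      # registration, done once
    print(matches("password", stored))               # True
    print(reencode_and_compare(stored, "password"))  # False
    print(plain_sha256_hex("password"))              # 5E884898...1542D8
    print(digest_ha1("test", "example-realm", "password"))  # constructed realm
```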


                    • #11
                      Hi, I have just tried the modification we talked about earlier and it is still not working.

                      spring security:

                      Code:
                      <beans:bean id="standardPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />

                      <beans:bean id="digestUserServiceImpl" class="it.company.app.service.DigestUserServiceImpl"/>

                      <authentication-manager>
                          <authentication-provider user-service-ref="digestUserServiceImpl" />
                      </authentication-manager>
                      and this is my DigestUserServiceImpl:

                      Code:
                      @Autowired
                      private StandardPasswordEncoder passwordEncoder;

                      @Override
                      public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                          List<GrantedAuthority> AUTHORITIES = new ArrayList<GrantedAuthority>();
                          if (username.equals("test")) {
                              AUTHORITIES.add(new SimpleGrantedAuthority("user"));
                              // encodes at load time: the returned credential is a fresh salted hash, not the password
                              return new User("test", passwordEncoder.encode("password"), AUTHORITIES);
                          } else {
                              throw new UsernameNotFoundException("User not found: " + username);
                          }
                      }
                      I try to log in with username = "test" and password = "password" but it is always incorrect :-(



                      • #12
                        Of course it is wrong... You are only wiring the password encoder to your service (through @Autowired)... You should also provide it to the AuthenticationManager... I suggest you read the Spring Security reference guide, especially the section which covers password encoding/encryption.



                        • #13
                          Do you have any link? I'm not so expert in Spring / Spring Security; this is my first application with this framework.

                          I have found this link: http://www.cleancode.co.nz/blog/937/...authentication but the configuration at the end is the one I posted in this thread and it is not working.



                          • #14
                            the configuration at the end is the one i posted in this thread and it is not working.
                            No it isn't... Check again they also provide the password encoder to the authentication provider, which is the part you are lacking.

                            Yours...
                            Code:
                            <authentication-manager> 
                              <authentication-provider user-service-ref="digestUserServiceImpl" />
                            </authentication-manager>
                            Theirs..

                            Code:
                            <authentication-manager>
                              <authentication-provider user-service-ref="cleancodeUserService" >
                                <password-encoder ref="encoder"/>
                              </authentication-provider>
                            </authentication-manager>



                            • #15
                              Yes, but if you take a look at my first post you'll see that configuration; that is the first one I tried.

                              When I try to connect from my client application I always get: "401 Unauthorized"

                              Do you have any good link or example? I have no more ideas...
