Application of Salt in password encoding.

  • Application of Salt in password encoding.

    What is the application of passing salt-source in password encoding in the Spring Security XML file?
    What are the benefits of salt in the authentication process?
    Please explain it to me briefly with an example.

    Thanks in advance.

  • #2
    Finally got the solution.
    The basic application of passing the salt-source in <security:password-encoder hash="sha" ref="passwordEncoder">
    is to secure your application from a dictionary attack.
    Using salt you can add an extra string to the password, so a hacker has to work more to break the password.
    There are two kinds of salt you can use: 1) Global Salt, 2) Per User Salt.

    With a Global Salt there is one single common word appended to the password.
    e.g. if I use test as my salt then it appends yourpassword{test} and encodes it with the particular algorithm.

    With a Per User Salt we have to give one user attribute to serve as the salt string.
    e.g. if I give username as my salt string, and my username is user1, then the result is yourpassword{user1} and it is encoded with the particular algorithm.

    The steps to use salt in the application.
    1) In the bean configuration file:
    Code:
      <!-- the salt is read from the getUsername() property of the UserDetails object -->
      <bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource" p:userPropertyToUse="username" />
      <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
      <security:authentication-manager>
        <security:authentication-provider user-service-ref="userDetailService">
          <security:password-encoder hash="sha" ref="passwordEncoder">
            <security:salt-source ref="saltSource"/>
          </security:password-encoder>
        </security:authentication-provider>
      </security:authentication-manager>
    2) Encode the password when registering the user.

    Code:
      // build the UserDetails first: ReflectionSaltSource reads getUsername() from it,
      // so the username (not the password) must be the first constructor argument
      UserDetails userDetails = new User(employee.getUsername(), employee.getPassword(), isEnabled, isAccountNonExpired, isCredentialsNonExpired, isAccountNonLocked, authorities);
      // encode as sha(password{username}) and store the result, never the raw password
      String password = passwordEncoder.encodePassword(employee.getPassword(), saltSource.getSalt(userDetails));
      user.setPassword(password);
      userService.save(user);



    • #3
      Don't use SaltSource or the old interfaces unless you have a legacy application which requires them. Use an encoder which generates its own random salt where you don't have to worry about it. Preferably use BCrypt as described here http://stackoverflow.com/a/8528804/2...verflow answer.

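As an added illustration of the two posts above (not code from the thread or from Spring Security), the following Python reproduces the `password{salt}` concatenation that Spring's legacy ShaPasswordEncoder hashes, compares no salt, the global salt and the per-user salt from #2 on a constructed set of accounts, and then shows the random-salt-inside-the-hash approach that #3 recommends; PBKDF2-HMAC-SHA256 and the `pbkdf2$salt$hash` string format are my own stand-ins for BCrypt and its encoding.

```python
import hashlib
import secrets

def encode_password(password: str, salt, algorithm: str = "sha1") -> str:
    """Reproduce the legacy Spring MessageDigestPasswordEncoder convention used by
    ShaPasswordEncoder: digest(password + "{" + salt + "}") as lowercase hex.
    With no salt it is just digest(password). hash="sha" in the XML means SHA-1."""
    merged = password if salt is None else f"{password}{{{salt}}}"
    return hashlib.new(algorithm, merged.encode("utf-8")).hexdigest()

def is_password_valid(encoded: str, raw: str, salt) -> bool:
    """Constant-time comparison of the stored value against a login attempt."""
    return secrets.compare_digest(encoded, encode_password(raw, salt))

# Constructed sample accounts; user1 and user2 happen to pick the same password.
USERS = {"user1": "Summer2012", "user2": "Summer2012", "user3": "hunter42"}

def encode_all(salt_mode: str) -> dict:
    """salt_mode: "none", "global" (one shared word, the post's {test}) or
    "per-user" (ReflectionSaltSource with userPropertyToUse="username")."""
    salts = {"none": lambda u: None, "global": lambda u: "test", "per-user": lambda u: u}
    return {u: encode_password(p, salts[salt_mode](u)) for u, p in USERS.items()}

def duplicate_hashes(encoded: dict) -> bool:
    """True when two accounts share a stored hash: equal passwords are visible in
    the table and one guessed hash is worth two accounts. A global salt does not
    fix this; a per-user salt does."""
    return len(set(encoded.values())) < len(encoded)

def encode_with_random_salt(password: str) -> str:
    """What #3 recommends: the encoder draws its own random salt and stores it in
    the encoded string, so no SaltSource is configured. PBKDF2-HMAC-SHA256 stands
    in for BCrypt here (assumption: same idea, different KDF); the format is ours."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return f"pbkdf2${salt.hex()}${dk.hex()}"

def verify_random_salt(encoded: str, raw: str) -> bool:
    """Re-derive from the stored salt: two encodings of one password differ,
    yet both verify."""
    _, salt_hex, dk_hex = encoded.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode("utf-8"), bytes.fromhex(salt_hex), 100_000)
    return secrets.compare_digest(dk.hex(), dk_hex)
```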