Application of Salt in password encoding.

  • Application of Salt in password encoding.

    What is the application of passing salt-source in password encoding in the Spring Security XML file?
    What are the benefits of salt in the authentication process?
    Please explain briefly with an example.

    Thanks in advance.

  • #2
    Finally got the solution.
    The basic application of passing the salt-source in <security:password-encoder hash="sha" ref="passwordEncoder">
    is to secure your application from a dictionary attack.
    Using a salt you can add an extra string to the password, so a hacker has to work more to break the password.
    There are two salts you can use: 1) Global Salt. 2) Per User Salt.

    In Global Salt there is one single common word appended to the password.
    ex. if I use test as my salt then it appends yourpassword{test} and encodes it with the particular algorithm.

    In Per User Salt we have to give one user attribute to serve as the Salt String.
    ex. if I give username as my salt string, and my username is user1, then the result is yourpassword{user1} and it is encoded with the particular algorithm.

    The steps for using Salt in the application:
    1) in the bean configuration file
      <!-- class attributes were empty in the original post; these are the Spring Security 3.x classes assumed here -->
      <bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource" p:userPropertyToUse="username" />
      <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
      <security:authentication-manager>
        <security:authentication-provider user-service-ref="userDetailService">
          <security:password-encoder hash="sha" ref="passwordEncoder">
            <security:salt-source ref="saltSource"/>
          </security:password-encoder>
        </security:authentication-provider>
      </security:authentication-manager>
    2) Add the encoded password when registering the user.

      // Build the UserDetails first: the salt source reads its "username" property, so the username (employee.getUsername() is assumed) goes in the first argument, not the password.
      UserDetails userDetails = new User(employee.getUsername(), employee.getPassword(), isEnabled, isAccountNonExpired, isCredentialsNonExpired, isAccountNonLocked, authorities);
      // Encode password{username} with the configured SHA encoder and store the result as the user's password.
      String password = passwordEncoder.encodePassword(employee.getPassword(), saltSource.getSalt(userDetails));


    • #3
      Don't use SaltSource or the old interfaces unless you have a legacy application which requires them. Use an encoder which generates its own random salt where you don't have to worry about it. Preferably use BCrypt as described in this answer.
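As an added example (not code from either post, and written in Python rather than Java so it runs stand-alone), here is the salting scheme the two replies describe: the legacy Spring Security SHA encoder hashes the string password{salt}, and the functions below compare a global salt, a per-user salt taken from the username, and a random per-user salt stored beside the digest, which is what a self-salting encoder such as BCrypt does internally. The password{salt} merge rule and its empty-salt behaviour are assumptions about the legacy encoder, and the sample accounts are constructed.

```python
import hashlib
import secrets

# Constructed sample accounts: two users who chose the same weak password.
ACCOUNTS = {"user1": "Summer2012", "user2": "Summer2012"}


def merge_password_and_salt(raw_password, salt):
    """Merge rule of the legacy Spring Security digest encoders (assumption):
    password{salt}; with no salt the password is hashed alone."""
    if salt is None or salt == "":
        return raw_password
    return f"{raw_password}{{{salt}}}"


def spring_sha_encode(raw_password, salt):
    """Hex SHA-1 of password{salt}, like ShaPasswordEncoder.encodePassword."""
    merged = merge_password_and_salt(raw_password, salt)
    return hashlib.sha1(merged.encode("utf-8")).hexdigest()


def encode_with_global_salt(accounts, global_salt="test"):
    """Global salt: every user shares the word 'test' (the #2 example)."""
    return {u: spring_sha_encode(p, global_salt) for u, p in accounts.items()}


def encode_with_username_salt(accounts):
    """Per-user salt: the username property is the salt (ReflectionSaltSource)."""
    return {u: spring_sha_encode(p, u) for u, p in accounts.items()}


def encode_with_random_salt(accounts):
    """Per-user random salt stored beside the digest: what a self-salting
    encoder such as BCrypt does for you, so no SaltSource is needed."""
    stored = {}
    for u, p in accounts.items():
        salt = secrets.token_hex(8)
        stored[u] = (salt, spring_sha_encode(p, salt))
    return stored


def verify_random_salt(stored, username, candidate):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    salt, digest = stored[username]
    return secrets.compare_digest(spring_sha_encode(candidate, salt), digest)


def digests_collide(encoded):
    """True when two users share a stored digest: one precomputed dictionary
    entry would then reveal both accounts, which is the risk a salt addresses."""
    digests = [v[1] if isinstance(v, tuple) else v for v in encoded.values()]
    return len(digests) != len(set(digests))
```

With a global salt both sample users end up with the same digest, while the username salt and the random salt give each user a distinct one.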