  • Custom Authentication and Filter Provider with random salt using JPA as backend.

    Hey, semi-new to Spring (read Rob and Peter's book and Carlos's book, both recommended) and had what might be a simple question. Currently I made a Custom Authentication and Custom Filter provider that calls up the user information from an implementation of OpenJPA (the code is below). It is relatively thin but does the trick. I want to use the Spring..crypto.password.PasswordEncoder but I am having a bear of a time figuring this out. Almost every example I have seen uses the jdbc-user-service for injection, and that is not an option. I assume because of the random salt that it is executing the extraction to get the hash on the database layer. Is there a way to do this with plain old Java or outside the jdbc-user-service? I would like to do it manually by injecting the crypto service on the OpenJPA DAO layer to basically almost never have it in clear text, and then when the clear text password were posted on the website, use the crypto.password.PasswordEncoder to encrypt the clear text and compare, but of course the salt + hash is different. So basically I reverted to a SHA(256) implementation of the same as seen below and could always put a salt randomly in the backend DAO module for the user and just look up the random salt per user and encrypt the typed-in password for comparison. This seems a little over the top if Spring..crypto.password.PasswordEncoder can do this work for me and I can call it up in my Custom Authentication Provider or filter. Code is below, but any guidance on how to make the crypto.standard.PasswordEncoder work on a strict JPA application, or am I on the correct path with injecting my own salt and using SHA-256 with OpenJPA?

    <bean id="customAuthenticationProvider" class="com.seersoft.springsecurity.authentication.ClairvoyanceUserAuthenticationProvider"/>
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="customAuthenticationProvider"/>
    </security:authentication-manager>
    Don't think there is any way to inject the <password-encoder ref="passwordEncoder"/> into this when it is a customAuthenticationProvider, but I know nothing.
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
                throws AuthenticationException {
            if (!request.getMethod().equals("POST")) {
                throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
            }
            String username = obtainUsername(request);
            if (log.isDebugEnabled()) {
                log.debug("USERNAME OBTAINED: " + username);
            }
            /* old crypto code that didn't work because spring is unaware of the encoder and compares
             * with a new random salt.
             * String rawPassword = obtainPassword(request);
             * StandardPasswordEncoder encoder = new StandardPasswordEncoder();
             * String encodedPassword = encoder.encode(rawPassword);
             * String Password = encodedPassword;
             */
            /* If going the salt route will pull up the salt from the DAO here and replace the null */
            String rawPassword = obtainPassword(request);
            ShaPasswordEncoder encoder = new ShaPasswordEncoder(256);
            String encodedPassword = encoder.encodePassword(rawPassword, null);
            String password = encodedPassword;
            if (log.isDebugEnabled()) {
                // Note: writing the raw password to the log puts credentials into log files; keep this out of production.
                log.debug("PASSWORD RAW OBTAINED: " + rawPassword);
                log.debug("PASSWORD ENCODED OBTAINED: " + password);
            }
            String domain = request.getParameter("domain");
            DomainUsernamePasswordAuthenticationToken authRequest = new DomainUsernamePasswordAuthenticationToken(username,
                    password, domain);
            setDetails(request, authRequest);
            return this.getAuthenticationManager().authenticate(authRequest);
        }
    Any help or ideas would be greatly appreciated. My mind thinks that I have to create a random salt for everyone and then just pull it up on the filter to do the compare. This seems very Spring 3.0, and all the books really push away from that because Spring 3.1 looks like it tries to do the heavy lifting for you, which I would prefer.
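    The pattern the question is looking for, as an added example that is not the poster's code and not part of this thread: the filter forwards the raw password unchanged, the custom AuthenticationProvider gets a PasswordEncoder injected and calls matches(), and the random salt never needs its own column because encode() embeds it in the stored hash string. Account, AccountDao and AccountService are hypothetical stand-ins for the OpenJPA entity, repository and registration code; BCryptPasswordEncoder, SimpleGrantedAuthority and UsernamePasswordAuthenticationToken are Spring Security 3.1 classes.

    ```java
    import java.util.Collections;
    import java.util.HashMap;
    import java.util.Map;

    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.BadCredentialsException;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    /** Hypothetical account entity (stand-in for the OpenJPA entity). */
    class Account {
        final String username, passwordHash, role; // passwordHash carries its own random salt
        Account(String username, String passwordHash, String role) {
            this.username = username; this.passwordHash = passwordHash; this.role = role;
        }
    }

    /** Hypothetical DAO interface standing in for the OpenJPA repository. */
    interface AccountDao {
        Account findByUsername(String username); // null when unknown
        void save(Account account);
    }

    /** Registration at the DAO boundary: the raw password is hashed exactly once. */
    class AccountService {
        private final AccountDao dao;
        private final PasswordEncoder encoder;
        AccountService(AccountDao dao, PasswordEncoder encoder) { this.dao = dao; this.encoder = encoder; }

        void register(String username, String rawPassword, String role) {
            // encode() draws a fresh random salt per call, so two users with the same
            // password get different hashes; no separate salt column is needed.
            dao.save(new Account(username, encoder.encode(rawPassword), role));
        }
    }

    /** Custom provider: the filter forwards the RAW password and the provider does the comparison. */
    class JpaPasswordAuthenticationProvider implements AuthenticationProvider {
        private final AccountDao dao;
        private final PasswordEncoder encoder;

        JpaPasswordAuthenticationProvider(AccountDao dao, PasswordEncoder encoder) {
            this.dao = dao;
            this.encoder = encoder;
        }

        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            Object credentials = authentication.getCredentials();
            String presented = credentials == null ? "" : credentials.toString();
            Account account = dao.findByUsername(authentication.getName());

            // matches() re-reads the salt from the stored hash: no per-user salt lookup required.
            // One message for unknown user and wrong password so the response does not reveal which.
            if (account == null || !encoder.matches(presented, account.passwordHash)) {
                throw new BadCredentialsException("Bad credentials");
            }
            // Credentials are set to null: the raw password must not travel further than this point.
            return new UsernamePasswordAuthenticationToken(account.username, null,
                    Collections.singletonList(new SimpleGrantedAuthority(account.role)));
        }

        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    /** Stand-alone demo with an in-memory map in place of OpenJPA (constructed sample data). */
    public class PasswordEncoderDemo {
        public static void main(String[] args) {
            PasswordEncoder encoder = new BCryptPasswordEncoder();
            final Map<String, Account> table = new HashMap<String, Account>();
            AccountDao dao = new AccountDao() {
                public Account findByUsername(String u) { return table.get(u); }
                public void save(Account a) { table.put(a.username, a); }
            };
            new AccountService(dao, encoder).register("alice", "correct horse battery", "ROLE_USER");
            AuthenticationProvider provider = new JpaPasswordAuthenticationProvider(dao, encoder);

            Authentication result = provider.authenticate(
                    new UsernamePasswordAuthenticationToken("alice", "correct horse battery"));
            System.out.println("alice authenticated as " + result.getName() + " with " + result.getAuthorities());
            try {
                provider.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong password"));
            } catch (BadCredentialsException e) {
                System.out.println("wrong password rejected: " + e.getMessage());
            }
        }
    }
    ```

    Wiring: the encoder is an ordinary bean (for example `<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>`) passed to the custom provider with `<constructor-arg ref="passwordEncoder"/>`; the namespace's `<password-encoder>` element only applies to the built-in providers that wrap a user-service, so with `<authentication-provider ref="...">` the injection is done by hand as above. Two things the example deliberately does not do: the filter does not pre-hash (a filter that calls encode() produces a new salt and can never match the stored hash, which is what the commented-out code in the question ran into), and nothing logs the raw password. The unknown-user branch skips the hash computation and so returns faster than a wrong password; running matches() against a fixed dummy hash in that branch evens the timing out if that matters in your deployment.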

  • #2
    If anyone gets to this with the same problem: I just ended up producing my own salted password using the ShaPasswordEncoder and a random salt that is generated for each user on creation of the user at the DAO level. Then just use a custom authentication filter to rehash and salt the clear text password on authentication and send it over to the authentication provider to compare. Efficient but not elegant, but it works. The joys of OpenJPA.