Authentication Fails when PasswordEncoder is being used.

  • #16
    Same problem with Acegi 1.0.3

    Hi guys, I thought i would share my experience.

    I'm having the same problem with Acegi 1.0.3.
    So, after stepping through the code, I noticed the following:

    1. In line 87 of BasePasswordEncoder, the password is salted as:
    return password + "{" + salt.toString() + "}";
    If I remove the '{' and '}', the encoder's digest output produces almost the same string as the one put in my database through an existing PHP application, the only difference being #2 below.

    2. The difference between what I have in my DB and what the encoder gives is that my DB for some reason has the password digest in all uppercase. I'm not sure why my DB has it that way, but I plan on changing my query to fix that.

    I'm not sure if either #1 or #2 is a real bug or is caused by the legacy PHP app I'm integrating with. Anyway, as a workaround I should be able to subclass the MD5PasswordEncoder.

    Hope that helps someone.

    - hitesh


    • #17
      Authentication Fails when PasswordEncoder used with salt

      I am working on a project where we need to apply authentication with the password encoded with a salt. Without the salt it works properly, but when I apply the salt it fails and says Bad credentials, so I was just wondering if anybody could please help me. This is the code which I am using for encoding with salt, with the relevant .xml snippet.
      IMP: we are using Linux Ubuntu 7.04
      import org.acegisecurity.providers.encoding.Md5PasswordEncoder;

      String PASSWORD = "abc123";
      Object salt = "1234";
      // manually salted form: "abc123{1234}"
      String SALETEDPASS = PASSWORD + "{" + salt.toString() + "}";
      Md5PasswordEncoder md5PasswordEncoder = new Md5PasswordEncoder();
      // encodePassword(rawPass, salt) merges the two itself as rawPass + "{" + salt + "}",
      // so here the pre-salted string is passed in as the salt
      String encdPswd = md5PasswordEncoder.encodePassword(PASSWORD, SALETEDPASS);

      and acegi-security.xml code:
      <bean id="daoAuthenticationProvider"
            class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="jdbcDaoImpl"/>
        <property name="passwordEncoder">
          <bean class="org.acegisecurity.providers.encoding.Md5PasswordEncoder"/>
        </property>
        <property name="saltSource" ref="systemWideSalt"/>
      </bean>

      <bean id="systemWideSalt"
            class="org.acegisecurity.providers.dao.salt.SystemWideSaltSource">
        <property name="systemWideSalt">
          <!-- salt value not shown in the original post -->
        </property>
      </bean>
      So please, could anybody tell me where I am going wrong?
      Any help would be highly appreciated.
      Last edited by ajois4u; Oct 3rd, 2007, 04:30 AM.
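The salting rule hitesh quotes in #16 and the encoding call in #17, as an added worked example that is not code from this thread or from Acegi: a Python model of how Md5PasswordEncoder merges password and salt (password + "{" + salt + "}", then MD5 as lowercase hex, written from memory of BasePasswordEncoder and an assumption here), the double-salting that #17's call produces, and a hypothetical subclass for the legacy-PHP layout from #16 (no braces, uppercase digest; that the PHP side hashed password followed by salt is assumed, the thread does not say).

```python
import hashlib


def md5_hex(s: str) -> str:
    """Lowercase hex MD5 of the UTF-8 bytes of s."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


class Md5Encoder:
    """Model of Acegi's Md5PasswordEncoder (assumption, written from memory of
    BasePasswordEncoder.mergePasswordAndSalt; not Acegi's own code)."""

    def merge_password_and_salt(self, password: str, salt) -> str:
        # Acegi appends the salt in braces; a null/empty salt leaves the password unchanged.
        if salt is None or str(salt) == "":
            return password
        return password + "{" + str(salt) + "}"

    def encode_password(self, raw_pass: str, salt) -> str:
        return md5_hex(self.merge_password_and_salt(raw_pass, salt))

    def is_password_valid(self, enc_pass: str, raw_pass: str, salt) -> bool:
        # Exact, case-sensitive string comparison, as in MessageDigestPasswordEncoder.
        return enc_pass == self.encode_password(raw_pass, salt)


class LegacyPhpMd5Encoder(Md5Encoder):
    """Hypothetical subclass for the legacy-PHP rows in #16: salt appended without
    braces and the digest stored in upper case. Assumes the PHP app hashed
    password + salt; that detail is not stated in the thread."""

    def merge_password_and_salt(self, password: str, salt) -> str:
        return password + ("" if salt is None else str(salt))

    def encode_password(self, raw_pass: str, salt) -> str:
        return super().encode_password(raw_pass, salt).upper()


def double_salt_mistake(raw_pass: str, salt) -> str:
    """Reproduces the call in #17: the caller pre-salts the password and then
    hands the pre-salted string to encodePassword as the salt, so the digest
    is taken over "abc123{abc123{1234}}" instead of "abc123{1234}"."""
    enc = Md5Encoder()
    salted = raw_pass + "{" + str(salt) + "}"
    return enc.encode_password(raw_pass, salted)


def demo() -> dict:
    """Constructed sample values (abc123 / 1234 from #17) run through each path."""
    enc = Md5Encoder()
    legacy = LegacyPhpMd5Encoder()
    stored = enc.encode_password("abc123", "1234")       # what the DB column should hold
    wrong = double_salt_mistake("abc123", "1234")        # what #17's code stores
    legacy_stored = legacy.encode_password("abc123", "1234")
    return {
        "stored": stored,
        "stored_verifies": enc.is_password_valid(stored, "abc123", "1234"),
        "double_salted": wrong,
        "double_salted_verifies": enc.is_password_valid(wrong, "abc123", "1234"),
        "legacy_stored": legacy_stored,
        "legacy_verifies_with_stock_encoder": enc.is_password_valid(legacy_stored, "abc123", "1234"),
        "legacy_verifies_with_subclass": legacy.is_password_valid(legacy_stored, "abc123", "1234"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stock encoder rejects both the double-salted digest and the legacy uppercase digest because isPasswordValid is a plain string comparison of the recomputed hash; only a subclass that reproduces the legacy layout (or a migration of the stored rows) makes the legacy rows verify.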


      • #18
        Authentication Fails when PasswordEncoder is being used.

        I am facing the same problem and I am using Jasypt Password Encoder.

        To begin with I had plain text passwords, so I was not getting authenticated.
        So in getPassword of UserDetails I did a hack to return the encrypted value of the password (which I get as myDomain.getPassword()) and it let me pass. Inside the application, I changed all the other users' passwords and they all became encrypted. But when I log back in, I can't, unless I return just myDO.getPassword() without any encryption.
        In Jasypt, you do not have to deal with salt etc. It does it internally.


        • #19
          Edit: Nevermind, what I wrote before here.

          Just make a prominent note somewhere in the docs and examples that you have to call encoder.encodePassword(rawPass, saltSource.getSalt(userDetails)) instead of encoder.encodePassword(rawPass, saltSource) to encode your passwords for the first time before storing them in the database.

          This mistake seems to be common.
          Last edited by otho; Nov 22nd, 2008, 05:08 AM.
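The storage-time call otho describes, as an added example that is not part of this thread or of Acegi: Python models of a system-wide and a per-user salt source (names and behaviour as recalled from Acegi's SystemWideSaltSource and ReflectionSaltSource, an assumption here), the correct encodePassword(rawPass, saltSource.getSalt(userDetails)) call beside the encodePassword(rawPass, saltSource) mistake, and the provider-side check that has to agree with whatever was stored. The user record and password values are constructed for the example.

```python
import hashlib


def encode_password(raw_pass: str, salt) -> str:
    """Acegi-style MD5 of rawPass + "{" + salt + "}" (model, not Acegi code)."""
    return hashlib.md5((raw_pass + "{" + str(salt) + "}").encode("utf-8")).hexdigest()


class UserDetails:
    """Minimal stand-in for org.acegisecurity.userdetails.UserDetails."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.password = password


class SystemWideSaltSource:
    """Model of SystemWideSaltSource: getSalt ignores the user and returns one configured string."""

    def __init__(self, system_wide_salt: str):
        self.system_wide_salt = system_wide_salt

    def get_salt(self, user: UserDetails) -> str:
        return self.system_wide_salt


class ReflectionSaltSource:
    """Model of ReflectionSaltSource with userPropertyToUse set to a user property
    (assumed "username" below), so the salt differs per account."""

    def __init__(self, user_property: str):
        self.user_property = user_property

    def get_salt(self, user: UserDetails) -> str:
        return getattr(user, self.user_property)


def store_password_correctly(raw_pass: str, user: UserDetails, salt_source) -> str:
    # What #19 recommends: encodePassword(rawPass, saltSource.getSalt(userDetails)).
    return encode_password(raw_pass, salt_source.get_salt(user))


def store_password_with_salt_source_object(raw_pass: str, user: UserDetails, salt_source) -> str:
    # The mistake #19 warns about: encodePassword(rawPass, saltSource). Java would
    # stringify the bean (its Object.toString() form) into the salt; Python's str()
    # of the object does the equivalent here, so the stored hash can never be recomputed.
    return encode_password(raw_pass, salt_source)


def authenticate(presented_pass: str, user: UserDetails, stored_hash: str, salt_source) -> bool:
    """DaoAuthenticationProvider's check: isPasswordValid(stored, presented, saltSource.getSalt(user))."""
    return stored_hash == encode_password(presented_pass, salt_source.get_salt(user))


def demo() -> dict:
    """Constructed user and passwords run against both salt sources."""
    results = {}
    user = UserDetails("alice", None)
    for name, src in (("system-wide", SystemWideSaltSource("1234")),
                      ("per-user", ReflectionSaltSource("username"))):
        good = store_password_correctly("abc123", user, src)
        bad = store_password_with_salt_source_object("abc123", user, src)
        results[name] = {
            "good_login": authenticate("abc123", user, good, src),
            "bad_login": authenticate("abc123", user, bad, src),
            "wrong_password": authenticate("abc124", user, good, src),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

With the object passed as the salt, "Bad credentials" follows for every login, because the provider recomputes the hash with getSalt(userDetails) and that string never appears in what was stored.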