
  • Password Encoder SHA Strength

    I am converting from acegi 1.0.6 to SS2, and have a question about specifying the SHA hashing strength.

    Am I still required to define a ShaPasswordEncoder and pass in the strength (in this case, 256) as a constructor-arg?

    This is what I have right now:
    HTML Code:
        <security:authentication-provider>
            <security:jdbc-user-service
                    data-source-ref="dataSource"
                    authorities-by-username-query="select ACCT.login, AUTH.AUTHORITY_NAME FROM T_ACCOUNT ACCT, T_AUTHORITY AUTH WHERE ACCT.login=?"
                    users-by-username-query="select login, hashedpassword as password, enabled from T_ACCOUNT where login = ?"/>
            <security:password-encoder hash="sha">
                <security:salt-source user-property="login" />
            </security:password-encoder>
        </security:authentication-provider>
    Help would be appreciated.

    Jason

  • #2
    Yes. You'll have to define your own externally. I guess we could support additional hash names like "sha256","sha512" in future without too much hassle.

    • #3
      Okay, you'll have to excuse my ignorance.

      I changed my implementation to this:
      HTML Code:
          <security:authentication-provider>
              <security:jdbc-user-service
                      data-source-ref="dataSource"
                      authorities-by-username-query="select ACCT.login, AUTH.AUTHORITY_NAME FROM T_ACCOUNT ACCT, T_AUTHORITY AUTH WHERE ACCT.login=?"
                      users-by-username-query="select login as username, hashedpassword as password, enabled from T_ACCOUNT where login = ?"/>
          </security:authentication-provider>
      
          <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.ShaPasswordEncoder">
              <constructor-arg value="256" />
          </bean>
      
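          <bean id="saltSource" class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
              <!-- Name of the accessor on the loaded UserDetails object; the method is getUsername(), not getUserName() -->
              <property name="userPropertyToUse">
                  <value>getUsername</value>
              </property>
          </bean>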
      This is my first attempt at using the security namespace, so I don't know how to specify the password encoder and salt source in order to apply it to the jdbc-user-service.

      Can anyone give me a quickie howto on using the passwordEncoder and saltSource beans with the jdbc-user-service?

      • #4
        Use the "ref" attribute on <password-encoder>:

        http://static.springframework.org/sp...ig.html#d4e226

        • #5
          Originally posted by Luke Taylor
          Use the "ref" attribute on <password-encoder>:

          http://static.springframework.org/sp...ig.html#d4e226
          By default, does it look for the "saltSource" bean?

          • #6
            No. Try using

            Code:
            <password-encoder ref='encoderBean'>
                <salt-source user-property='whatever'/>
            </password-encoder>

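What the strength argument and the salt source discussed in this thread change in the stored value, as an added Python example that is not code from the thread or from Spring Security. It assumes ShaPasswordEncoder hashes the merged string `password{salt}` with SHA-1, SHA-256, SHA-384 or SHA-512 and hex-encodes the digest, that the text is encoded as UTF-8, and it uses a constructed login and password.

```python
import hashlib
import hmac

# Digest selected by the ShaPasswordEncoder strength argument (1 = plain SHA-1).
_ALGORITHMS = {1: "sha1", 256: "sha256", 384: "sha384", 512: "sha512"}
# Hex digest length -> strength, for inspecting existing hashedpassword values.
_HEX_LENGTHS = {40: 1, 64: 256, 96: 384, 128: 512}


def merge_password_and_salt(raw_password, salt):
    """Return the string that is hashed: 'password{salt}', or the bare password."""
    password = raw_password or ""
    if salt is None or salt == "":
        return password
    return password + "{" + str(salt) + "}"


def sha_password_encode(raw_password, salt, strength=1):
    """Hex digest of the merged password and salt (UTF-8 is an assumption)."""
    if strength not in _ALGORITHMS:
        raise ValueError("strength must be one of 1, 256, 384, 512")
    merged = merge_password_and_salt(raw_password, salt)
    return hashlib.new(_ALGORITHMS[strength], merged.encode("utf-8")).hexdigest()


def is_password_valid(stored_hash, raw_password, salt, strength=1):
    """Re-encode the presented password and compare in constant time."""
    candidate = sha_password_encode(raw_password, salt, strength)
    return hmac.compare_digest(stored_hash.encode("utf-8"), candidate.encode("utf-8"))


def strength_from_hex_length(stored_hash):
    """Infer the strength a stored hex hash was produced with, or None."""
    return _HEX_LENGTHS.get(len(stored_hash))


if __name__ == "__main__":
    # Constructed sample account: the salt is the login, as in the thread's salt source.
    login, password = "jason", "s3cret"
    stored = sha_password_encode(password, login, strength=256)
    print("stored hash:", stored)
    print("inferred strength:", strength_from_hex_length(stored))
    # Same encoder settings as when the hash was stored: the login succeeds.
    print("strength 256, salt=login:", is_password_valid(stored, password, login, 256))
    # Default strength (1) against a SHA-256 row: never matches.
    print("strength 1, salt=login:", is_password_valid(stored, password, login, 1))
    # Encoder referenced without its salt source: never matches either.
    print("strength 256, no salt:", is_password_valid(stored, password, None, 256))
```

Running the same check over a copy of existing T_ACCOUNT rows before switching configurations shows whether the new encoder and salt settings reproduce the stored hashes.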