Spring Security - encrypt password before authenticating
#16

Originally posted by Garoad:
    "This" meaning the case I described above of storing password hashes. It may already be possible, but I'm assuming not since nobody has said otherwise yet.

    Instead of storing a recoverable password, we store (say) an MD5 hash of the password. To authenticate, re-hash the password provided by the user at the time of authentication (this is the part those in the thread seem to be having trouble with), comparing the original stored hash with the newly generated one.

What you're describing is exactly how Spring Sec can be configured to work; that's why I was confused.

Simply configure a password encoder on your user service and Spring Sec will take care of the rest during authentication. When saving the password in the first place, obviously you need to encode it in the same way, but you can just re-use the password encoder for that too. Problem solved!

Pre-authenticated auth is something completely different.


#17

Perhaps I misinterpreted the original post. I did find this, which I believe relates to what I was asking for (and what you've brought up just now):

    <authentication-provider user-service-ref="userService">
        <password-encoder hash="md5">
            <salt-source user-property="username" />
        </password-encoder>
    </authentication-provider>


#18

You are correct, sir! The only thing that sometimes gives people a difficult time is understanding how the password gets MD5 hashed upon insert/update, but I bet you will be able to figure that out too.

I think somewhere earlier in the thread there was confusion about hashing the password prior to authenticating against LDAP, which definitely won't work, ever.
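An added example, not from the thread and not Spring's own code, that re-implements in Python what the `hash="md5"` plus `salt-source user-property="username"` configuration above does, so the insert/update side and the login side can be seen together. It assumes (from Spring Security 2.x behaviour) that the encoder digests the string `raw{salt}` and stores it hex-encoded; the in-memory user store and the sample user are constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Stand-alone re-implementation of the scheme selected by
#   <password-encoder hash="md5"><salt-source user-property="username"/></password-encoder>
# Assumption (from Spring Security 2.x): the encoder digests "raw{salt}" and hex-encodes it.


def merge_password_and_salt(raw_password: str, salt: Optional[str]) -> str:
    """Append the salt as "{salt}" when one is present (mirrors Spring's mergePasswordAndSalt)."""
    if salt is None or salt == "":
        return raw_password
    if "{" in salt or "}" in salt:
        # Spring rejects such salts because "{" and "}" delimit the salt in the merged string.
        raise ValueError("salt may not contain '{' or '}'")
    return raw_password + "{" + salt + "}"


def encode_password(raw_password: str, salt: Optional[str]) -> str:
    """What the encoder produces at insert/update time: hex MD5 of the merged string."""
    return hashlib.md5(merge_password_and_salt(raw_password, salt).encode("utf-8")).hexdigest()


def is_password_valid(stored_hash: str, raw_password: str, salt: Optional[str]) -> bool:
    """What the provider does at login: re-encode the submitted password and compare."""
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(stored_hash, encode_password(raw_password, salt))


# Constructed in-memory user store standing in for the user-service the config refers to.
USER_STORE: Dict[str, str] = {}


def create_user(username: str, raw_password: str) -> str:
    """Save path: run the same encoder, with the username as salt, before storing."""
    USER_STORE[username] = encode_password(raw_password, username)
    return USER_STORE[username]


def authenticate(username: str, raw_password: str) -> bool:
    """Login path: the stored value is never decoded; the submitted password is re-hashed."""
    stored = USER_STORE.get(username)
    if stored is None:
        return False
    return is_password_valid(stored, raw_password, username)


if __name__ == "__main__":
    create_user("alice", "correct horse")  # constructed sample user
    print(authenticate("alice", "correct horse"), authenticate("alice", "wrong"))
```

Because the salt is the username, the same password stored for two different users produces two different hashes, which is the point of the `salt-source` element.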


#19

Re: Spring Security - encrypt password before authenticating

Has there been proposed any solution that enables (salted) hashed passwords to be sent to the server rather than cleartext passwords? We are in a similar situation where we can't use https (client's company policy) and we would really like to scramble the passwords before sending them over the wire.

Best regards,
Peter Rigole


#20

I'm not aware of anything that would let you do this. Regardless, no matter what you do to the password on the client side, if it's insecure over the wire, it's of course completely vulnerable to replay attacks. Your best bet is to at least write some kind of custom time-sensitive non-repudiation algorithm (such as a hidden, maybe server-encrypted timestamp form field) so that replay attacks are much less likely to work.

Why on earth would a client not want to use SSL to secure username and password data, though?


#21

Originally posted by prigole:
    Has there been proposed any solution that enables (salted) hashed passwords to be sent to the server rather than cleartext passwords? We are in a similar situation where we can't use https (client's company policy) and we would really like to scramble the passwords before sending them over the wire.

You cannot do this. If you just send a scrambled/hashed password in a single request, then it has the same value to an attacker as the plaintext password. They can just send the same scrambled value themselves to gain access.

The only alternative is to use a protocol like SRP to authenticate.
