Spring Security password hashing example
In the last Spring Security form login example, the password is stored in clear text, which is vulnerable to attack. In practice, it is recommended to hash your passwords before storing them.
In this tutorial, we show you how to use the SHA hashing algorithm to hash a password, and how to use the hashed password to perform login authentication in Spring Security.
To hash a string with the SHA or MD5 algorithm, refer to this Java SHA example or use Jacksum, a third-party Java library. For readability, we will use Jacksum to perform the password hashing.
1. Password
In the original example, the password is stored in clear text.

```xml
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="mkyong" password="123456" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
```
2. Password + Hashing
Now, use Jacksum to hash the password “123456” with the SHA algorithm.

```
C:\>java -jar jacksum.jar -a sha -q "txt:123456"
7c4a8d09ca3762af61e59520943dc26494f8941b
```

Put the hashed password in the Spring configuration like this:

```xml
<authentication-manager>
    <authentication-provider>
        <password-encoder hash="sha" />
        <user-service>
            <user name="mkyong" password="7c4a8d09ca3762af61e59520943dc26494f8941b" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
```

Supported hashing algorithms in Spring Security:
- plaintext
- sha
- sha-256
- md5
- md4
MD4 is a weak hashing algorithm and MD5 is vulnerable to collisions; neither is recommended. To hash, always use SHA.
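To show what `<password-encoder hash="sha" />` actually compares at login time, here is an added example (not the tutorial's code and not Spring's own encoder class) that reproduces the Jacksum digest above with the JDK's `MessageDigest` and verifies a submitted password against the stored hex value. It assumes the unsalted form used in this tutorial, where `hash="sha"` means SHA-1 rendered as lower-case hex.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example: mirrors the check that the hash="sha" configuration performs.
// It is not Spring Security's ShaPasswordEncoder, only a stand-in that produces
// the same unsalted SHA-1 hex digest the tutorial stores in <user password="...">.
public class ShaPasswordCheck {

    // SHA-1 of the UTF-8 password, lower-case hex: the value Jacksum printed above.
    static String shaHex(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            // SHA-1 is a mandatory JCA algorithm, so this should never happen.
            throw new IllegalStateException("SHA-1 not available", e);
        }
    }

    // Verify a login attempt against the digest stored in the configuration.
    // MessageDigest.isEqual compares the full length in constant time, so the
    // comparison itself does not leak how many leading bytes matched.
    static boolean matches(String storedHex, String submittedPassword) {
        byte[] expected = storedHex.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = shaHex(submittedPassword).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        // Digest taken from the tutorial's <user> entry above.
        String stored = "7c4a8d09ca3762af61e59520943dc26494f8941b";
        System.out.println("computed: " + shaHex("123456"));
        System.out.println("stored:   " + stored);
        System.out.println("login with 123456 -> " + matches(stored, "123456"));
        System.out.println("login with 12345  -> " + matches(stored, "12345"));
        // Caveat: an unsalted, fast digest like this can be precomputed for common
        // passwords; it is shown here only to explain what the configuration checks.
    }
}
```

Run it with `javac ShaPasswordCheck.java && java ShaPasswordCheck`; the computed line should equal the stored digest, and only the correct password should verify.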
References
- MD5 hashing algorithm
- SHA-1 hashing algorithm
- SHA-2 hashing algorithm
- Jacksum Java library
- Java SHA hashing example
- Spring Security form-based login example
Hi,
In Spring, how do I use custom password decoding? In my applicationcontext-security.xml file I used
and customUserDetailsService is a bean id with a class that implements UserDetailsService; there, in the loadUserByUsername method, I use a custom password encoder. But while running the project in NetBeans I got the error
Exception while loading the app : java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authentication.ProviderManager#0′: Cannot create inner bean ‘(inner bean)’ of type [org.springframework.security.config.authentication.AuthenticationManagerFactoryBean] while setting bean property ‘parent’; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘(inner bean)’: FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authenticationManager’: Cannot resolve reference to bean ‘org.springframework.security.authentication.dao.DaoAuthenticationProvider#0′ while setting bean property ‘providers’ with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.authentication.dao.DaoAuthenticationProvider#0′: Initialization of bean failed; nested exception is org.springframework.beans.ConversionNotSupportedException:
Please help me with what I need to extend.
Hello,
I have not tried it yet, but does the decryption happen internally while checking for authentication?
Thanks