Example Analysis of default cryptographic Encoder in Spring Security5

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article explains, with a worked example, the default password encoder in Spring Security 5. The editor thinks it is very practical, so it is shared here as a reference; I hope you get something out of reading it.

1. Overview

In Spring Security 4, you can use in-memory authentication to store passwords in plain text format.

Version 5 made significant improvements to password management, introducing a more secure default mechanism for password encoding and verification. This means that if your Spring application stores passwords in plain text, upgrading to Spring Security 5 may cause problems.

In this short tutorial, we describe one of those potential problems and show how to solve it.

2. Spring Security 4

Let's start with a standard security configuration that provides simple in-memory authentication (for Spring Security 4):

    @Configuration
    public class InMemoryAuthWebSecurityConfigurer extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Plain-text password, no encoder: accepted in Spring Security 4
            auth.inMemoryAuthentication()
                .withUser("spring")
                .password("secret")
                .roles("USER");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/private/**").authenticated()
                .antMatchers("/public/**").permitAll()
                .and()
                .httpBasic();
        }
    }

This configuration requires authentication for every request under /private/ and allows public access to everything under /public/.

If we use the same configuration under Spring Security 5, we receive the following error:

    java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"

This error tells us that the given password cannot be verified because no password encoder is configured for our in-memory authentication: the stored value carries no encoder identifier, so the delegating encoder does not know which algorithm to apply.

3. Spring Security 5

We can resolve this error by using the PasswordEncoderFactories class to create a DelegatingPasswordEncoder.

We use this encoder to configure our users through AuthenticationManagerBuilder:

    @Configuration
    public class InMemoryAuthWebSecurityConfigurer extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Default delegating encoder: encodes with bcrypt and prefixes the hash with {bcrypt}
            PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
            auth.inMemoryAuthentication()
                .withUser("spring")
                .password(encoder.encode("secret"))
                .roles("USER");
        }
    }

Now, with this configuration, our in-memory passwords are stored as BCrypt hashes in the following format:

    {bcrypt}$2a$10$MF7hYnWLeLT66gNccBgxaONZHbrSMjlUofkp50sSpBw2PJjUqU.zS

Although we can define our own set of password encoders, it is recommended to stick to the default encoders provided by PasswordEncoderFactories.

3.1. Migrating existing passwords

We can update existing passwords to the recommended Spring Security 5 format in the following ways:

- For passwords stored in plain text, replace them with their encoded value:

      String encoded = new BCryptPasswordEncoder().encode(plainTextPassword);

- For passwords stored as a hash produced by a known encoder, prefix the hash with that encoder's identifier:

      {bcrypt}$2a$10$MF7hYnWLeLT66gNccBgxaONZHbrSMjlUofkp50sSpBw2PJjUqU.zS
      {sha256}97cde38028ad898ebc02e690819fa220e88c62e0699403e94fff291cfffaf8410849f27605abcbc0

- When the mechanism used to hash a stored password is unknown, ask the user to set a new password.
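The following stand-alone program is an added example, not code from the original article; it ties together sections 2, 3 and 3.1 by exercising the default DelegatingPasswordEncoder directly, outside a web security configuration. It assumes spring-security-crypto 5.1 or later on the classpath (upgradeEncoding was added in 5.1). The helper names (verifyAndMaybeUpgrade, the "{noop}secret" legacy value) are constructed for the demonstration.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class DelegatingEncoderDemo {

    // The Spring Security 5 default: encodes with bcrypt, and can verify any
    // stored value whose {id} prefix maps to a known encoder (bcrypt, noop, sha256, ...).
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** Encode a plain-text password; the result has the form "{bcrypt}$2a$10$...". */
    static String encode(String plainText) {
        return ENCODER.encode(plainText);
    }

    /**
     * Verify a login attempt against the stored (prefixed) hash. If the hash was
     * produced by an older encoder, return the re-encoded value the caller should
     * persist; if it is already in the default format, return it unchanged.
     * Returns null when the password does not match. (Hypothetical helper.)
     */
    static String verifyAndMaybeUpgrade(String rawPassword, String storedHash) {
        if (!ENCODER.matches(rawPassword, storedHash)) {
            return null;
        }
        // In 5.x this returns true for any prefix other than the default id "bcrypt",
        // and otherwise defers to BCryptPasswordEncoder (true only if strength changed).
        if (ENCODER.upgradeEncoding(storedHash)) {
            return ENCODER.encode(rawPassword);
        }
        return storedHash;
    }

    public static void main(String[] args) {
        // 1. A freshly encoded password carries the {bcrypt} prefix shown in section 3.
        String fresh = encode("secret");
        System.out.println("encoded:  " + fresh);
        System.out.println("matches:  " + ENCODER.matches("secret", fresh));
        System.out.println("upgrade?  " + ENCODER.upgradeEncoding(fresh));

        // 2. Migration (section 3.1): a legacy plain-text password, constructed here,
        //    tagged with the {noop} id so it stays verifiable until the user logs in;
        //    on a successful login it is re-encoded with bcrypt.
        String legacy = "{noop}secret";
        System.out.println("upgraded: " + verifyAndMaybeUpgrade("secret", legacy));
        System.out.println("wrong pw: " + verifyAndMaybeUpgrade("wrong", legacy));

        // 3. The error from section 2: a stored value without an {id} prefix cannot be
        //    matched, because the delegating encoder cannot tell which encoder produced it.
        try {
            ENCODER.matches("secret", "secret");
        } catch (IllegalArgumentException e) {
            System.out.println("error:    " + e.getMessage());
        }
    }
}
```

Running it prints a {bcrypt} hash that matches and needs no upgrade, a new {bcrypt} hash for the {noop} legacy value (and null for the wrong password), and finally the message "There is no PasswordEncoder mapped for the id "null"" for the unprefixed value. In a real application the re-encoded value would be written back through a UserDetailsPasswordService rather than printed.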

This concludes the article on the example analysis of the default password encoder in Spring Security 5. I hope the above content is of some help to you. If you think the article is good, please share it so that more people can see it.
