I am using Spring 3 and grabbing users from a MySQL database.
Right now, in testing, I have a user with a MD5 password. And I can authenticate just fine using that.
However, we want to be a little more secure in how we hash the passwords. We want to:
MD5(username + salt + password)
The salt is a random string stored in the user record. But I can’t seem to figure out where/how to do this. This is what I have so far:
UserDao
public class UserDao {
public static Users findUserByUsername(String paUsername) {
String hql = "from Users where username = :username";
List<Users> list = null;
Users user = null;
try {
IO io = new IO("web"); // custom Hibernate framework
IOQuery query = new IOQuery();
query.setStatement(hql);
query.setParameter(new IOParameter("username", paUsername));
list = io.runQuery(query);
if (list.isEmpty()) {
return null;
}
return list.get(0);
} catch (Exception ex) {
return null;
}
}
}
UserDetailsServiceImpl
@Service("userDetailsService")
public class UserDetailsServiceImpl implements UserDetailsService {
@Autowired
private UserDao userDao;
@Override
public UserDetails loadUserByUsername(String paUsername) throws UsernameNotFoundException {
Users user = userDao.findUserByUsername(paUsername);
if(user == null) {
throw new UsernameNotFoundException("User not found");
}
return new User(
user.getUsername(),
user.getPassword(),
user.getEnabled(),
true,
true,
true,
getAuthorities(Enums.UserRoles.IT));
}
private Collection<? extends GrantedAuthority> getAuthorities(Enums.UserRoles paRole) {
List<GrantedAuthority> authList = getGrantedAuthorities(getRoles(paRole));
return authList;
}
private List<String> getRoles(Enums.UserRoles paRole) {
List<String> roles = new ArrayList<>();
if (paRole.equals(Enums.UserRoles.USER)) {
roles.add(Enums.UserRoles.USER.name());
} else if (paRole.equals(Enums.UserRoles.IT)) {
roles.add(Enums.UserRoles.USER.name());
roles.add(Enums.UserRoles.IT.name());
}
return roles;
}
private static List<GrantedAuthority> getGrantedAuthorities(List<String> paRoles) {
List<GrantedAuthority> authorities = new ArrayList<>();
for (String role : paRoles) {
authorities.add(new SimpleGrantedAuthority(role));
}
return authorities;
}
}
UserDetailsService
public class UserDetailService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
return new UserDetailsServiceImpl().loadUserByUsername(username);
}
}
security-app-context
<beans:bean id="loginSuccessHandler" class="com.myapp.security.LoginSuccessHandler" />
<beans:bean id="loginFailureHandler" class="com.myapp.security.LoginFailureHandler" />
<beans:bean id="detailsService" class="com.myapp.security.UserDetailService" />
Any ideas on what I need to do?
Thanks
This is a fragment of the security config my app uses to set password encoding:
We don’t need to set a Salt source in the DaoAuthenticationProvider because the BCryptPasswordEncoder uses its own.