Spring Security Password Hashing

In this section, you will learn about Password Hashing in Spring Security.

In this section, you will learn about Password Hashing in Spring Security.

Spring Security Password Hashing

In this section, you will learn about Password Hashing in Spring Security.

In the Spring Security Authorized Access Using Custom Login Form example, the password is stored directly using clear text which is susceptible to attack. So, it is advised don't store password directly in plain text, you should hash your passwords before storing them.

Spring Security supports following hashing algorithms :

plaintext
sha
sha-256
md5
md4

EXAMPLE

In this example, we will perform password hashing through SHA hashing algorithm. We will use this hashed password to accomplish the login authentication in Spring Security.

The tools and technologies used in the below example is given below :

jdk1.6.0_18
apache-tomcat-6.0.29
Eclipse 3.5.1
Spring 3.0.5.RELEASE
Spring Security 3.0.5.RELEASE
Jacksum 1.7.0

The project structure and jar file used is given below :

First we will discuss about password hashing :

Password Hashing

For password hashing, we are incorporating Jacksum 1.7.0, you can download it from here.

After downloading it, execute the below CMD command to generate hash value of the plain text/password ,by using the same folder path where you download it ,as follows :

C:\JackSum>java -jar jacksum.jar -a sha -q "txt:deepak"
d11186354d1ef01ca06ae37d7e23e827da13e85f

In the above case, my password is deepak, after hashing it converts into d11186354d1ef01ca06ae37d7e23e827da13e85f. Use this hashed password in spring-security.xml as follows :

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

<http auto-config="true">
<intercept-url pattern="/admin*" access="ROLE_ADMIN" />
<form-login login-page="/login" default-target-url="/admin" authentication-failure-url="/failLogin" />
<logout logout-success-url="/logoff" />
</http>

<authentication-manager>
<authentication-provider>
<password-encoder hash="sha" />
<user-service>
<user name="admin" password="d11186354d1ef01ca06ae37d7e23e827da13e85f" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>

</beans:beans>

Rest of the code is given below :

CODE

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>SpringSecurityPasswordHashing</display-name>
<servlet>
<servlet-name>Dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/Dispatcher-servlet.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>

Dispatcher-servlet.xml

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context 
http://www.springframework.org/schema/context/spring-context-3.0.xsd">

<context:component-scan base-package="net.roseindia" />

<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix">
<value>/WEB-INF/views/</value>
</property>
<property name="suffix">
<value>.jsp</value>
</property>
</bean>

<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basenames">
<list>
<value>LoginMsg</value>
</list>
</property>
</bean>

</beans>

LoginController.java

package net.roseindia;

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginController {
@RequestMapping(value = "/admin", method = RequestMethod.GET)
public String welcomeAdmin(ModelMap model, Principal principal) {
String username = principal.getName();
model.addAttribute("user", username);
model.addAttribute("msg", "Spring Security - ADMIN PAGE");
return "welcome";

}

@RequestMapping(value = "/login", method = RequestMethod.GET)
public String login(ModelMap model) {

return "login";

}

@RequestMapping(value = "/failLogin", method = RequestMethod.GET)
public String failedLogin(ModelMap model) {

model.addAttribute("error", "true");
return "login";

}

@RequestMapping(value = "/logoff", method = RequestMethod.GET)
public String logoff(ModelMap model) {

return "login";
}
}

LoginMsg.properties

AbstractUserDetailsAuthenticationProvider.badCredentials=Wrong username\ /\ password

login.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Login Page</title>
<style>
.errorblock {
color: #ff0000;
background-color: #ffEEEE;
border: 3px solid #ff0000;
padding: 8px;
margin: 16px;
}
</style>
</head>
<body onload='document.f.j_username.focus();'>
<h3>Login with Username and Password (Custom Page)</h3>

<c:if test="${not empty error}">
<div class="errorblock">
Login error : Please try again.<br />Root Cause:
${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
</div>
</c:if>

<form name='f' action="<c:url value='j_spring_security_check' />"
method='POST'>

<table>
<tr>
<td>User:</td>
<td><input type='text' name='j_username' value=''>
</td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='j_password' />
</td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit"
value="submit" />
</td>
</tr>
<tr>
<td colspan='2'><input name="reset" type="reset" />
</td>
</tr>
</table>

</form>
</body>
</html>

welcome.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
<h3>${msg}</h3> 
<h3>Username : ${user}</h3> 

<a href="<c:url value="/j_spring_security_logout" />" > Logoff</a>

</body>
</html>