Spring Security

Password Hashing or Encoding in Spring Security

In Spring Security tutorial, we will discuss about Password Hashing or Encoding through SHA hashing algorithm. In last Spring Security form login example, the password is stored in clear-text, it is vulnerable to attack. In practice, recommend to hash your password before storing them. Here we will see how to use SHA hashing algorithm to hash password, and use the hashed password to perform the login authentication in Spring Security.

Spring Security supports following hashing algorithms :

 

  • plaintext
  • sha
  • sha-256
  • md5
  • md4

Here we will perform password hashing through SHA hashing algorithm. We will use this hashed password to accomplish the login authentication in Spring Security.

Required Tools used for this Application:

  • Spring MVC 3.0.1
  • Spring Security 3.1.0
  • STS 2.8.1.RELEASE
  • Tomcat 7
  • Jdk 1.7
  • Jacksum 1.7.0

 

Password Hashing:
For password hashing, we are incorporating Jacksum 1.7.0, you can download it from here.

After downloading it, execute the below CMD command to generate hash value of the plain text/password, by using the same folder path where you download it ,as follows :

In above my password is “sweetu” after hashing we will get as “22c27ff8a5be6260871523871ee37d0768eb02fc
when it is “sweety” then we will get as “15eabb8159c574ddb45fea23e853e18bc599ce87“.

In original example, password is stored in clear text. As follows.

<security:authentication-manager>
   <security:authentication-provider>
   <security:password-encoder hash="sha"/>
    <security:user-service>
 <security:user name="dineshonjava" password="sweety" authorities="ROLE_USER" />
     </security:user-service>
  </security:authentication-provider>
</security:authentication-manager>

Now, use “jacksum” to hash the password “sweety” with SHA algorithm is “15eabb8159c574ddb45fea23e853e18bc599ce87“.

<security:authentication-manager>
   <security:authentication-provider>
  <security:password-encoder hash="sha"/>
    <security:user-service>
 <security:user name="dineshonjava" 
        password="15eabb8159c574ddb45fea23e853e18bc599ce87" 
        authorities="ROLE_USER" />
    </security:user-service>
  </security:authentication-provider>
</security:authentication-manager>

Use this hashed password in sdnext-security.xml as follows :

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:>
Now rest of the code is same as the previous example no need to discuss every file just look and run the application.

Running the example

Export the example as war and deploy it Tomcat 7 server. While browsing the project you will get the following screen for loging:

Access URL "http://localhost:8080/sdnext/index", Spring will redirect to your custom login form.
URL : http://localhost:8080/sdnext/login

If username/password is correct, then
URL : http://localhost:8080/sdnext/index

Download Source Code-
SpringSecurityPasswordHashing.zip

References-
https://www.dineshonjava.com/spring-security-form-based-login-example/
Spring Security
Spring Security documentation

SHA-1 hashing algorithm 
Jacksum Java library 

 

 

                             <<previous<<             || index  ||         >>next>>

 

Previous
Next
Dinesh Rajput

Dinesh Rajput is the chief editor of a website Dineshonjava, a technical blog dedicated to the Spring and Java technologies. It has a series of articles related to Java technologies. Dinesh has been a Spring enthusiast since 2008 and is a Pivotal Certified Spring Professional, an author of a book Spring 5 Design Pattern, and a blogger. He has more than 10 years of experience with different aspects of Spring and Java design and development. His core expertise lies in the latest version of Spring Framework, Spring Boot, Spring Security, creating REST APIs, Microservice Architecture, Reactive Pattern, Spring AOP, Design Patterns, Struts, Hibernate, Web Services, Spring Batch, Cassandra, MongoDB, and Web Application Design and Architecture. He is currently working as a technology manager at a leading product and web development company. He worked as a developer and tech lead at the Bennett, Coleman & Co. Ltd and was the first developer in his previous company, Paytm. Dinesh is passionate about the latest Java technologies and loves to write technical blogs related to it. He is a very active member of the Java and Spring community on different forums. When it comes to the Spring Framework and Java, Dinesh tops the list!

Share
Published by
Dinesh Rajput

Recent Posts

Strategy Design Patterns using Lambda

Strategy Design Patterns We can easily create a strategy design pattern using lambda. To implement…

2 years ago

Decorator Pattern using Lambda

Decorator Pattern A decorator pattern allows a user to add new functionality to an existing…

2 years ago

Delegating pattern using lambda

Delegating pattern In software engineering, the delegation pattern is an object-oriented design pattern that allows…

2 years ago

Spring Vs Django- Know The Difference Between The Two

Technology has emerged a lot in the last decade, and now we have artificial intelligence;…

2 years ago

TOP 20 MongoDB INTERVIEW QUESTIONS 2022

Managing a database is becoming increasingly complex now due to the vast amount of data…

2 years ago

Scheduler @Scheduled Annotation Spring Boot

Overview In this article, we will explore Spring Scheduler how we could use it by…

3 years ago