stackoom
  简体   繁体   中英

Spring Security >5.0.0 removed Md5PasswordEncoder

 原文  2018-04-03 15:20:44       java/ spring/ spring-boot/ spring-security

Question

I have a Spring project using Spring security. I was using Spring Boot 1.5 and now I migrated to Spring Boot 2.0.

I noticed that Md5PasswordEncoder has been removed in the final release of Spring Security. Instead Md4PasswordEncoder is still present even if deprecated ( https://docs.spring.io/spring-security/site/docs/5.0.3.RELEASE/api/ ).

Should I use extenal MD5 encoder or is the classed moved somewhere else?

5 answers

solution1
 6  2018-08-23 10:34:05

The fact that Md5PasswordEncoder ceased to exist doesn't mean that Spring Security 5 isn't able to create MD5 hashes. It uses new MessageDigestPasswordEncoder("MD5") for that.

There are two options, both work with the new DelegatingPasswordEncoder , which expects a password prefix to determine the hashing algorithm, for example {MD5}password_hash :

Either set the default password encoder to MD5 (in uppercase!), so if passwords aren't prefixed, then the default encoder is applied: 

PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
passwordEncoder.setDefaultPasswordEncoderForMatches(new MessageDigestPasswordEncoder("MD5"));

Or prefix the existing password hashes in the database with {MD5} . This way the DelegatingPasswordEncoder delegates to the `MD5' hasher. Something like: 

update myusertable set pwd = '{MD5}' || pwd;

solution2
 5  2018-04-03 15:25:11

You should use org.springframework.security.crypto.password.PasswordEncoder instead. Here is a good article about switching to the new interface.

solution3
 4  2019-01-21 06:53:25

If you want to use MD5 you can customize : 

@Bean
public PasswordEncoder passwordEncoder() {
    return new PasswordEncoder() {
        @Override
        public String encode(CharSequence charSequence) {
            return getMd5(charSequence.toString());
        }

        @Override
        public boolean matches(CharSequence charSequence, String s) {
            return getMd5(charSequence.toString()).equals(s);
        }
    };
}

public static String getMd5(String input) {
    try {
        // Static getInstance method is called with hashing SHA
        MessageDigest md = MessageDigest.getInstance("MD5");

        // digest() method called
        // to calculate message digest of an input
        // and return array of byte
        byte[] messageDigest = md.digest(input.getBytes());

        // Convert byte array into signum representation
        BigInteger no = new BigInteger(1, messageDigest);

        // Convert message digest into hex value
        String hashtext = no.toString(16);

        while (hashtext.length() < 32) {
            hashtext = "0" + hashtext;
        }

        return hashtext;
    }

    // For specifying wrong message digest algorithms
    catch (NoSuchAlgorithmException e) {
        System.out.println("Exception thrown"
                + " for incorrect algorithm: " + e);
        return null;
    }
}

solution4
 1  2018-04-03 16:37:48

Spring remove MD5 because it is not secure enough anymore. You should use Bcrypt.

solution5
 0  2019-04-25 07:25:12

My solution as below: 

protected static String mergePasswordAndSalt(String password, Object salt, boolean strict) {
        if (password == null) {
            password = "";
        }

        if ((strict) && (salt != null) && ((salt.toString().lastIndexOf("{") != -1) || (salt.toString().lastIndexOf("}") != -1))) {
            throw new IllegalArgumentException("Cannot use { or } in salt.toString()");
        }

        if ((salt == null) || ("".equals(salt))) {
            return password;
        }
        return password + "{" + salt.toString() + "}";
    }

    public static String EncodingPassword(String password, String salt) {
        String merge = mergePasswordAndSalt(password,salt,false);
        return DigestUtils.md5Hex(merge);
    }

use the function above to replace the code below: 

new  Md5PasswordEncoder().encodePassword(String rawPass, Object salt);

From the source code of Md5PasswordEncoder in spring-security-core-3.1.4.RELEASE.jar, we can find out how it handle the password and salt: 

  //org.springframework.security.authentication.encoding.BasePasswordEncoder.class

  protected String mergePasswordAndSalt(String password, Object salt, boolean strict)
  {
    if (password == null) {
      password = "";
    }

    if ((strict) && (salt != null) && (
      (salt.toString().lastIndexOf("{") != -1) || (salt.toString().lastIndexOf("}") != -1))) {
      throw new IllegalArgumentException("Cannot use { or } in salt.toString()");
    }

    if ((salt == null) || ("".equals(salt))) {
      return password;
    }
    return password + "{" + salt.toString() + "}";
  }

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to configure passwordEncoder in spring security config if i use Md5PasswordEncoder for password encryption? Validate Md5PasswordEncoder hash without Java? Spring Security, Problem with PasswordEncoder Java Spring Security PasswordEncoder Upgrading Spring Security PasswordEncoder Spring Boot Security 4 custom PasswordEncoder Spring Security AuthenticationManager set a PasswordEncoder Using PasswordEncoder from Spring Security How to use new PasswordEncoder from Spring Security Spring Security 5 : There is no PasswordEncoder mapped for the id "null"
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM