I have a Spring project using Spring security. I was using Spring Boot 1.5 and now I migrated to Spring Boot 2.0.
I noticed that Md5PasswordEncoder has been removed in the final release of Spring Security. Instead Md4PasswordEncoder
is still present even if deprecated ( https://docs.spring.io/spring-security/site/docs/5.0.3.RELEASE/api/ ).
Should I use extenal MD5 encoder or is the classed moved somewhere else?
The fact that Md5PasswordEncoder
ceased to exist doesn't mean that Spring Security 5 isn't able to create MD5
hashes. It uses new MessageDigestPasswordEncoder("MD5")
for that.
There are two options, both work with the new DelegatingPasswordEncoder
, which expects a password prefix to determine the hashing algorithm, for example {MD5}password_hash
:
Either set the default password encoder to MD5
(in uppercase!), so if passwords aren't prefixed, then the default encoder is applied:
PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
passwordEncoder.setDefaultPasswordEncoderForMatches(new MessageDigestPasswordEncoder("MD5"));
Or prefix the existing password hashes in the database with {MD5}
. This way the DelegatingPasswordEncoder
delegates to the `MD5' hasher. Something like:
update myusertable set pwd = '{MD5}' || pwd;
You should use org.springframework.security.crypto.password.PasswordEncoder
instead. Here is a good article about switching to the new interface.
If you want to use MD5 you can customize :
@Bean
public PasswordEncoder passwordEncoder() {
return new PasswordEncoder() {
@Override
public String encode(CharSequence charSequence) {
return getMd5(charSequence.toString());
}
@Override
public boolean matches(CharSequence charSequence, String s) {
return getMd5(charSequence.toString()).equals(s);
}
};
}
public static String getMd5(String input) {
try {
// Static getInstance method is called with hashing SHA
MessageDigest md = MessageDigest.getInstance("MD5");
// digest() method called
// to calculate message digest of an input
// and return array of byte
byte[] messageDigest = md.digest(input.getBytes());
// Convert byte array into signum representation
BigInteger no = new BigInteger(1, messageDigest);
// Convert message digest into hex value
String hashtext = no.toString(16);
while (hashtext.length() < 32) {
hashtext = "0" + hashtext;
}
return hashtext;
}
// For specifying wrong message digest algorithms
catch (NoSuchAlgorithmException e) {
System.out.println("Exception thrown"
+ " for incorrect algorithm: " + e);
return null;
}
}
Spring remove MD5 because it is not secure enough anymore. You should use Bcrypt.
My solution as below:
protected static String mergePasswordAndSalt(String password, Object salt, boolean strict) {
if (password == null) {
password = "";
}
if ((strict) && (salt != null) && ((salt.toString().lastIndexOf("{") != -1) || (salt.toString().lastIndexOf("}") != -1))) {
throw new IllegalArgumentException("Cannot use { or } in salt.toString()");
}
if ((salt == null) || ("".equals(salt))) {
return password;
}
return password + "{" + salt.toString() + "}";
}
public static String EncodingPassword(String password, String salt) {
String merge = mergePasswordAndSalt(password,salt,false);
return DigestUtils.md5Hex(merge);
}
use the function above to replace the code below:
new Md5PasswordEncoder().encodePassword(String rawPass, Object salt);
From the source code of Md5PasswordEncoder in spring-security-core-3.1.4.RELEASE.jar, we can find out how it handle the password and salt:
//org.springframework.security.authentication.encoding.BasePasswordEncoder.class
protected String mergePasswordAndSalt(String password, Object salt, boolean strict)
{
if (password == null) {
password = "";
}
if ((strict) && (salt != null) && (
(salt.toString().lastIndexOf("{") != -1) || (salt.toString().lastIndexOf("}") != -1))) {
throw new IllegalArgumentException("Cannot use { or } in salt.toString()");
}
if ((salt == null) || ("".equals(salt))) {
return password;
}
return password + "{" + salt.toString() + "}";
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.