tags:

views:

2031

answers:

3
Q: 

Spring Security Encypt MD5

Hi. I have a java web application using spring framework and spring security for its login. In my database I have my passwords encrypted to MD5 before being saved. I added in my application-config.xml this codes

 <security:authentication-provider>
<security:password-encoder hash="md5"/>
<security:jdbc-user-service
  data-source-ref="dataSource"
  users-by-username-query="select user_name username, user_password password, 1 enabled from users where user_name=?"
  authorities-by-username-query="select username, authority from authorities where username=?" />
</security:authentication-provider>

At first It worked when the password in the db were not encrypted. But when I encrypted it and added this snippet in my application config

      <security:password-encoder hash="md5"/>

I am not able to login.

+1  A: 

Have you read 6.3.3 Hashing and Authentication section from Spring Security reference manual? It mentioned some possible issues that you might encounter in using password hashing.

Some possibilities it listed:

  • Database password hash might be in Base64, while the result from MD5PasswordEncoder is in hexadecimal strings
  • Your password hash might be in upper-case, while the result from the encoder is in lower case strings
DJ  2009-11-30 18:42:07
A: 

How are you creating your MD5 hashes? Something like the following works well in Java:

MessageDigest messageDigest = MessageDigest.getInstance("MD5");  
messageDigest.update(user.getPassword().getBytes(),0, user.getPassword().length());  
String hashedPass = new BigInteger(1,messageDigest.digest()).toString(16);  
if (hashedPass.length() < 32) {
   hashedPass = "0" + hashedPass; 
}

When you encode "koala" do you get "a564de63c2d0da68cf47586ee05984d7"?

labratmatt  2009-12-01 03:36:20
ah ok.. i missed the 16 in messageDigest.digest()).toString(16). thanks
cedric  2009-12-01 06:47:45
+1  A: 

I realize this is a little late, but Spring has built-in classes that make this a lot easier. 

@Test
public void testSpringEncoder() {
    PasswordEncoder encoder = new Md5PasswordEncoder();
    String hashedPass = encoder.encodePassword("koala", null);

    assertEquals("a564de63c2d0da68cf47586ee05984d7", hashedPass);
}

This is a unit test that I wrote using the built in Spring Security code, it is a lot smaller than the MessageDigest code and since you are using Spring Security already, you should have the classes in your classpath already.

bh5k  2010-05-20 22:09:39

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords