
I am reading the doc Spring 3.1 security documentation extensively, but I can't find answers to all my questions.

In a spring web application, based on form login (user + pwd), I want to salt user passwords with SHA-256, using a random salt for each user. This means I have to save the salt and the hashed password in my database for each user. No issue so far.

  1. It seems clear that I have to implement my own UserDetailsService to fetch my user information from my database and configure it in my spring-security.xml.

  2. It seems like I will have to add an extra getSalt() method on top of my implementation of UserDetails to make it available when checking the login provided by the user against the stored hashed password.

Then the situation becomes unclear. I should intercept login requests. From section 6.4.3, it seems like Spring will map the user submitted credentials to an Authentication object and submit it to an AuthenticationManager.

My questions are:

i) What implementation of Authentication will Spring submit to the AuthenticationManager? How do I retrieve the name and password?

ii) It seems like I would have to implement my own AuthenticationManager. At each call of authenticate(...), I would fetch the login name and password, fetch UserDetails from the database. Then, hash the provided pwd with the corresponding salt and compare with the database hashed item. Correct?

iii) The AuthenticationManager API also has a supports(...) method. How should it be implemented?

iv) How should Authentication and AuthenticationManager be configured?

Jérôme Verstrynge
  • Just out of curiosity, is there a particular reason/requirement you chose to salt your user passwords? – Andre Jul 18 '12 at 15:18
  • @Andre To make sure that if someone breaks the database, they won't have access to the source passwords. – Jérôme Verstrynge Jul 18 '12 at 17:27
  • That's what I thought. I was just wondering if you need to actually store the salt. I've come across BCrypt a bunch of times and ended up using it with Spring Security; it works just fine. Take a look at this thread: http://stackoverflow.com/a/8528804/323807 – Andre Jul 18 '12 at 17:51

1 Answer


I must not be reading your question properly, but Spring Security offers salted passwords out of the box:

http://static.springsource.org/spring-security/site/docs/3.1.x/reference/core-services.html#d0e3021

If an 8-bit salt is insufficient, you are able to inject your own SaltSource into the DaoAuthenticationProvider. The manual actually strongly recommends this.

Peter Bratton
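An added example (not code from the question or the answer) of the wiring the answer points to: a SaltSource that returns the getSalt() value from the question's own UserDetails, injected into DaoAuthenticationProvider together with the SHA-256 ShaPasswordEncoder, plus the registration-side call that produces the salt and hash to store. The names SaltedUserDetails, UserSaltSource, saltedProvider and saltAndHash are assumed; the Spring classes are the 3.1 API.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

/** Wiring for SHA-256 with a random per-user salt (Spring Security 3.1 API). */
public final class SaltedAuthenticationConfig {

    /** The extra getSalt() the question proposes on its own UserDetails (assumed name). */
    public interface SaltedUserDetails extends UserDetails {
        String getSalt();
    }

    /** SaltSource handed to DaoAuthenticationProvider: returns the salt loaded with the user. */
    public static final class UserSaltSource implements SaltSource {
        @Override
        public Object getSalt(UserDetails user) {
            if (!(user instanceof SaltedUserDetails)) {
                throw new IllegalStateException("no salt loaded for " + user.getUsername());
            }
            return ((SaltedUserDetails) user).getSalt();
        }
    }

    /** Java equivalent of the <authentication-provider> XML; uds is your own UserDetailsService. */
    public static DaoAuthenticationProvider saltedProvider(UserDetailsService uds) throws Exception {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(uds);
        provider.setPasswordEncoder(new ShaPasswordEncoder(256)); // hex SHA-256 of "password{salt}"
        provider.setSaltSource(new UserSaltSource());
        provider.afterPropertiesSet(); // the container does this for an XML-defined bean
        return provider;
    }

    /** Registration side: fresh 128-bit random salt plus the hash to persist beside it. */
    public static String[] saltAndHash(String rawPassword) {
        byte[] saltBytes = new byte[16];
        new SecureRandom().nextBytes(saltBytes);
        String salt = new BigInteger(1, saltBytes).toString(16);
        String hash = new ShaPasswordEncoder(256).encodePassword(rawPassword, salt);
        return new String[] { salt, hash }; // store both; login recomputes with the same salt
    }
}
```

With this in place the provider, not your own AuthenticationManager, does the fetch-salt-hash-compare step from question (ii). The BCrypt route Andre mentions in the comments replaces the encoder and salt source with BCryptPasswordEncoder, which embeds its own random salt in the stored hash, so no separate salt column is needed.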