I have a legacy app made in grails which uses springSecurityService.encodePassword to generate user password. It's stored in database like this:
{bcrypt}$2a$04$hO0LTu6a54t41bVpxTfPCe0837vYQbA4dZ3HSTlpMEppoB9kmsz0y
On my new app made in Spring Boot only, I'm using BCryptPasswordEncoder().encode(password)
I read that by default grails also uses bcrypt encode. but with spring-boot the password is stored like this:
$2a$10$zHHRMpHWoP6KByWkmgQWqeKN0k.mWE5uD3Fg0Fb92S5eNKaPS5puK
It looks like it's the same encoding but even manually entering the prefix {bcrypt} I can't access the legacy app and also removing it, legacy users can't access the new app.
How can I generate a spring password with the same encoding as springSecurityService.encodePassword?
Related
I can run a Spring Boot application and then use the springdoc-openapi-maven-plugin artifact to generate an OpenAPI spec.
However, is there also a way to generate the spec without running the application first?
I currently want to generate the spec in a GitHub Action and a direct way would simplify this a lot.
you can use swagger editor: https://editor.swagger.io/
It allows you to write a json/yaml with your specifications and at the same time you can view the result.
Also, in the upper part there are 2 features, which allow you to generate the code based on the json/yaml made.
For example you can create a spring application with all the endpoints you go to specify in your json/yaml ( server).
But you can also generate HTML. (Client)
It seems that Spring is not reading the customized keys for sanitizing the values.(it is only referring to default ones)
I have added below properties in application.properties file
endpoints.env.id=env
endpoints.env.sensitive=true
endpoints.env.enabled=true
endpoints.env.keys-to-sanitize=port
After starting the app and navigating to /env endpoint I am getting below response
"endpoints.env.keys-to-sanitize":{"value":"port","origin":"URL
[file:./application.properties]:40:32"},"endpoints.env.sensitive":{"value":"true","origin":"URL
[file:./application.properties]:41:25"},"endpoints.env.enabled":{"value":"true","origin":"URL
[file:./application.properties]:42:23"},"password":{"value":"******","origin":"URL
[file:./application.properties]:43:10"} ,
"management.port":{"value":"8081","origin":"URL [file:./application.properties]:36:17"}
Notice that port are still visible and the password is masked with ****.
Am I missing something. My requirement is to add few more keys to hide their values.
If you are using Spring Boot version 2 and above, the properties have changed.
You can follow the Actuator Migration Guide for more details.
I am currently configuring my CAS Server v5.0.2 to use Database Authentication, particularly using the Encode method, using the CAS properties file. Below are the relevant property configurations from the properties file:
cas.authn.jdbc.encode[0].sql=SELECT * FROM public.vt_user WHERE email=?
cas.authn.jdbc.encode[0].driverClass=org.postgresql.Driver
cas.authn.jdbc.encode[0].url=jdbc:postgresql://localhost:5432/tracking
cas.authn.jdbc.encode[0].user=postgres
cas.authn.jdbc.encode[0].password=postgres
cas.authn.jdbc.encode[0].saltFieldName=salt
cas.authn.jdbc.encode[0].passwordFieldName=password
cas.authn.jdbc.encode[0].healthQuery=SELECT 1 FROM INFORMATION_SCHEMA.TABLES
cas.authn.jdbc.encode[0].numberOfIterations=1
cas.authn.jdbc.encode[0].numberOfIterationsFieldName=
cas.authn.jdbc.encode[0].staticSalt=
cas.authn.jdbc.encode[0].algorithmName=SHA-1
cas.authn.jdbc.encode[0].dialect=org.hibernate.dialect.PostgreSQLDialect
cas.authn.jdbc.encode[0].passwordEncoder.type=DEFAULT
cas.authn.jdbc.encode[0].passwordEncoder.characterEncoding=UTF-8
cas.authn.jdbc.encode[0].passwordEncoder.encodingAlgorithm=SHA-1
The database I am connecting with is a PostgreSQL DB. The passwords were previously encoded using Spring Security's 3.2.5 ShaPasswordEncoder with the default strength which is SHA-1 plus a salt value. I have tested the CAS DB Authentication configuration by entering valid credentials in the CAS Server's default login page, but authentication always fail and return "Invalid credentials." Additionally, I am already aware that the 3.2.5 ShaPasswordEncoder is deprecated, but I am not planning to change it's implementation. The logs show that the username can be successfully queried from the user table, but the passwords from the table and the input don't match.
Right now I am looking for any approach on resolving this issue. I am still relatively new to CAS, and I really appreciate the much needed help. Thanks!
I resolved this issue by modifying the QueryAndEncodeDatabaseAuthenticationHandler.java file from the cas-server-upport-jdbc dependency (of the same CAS version) to use Spring Security's ShaPasswordEncoder instead of the one used by CAS which is Apache Shiro's default hash service.
Specifically, what I did was to add the modified java file (plus the AbstractJdbcUsernamePasswordAuthenticationHandler.java) inside the CAS maven overlay that I'm using inside the src/main/java/org/apereo/cas/adaptors/jdbc directory. The relevant function that I modified inside the java file is named digestEncodedPassword. I commented out the original lines of code and replaced it with my implementation of the ShaPasswordEncoder. The custom source code should be compiled alongside when building CAS.
My application uses Spring Security and Spring MVC and is hosted on Glassfish 3.1.2.
I'm looking for a forum software (phpBB like) that I can integrate easily in my app.
Does anyone know some ?
I found JForum but it's a web app which needs to be installed... Maybe should I install it and copy the directory in my application?
I tried jForum, and even if it seems that the project is not continuing, it fits to my application.
To get it working with Spring, I had to use SSO (Single sign-on) by modifying jForum config.
In the file SystemGlobals.properties, I had to change property authentication.type = default to authentication.type = sso.
jForum will use the remote user of the request context.
See classes below for more informations
net.jforum.JForum
net.jforum.ControllerUtils
net.jforum.sso.RemoteUserSSO
net.jforum.sso.SSOUtils
In my grails application,i am using spring security core plugin for security,and email confirmation plugin for email validity,now i need to implement code for forget password.
Do i need to use spring security ui plugin or i can achiebe it with existing plugins?
With thanks,
Since passwords are stored with one-way encryption, there's no way to retrieve the original cleartext password (unless you store it unencrypted, which is a bad idea). So the workflow in the UI plugin involves resetting the password via email.
You can install that, but you don't have to use the UI plugin - feel free to copy the implementation and use it in your application.
I implemented a reset password feature using the email confirmation plugin. This was when I was using the Acegi security plugin (the Spring Security plugin's ancestor), but AFAIK it should work with the Spring Security plugin too.