I'm working with Spring Boot Security.
I have to Sign up a user (name, login, password, ... .),
the password inserted to oracle DB is encoded using PasswordEncoder.
Then the Sign in is implemented with JWT.
I'd like to recuperate the password registered in DB, but it's not possible with PasswordEncoder.
That's why I used StandardPBEStringEncryptor which allowed decrypt the encrypted registered password.
But, now, I faced another problem which is :
encoded password does not look like bcrypt jwt
Could you please tell me if I missed something ? Have you any idea to recuperate the registered password ?
Any suggestion will be appreciated.
Related
I have an asp.net web API. I implemented a token authentication that I am trying to validate user name and password from the database. I am new to JWT so I need your advice.
Here are my questions;
Should I encrypt username and password in my database?
The client sends the username and password in the request body, Should the client send them in the header? And should they be encrypted?
Best Regards.
You should absolutely encrypt your password in the database. Even better if you hash it with "salt" (hashing will let you implement the log in logic, but the original password will be unrecoverable even if you know the hash).
Sending the password in the request body is fine if the connection is protected by TLS (HTTPS). There's no gain in putting it in the headers.
Usernames are often stored in plain text.
P.S. Your question has nothing specific to JWT, it is just general password management.
i am new to spring. i need to make a user registration form where user will provide their basic details and password which i am directly saving to database.password is as string datatype in registration bean and varchar in database.
Now my approach is that i will do the service call from mobile or website to that web service and send password as plain text.
But i think this is not a good way as there is no security while sending data through webservice or in server code or in database, password is just a string with few validations.
Is there a good approach to do this task according to industry standards.
Thank you in advance.
Also i want that my password should not be intercepted by hackers or in server. The password should go in encrypted form from client and should save in database.Nobody managing server/DB should see that password.
Use BCryptPasswordEncoder provided by Spring Security to encrypt your user's password and store hashed password string to the database.
Example:
#Transactional
#Override
public User create(UserCreateForm form) {
User user = new User();
user.setEmail(form.getEmail());
user.setPasswordHash(new BCryptPasswordEncoder().encode(form.getPassword()));
user.setRole(form.getRole());
return userRepository.save(user);
}
I have working on jhipster.but i am unable to decrypt password in jhipster and Spring.PasswordEncoderClass only provide encode and Match password function.can you help to decrypt password in jhipster.
Thanks in advance
We are using Spring Security's StandardPasswordEncoder, I do hope you can't decrypt it :-)
We are indeed storing hashed passwords: as you say, you can encode a password, and validate (match) if a specific String is the correct password, but you can't decrypt it. This means that if your database is stolen by a hacker, he would have a very hard time to figure out your users' passwords.
So this is a very good idea if you want to keep your users' password secure.
If, however, you want to have your passwords in plain text, you can change the encoder in your SecurityConfiguration class: you need to change the "passwordEncoder" bean, and probably use Spring Security's "NoOpPasswordEncoder" class. Of course, I have never done it, as I care about my users' data :-)
I have a database where passwords are encrypted in plain old md5. There is no salt. All the usernames are numeric.
This is what the db looks like..
Username, Password, Hashed Password
0101,abcd123,79cfeb94595de33b3326c06ab1c7dbda
I am writing a web application using spring security. I have managed to get authentication working when the user the user types in 0101 as the username and then abcd123 as the password.
But what I really want working is the user to type in 101 (without the leading zero) as the username and abcd123 as the password.
I got my code working with the leading zero by overriding org.springframework.security.core.userdetails.UserDetailsService > loadUserByUsername(String userId).
I started looking at salt and then realized that I was totally going down the wrong track because this has nothing to do with my use password.
How can I alter my code so that my requirement is meant? I tried to hack my own implementation of loadUserByUsername(String userId) to prepend a 0 on the way into the method but this did not work.
thanks
Thanks for the advice guys. I was lucky and I found another column in the database named sign on id. It contains the actual string that the user enters to sign into the application.
How do I encrypt a password insert it into the db and after the comparison when he will want to connect?
I would use Spring security 3.1.
Link Doc Spring : http://docs.spring.io/spring-security/site/docs/3.1.4.RELEASE/reference/crypto.html Link API SPring security 3.1.4 : http://docs.spring.io/spring-security/site/docs/3.1.4.RELEASE/apidocs/
Hash the password and store it in database.. when login hash the password which enters and compare it with the password which is stored in database..
check this link.. may help you...
http://www.mkyong.com/spring-security/spring-security-password-hashing-example/