I created my own authentication provider for my Spring application, on which I specified the org.springframework.security.crypto.password.PasswordEncoder. I have my users stored in the database with their encrypted passwords (after a database algorithm). To be able to perform the authentication, I would need to have access, from the org.springframework.security.crypto.password.PasswordEncoder class, to the username that is sent for authentication. Can anyone guide me on how I can do this? Or is there another approach?
N.B. I'm using Spring Security 3.2.
I don't even care if it's an old question, I've just spent 9 hours trying to figure this out. Might as well leave it here in case someone else stumbles upon this again.
String username = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest().getParameter("username");
Using the code above I was able to extract the username from the current request.
ATTENTION: You must use the following class: org.springframework.web.context.request.RequestContextHolder
There was a similar one that was doing me wrong.
Assuming that the user-entered username and password are User and Pwd.
In order to authenticate, you can perform the following.
Get the user-entered username and password (User, Pwd).
Encode the Pwd using
String encodedPassword = passwordEncoder.encode(pwd);
Compare if UserEnteredUserName == DBUserName and UserEnteredEncodedPassword == EncodedPasswordInDB; based on the match values, you can authenticate the user.
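As an added example (not code from the question or from either answer), here is a custom AuthenticationProvider for Spring Security 3.2 that takes the username from the Authentication object it is handed, rather than from the HTTP request, and recomputes the database's username-dependent hash for the comparison. The hash scheme (SHA-256 over "username:password", hex-encoded) and the class name are assumptions standing in for whatever the "database algorithm" actually is; the comparison goes through MessageDigest.isEqual so that its run time does not depend on how many bytes matched.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical provider: the username arrives on the Authentication object, so the
// password check can depend on it without reaching into the HTTP request.
public class UsernameAwareAuthenticationProvider implements AuthenticationProvider {

    private final UserDetailsService userDetailsService;

    public UsernameAwareAuthenticationProvider(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();                        // what the user typed
        String rawPassword = String.valueOf(authentication.getCredentials());

        UserDetails user;
        try {
            user = userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            // Same error for unknown user and wrong password: do not reveal which usernames exist.
            throw new BadCredentialsException("Bad credentials");
        }

        // user.getPassword() holds the DB's stored hex digest; recompute it with the same scheme.
        String expectedHex = user.getPassword().toLowerCase();
        String actualHex = legacyHash(username, rawPassword);

        // Constant-time comparison so run time does not depend on how many bytes matched.
        if (!MessageDigest.isEqual(expectedHex.getBytes(StandardCharsets.US_ASCII),
                                   actualHex.getBytes(StandardCharsets.US_ASCII))) {
            throw new BadCredentialsException("Bad credentials");
        }
        // Credentials are dropped from the returned token; authorities come from the DB record.
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    // Assumed stand-in for the "database algorithm": SHA-256 over "username:password", hex-encoded.
    static String legacyHash(String username, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest((username + ":" + password).getBytes(StandardCharsets.UTF_8));
            return String.format("%064x", new BigInteger(1, digest));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Register the bean as the provider (in XML, an authentication-provider ref inside authentication-manager; in Java config, auth.authenticationProvider(...)). Because the provider recomputes the stored form itself, no PasswordEncoder needs the username, and the request-scoped RequestContextHolder lookup is not needed.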
I am able to get LDAP authentication working with Spring Boot's ActiveDirectoryLdapAuthenticationProvider. The same code works in other client environments, but somehow with one client it is not working.
I am able to connect to LDAP and bind and also reach the root DN; all is working fine.
In the search filter, in place of using the default one, i.e.:
(&(objectClass=user)(userPrincipalName={0}))
I am using:
(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))
I have tried a lot of search filters, but nothing seems to work.
Can anyone please help with this? I don't have much knowledge of LDAP.
The question is really whether you should match by userPrincipalName or sAMAccountName. That really depends on what your users expect.
The sAMAccountName is what you would normally think of when you say "username".
The userPrincipalName looks like an email address. It's usually the same as the sAMAccountName followed by @ and the domain DNS name, but it doesn't have to be.
You can see here for more information on that: User Naming Attributes
Whatever value the user types in as the username should match the attribute you have chosen here.
#gariel The user is expecting to strictly log in only using sAMAccountName. I got the login working with the email ID (&(objectClass=user)(userPrincipalName={0})) filter. But to make it work with sAMAccountName with their LDAP, changing it to (&(objectClass=user)(sAMAccountName={0})) just doesn't work. Their sAMAccountName and userPrincipalName are not the same.
As a workaround, instead of completely depending on Spring Security for authentication,
the user inputs the sAMAccountName, and I intercept the request using a custom filter. In the custom filter, using Java code, I query LDAP to give me the email ID of that sAMAccountName. Once I have the email ID of the user, I update the username field in the request from sAMAccountName to email ID and then pass the authentication request forward (remember I already had the LDAP authentication working with email ID).
In the SecurityConfig file: .addFilterBefore(new CustomFilter(), UsernamePasswordAuthenticationFilter.class)
CustomFilter is where I am doing everything mentioned above.
Now everything works fine, but I have a new issue. When a user successfully authenticates, if the user is not present in the local DB and doesn't require any authority, it works fine. But if the user is defined to be ADMIN in the local DB, and post-authentication we provide it with the ADMIN authority, for some reason, because of the custom filter, it goes into a loop.
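The lookup the reply above describes (sAMAccountName in, userPrincipalName out) takes a user-typed value and puts it into an LDAP search filter, so the filter must be built with escaping rather than string concatenation. The following is an added example, not the poster's CustomFilter; it assumes Spring LDAP's LdapTemplate is already configured with a service bind account, and the class name and search base are placeholders.

```java
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;

import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;

// Hypothetical helper for the custom filter described above: maps a typed sAMAccountName
// to the account's userPrincipalName so the existing UPN-based login can proceed.
public class UpnResolver {

    private final LdapTemplate ldapTemplate;   // assumed to be configured with a service bind account
    private final String searchBase;            // e.g. "OU=Users,DC=example,DC=com" (placeholder)

    public UpnResolver(LdapTemplate ldapTemplate, String searchBase) {
        this.ldapTemplate = ldapTemplate;
        this.searchBase = searchBase;
    }

    /** Returns the UPN for exactly one matching account, or null if there is no unique match. */
    public String resolveUserPrincipalName(String samAccountName) {
        if (samAccountName == null || samAccountName.isEmpty() || samAccountName.length() > 256) {
            return null;
        }
        // EqualsFilter escapes the value (RFC 4515), so user-typed characters such as
        // "*", "(", ")" or "\" are matched literally instead of altering the filter.
        AndFilter filter = new AndFilter()
                .and(new EqualsFilter("objectCategory", "person"))
                .and(new EqualsFilter("objectClass", "user"))
                .and(new EqualsFilter("sAMAccountName", samAccountName));

        List<String> upns = ldapTemplate.search(searchBase, filter.encode(),
                new AttributesMapper<String>() {
                    @Override
                    public String mapFromAttributes(Attributes attrs) throws NamingException {
                        Attribute upn = attrs.get("userPrincipalName");
                        return upn == null ? null : (String) upn.get();
                    }
                });

        // A single, non-null result is required before the username field is rewritten.
        if (upns.size() != 1 || upns.get(0) == null) {
            return null;
        }
        return upns.get(0);
    }
}
```

Servlet request parameters are read-only, so the custom filter would pass a javax.servlet.http.HttpServletRequestWrapper down the chain whose getParameter("username") returns the resolved UPN; when resolveUserPrincipalName returns null the filter should leave the request untouched and let the normal authentication failure happen.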
I've implemented really basic user authentication before - generate a session cookie when logging in, and when the user loads a page with authentication just check the cookie.
However, the complexity of Spring Security / Apache Shiro is really confusing me.
All I really want is:
be able to have a user log in once and see their username on every page they visit (like on Stackoverflow)
have this login persist for a reasonable length (cookie expiry time or something like that)
It looks like I have the option of using EhCache or implementing my own subclass of... something... to use something like postgres.
I seem to have gotten the first thing I want working in Apache Shiro:
Subject sub = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
token.setRememberMe(remember);
try {
    sub.login(token);
    // ...
} catch (AuthenticationException e) {
    // login failed: bad credentials, locked account, etc.
}
But I'm super stuck on how to get this session to persist between restarts of the Spring web server. Like, I know Stack Overflow highly recommends a code example, but I literally don't even know where to start. Right now my "progress" on trying to figure out how to persist sessions between restarts (bolded to clarify what I'm asking) is literally the single line
DefaultWebSecurityManager dwsm = new DefaultWebSecurityManager();
// ...
dwsm.setCacheManager(new EhCacheManager());
and I don't even know what that actually does.
I would really appreciate any kind of guidance here since I really don't even know where to begin and the documentation I've been able to find is unfortunately not super thorough.
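An added example for the question above (not the asker's code): Shiro sessions outlive a restart when DefaultWebSessionManager is given a SessionDAO backed by persistent storage. FileSessionDAO below is a hypothetical, minimal one that writes each serialized session to a directory; buildSecurityManager() wires it in and also sets a fixed remember-me cipher key so that remember-me cookies issued before a restart still decrypt afterwards. The directory path and the source of the key bytes are assumptions; the key must come from secret configuration, not from a literal in source.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.io.UncheckedIOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

// Hypothetical DAO: each Shiro session is kept as a serialized file so it survives a JVM restart.
public class FileSessionDAO extends AbstractSessionDAO {
    private final Path dir;

    public FileSessionDAO(Path dir) throws IOException {
        this.dir = Files.createDirectories(dir);
    }

    // Shiro generates UUID-style ids; refusing anything else keeps an id from ever
    // being interpreted as a path segment such as "../".
    private Path fileFor(Serializable id) {
        String s = String.valueOf(id);
        if (!s.matches("[0-9a-fA-F-]{1,64}")) {
            throw new UnknownSessionException("Malformed session id");
        }
        return dir.resolve(s + ".ser");
    }

    private void write(Session session) {
        try (ObjectOutputStream out = new ObjectOutputStream(Files.newOutputStream(fileFor(session.getId())))) {
            out.writeObject(session);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    @Override
    protected Serializable doCreate(Session session) {
        Serializable id = generateSessionId(session);
        assignSessionId(session, id);
        write(session);
        return id;
    }

    @Override
    protected Session doReadSession(Serializable id) {
        Path p = fileFor(id);
        if (!Files.exists(p)) {
            return null;   // AbstractSessionDAO turns null into UnknownSessionException
        }
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(p))) {
            return (Session) in.readObject();
        } catch (IOException | ClassNotFoundException e) {
            throw new UnknownSessionException("Cannot read session " + id, e);
        }
    }

    @Override
    public void update(Session session) { write(session); }

    @Override
    public void delete(Session session) {
        try {
            Files.deleteIfExists(fileFor(session.getId()));
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    @Override
    public Collection<Session> getActiveSessions() {
        List<Session> sessions = new ArrayList<>();
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.ser")) {
            for (Path p : files) {
                Session s = doReadSession(p.getFileName().toString().replace(".ser", ""));
                if (s != null) sessions.add(s);
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
        return sessions;
    }

    // Wires the persistent DAO and a fixed remember-me key into the security manager.
    public static DefaultWebSecurityManager buildSecurityManager(Path sessionDir, byte[] rememberMeKey)
            throws IOException {
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionDAO(new FileSessionDAO(sessionDir));
        sessionManager.setGlobalSessionTimeout(8L * 60 * 60 * 1000);   // 8 hours of inactivity (assumed)

        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCipherKey(rememberMeKey);   // stable key loaded from secret config, never hardcoded

        DefaultWebSecurityManager dwsm = new DefaultWebSecurityManager();
        dwsm.setSessionManager(sessionManager);
        dwsm.setRememberMeManager(rememberMe);
        return dwsm;
    }
}
```

The directory stands in for whatever store the deployment actually has (a JDBC table or a shared cache would replace write() and doReadSession()); the session timeout and the remember-me cookie's expiry are the two knobs that bound how long a login persists. Restrict the directory's permissions to the application user, since each file contains a live session.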
That's one of the problems with just sessions: they are not persistent over restarts unless you save your sessions.
Nowadays people usually use a token-based approach like OAuth2.
The flow in a token-based authentication system is:
The user sends his/her credentials to an authorization server (OAuth2).
If the credentials were correct, they get a token back.
The client (web page) makes a request to the backend to get the user object and supplies the token in this call as an "Authorization" header.
The backend takes the token and sends it to the authorization server (OAuth2) to check its validity.
If the token is valid, the backend server fetches the user object and sends this to the client.
The client gets the username from the user object and stores this in its state (React, Redux if such an app). In every call to the backend the client must supply the token it got from the first login, so that the server always knows that the caller is who he/she claims to be.
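Step 4 of the flow above (the backend checks the token with the authorization server on every request) is the part that decides whether a revoked or expired token still works. As an added example, not part of the answer, here is a Spring servlet filter that performs that check with an OAuth2 token-introspection call; the introspection URL and the backend's own client credentials are placeholders, and HttpHeaders.setBasicAuth assumes Spring 5.1 or later.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical backend filter: every request's bearer token is checked with the
// authorization server before the caller is treated as authenticated.
public class IntrospectingTokenFilter extends OncePerRequestFilter {

    private final RestTemplate rest = new RestTemplate();
    private final String introspectionUrl;   // placeholder, e.g. "https://auth.example/oauth2/introspect"
    private final String clientId;           // this backend's own credentials at the authorization server
    private final String clientSecret;

    public IntrospectingTokenFilter(String introspectionUrl, String clientId, String clientSecret) {
        this.introspectionUrl = introspectionUrl;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(req, res);   // no token: stay anonymous and let the access rules decide
            return;
        }
        Map<String, Object> claims = introspect(header.substring("Bearer ".length()).trim());
        if (claims == null || !Boolean.TRUE.equals(claims.get("active"))) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // revoked, expired or unknown token
            return;
        }
        Object user = claims.get("username") != null ? claims.get("username") : claims.get("sub");
        String scope = claims.get("scope") == null ? "" : claims.get("scope").toString().trim();
        List<GrantedAuthority> authorities = scope.isEmpty()
                ? AuthorityUtils.NO_AUTHORITIES
                : AuthorityUtils.createAuthorityList(scope.split(" "));
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(String.valueOf(user), null, authorities));
        chain.doFilter(req, res);
    }

    // Posts the token to the introspection endpoint; the JSON reply is decoded into a map.
    @SuppressWarnings("unchecked")
    Map<String, Object> introspect(String token) {
        HttpHeaders headers = new HttpHeaders();
        headers.setBasicAuth(clientId, clientSecret);   // the backend authenticates itself (Spring 5.1+)
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("token", token);
        try {
            return rest.postForObject(introspectionUrl, new HttpEntity<>(form, headers), Map.class);
        } catch (RestClientException e) {
            return null;   // an unreachable authorization server counts as "not valid"
        }
    }
}
```

Because the check happens on every request, the authorization server can revoke a token and the backend stops honouring it immediately; the trade-off is one extra network call per request, which deployments usually soften with a short-lived cache keyed by the token.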
I have been working on JHipster, but I am unable to decrypt the password in JHipster and Spring. The PasswordEncoder class only provides encode and match password functions. Can you help to decrypt the password in JHipster?
Thanks in advance
We are using Spring Security's StandardPasswordEncoder, I do hope you can't decrypt it :-)
We are indeed storing hashed passwords: as you say, you can encode a password, and validate (match) if a specific String is the correct password, but you can't decrypt it. This means that if your database is stolen by a hacker, he would have a very hard time figuring out your users' passwords.
So this is a very good idea if you want to keep your users' password secure.
If, however, you want to have your passwords in plain text, you can change the encoder in your SecurityConfiguration class: you need to change the "passwordEncoder" bean, and probably use Spring Security's "NoOpPasswordEncoder" class. Of course, I have never done it, as I care about my users' data :-)
I have a database where passwords are encrypted in plain old md5. There is no salt. All the usernames are numeric.
This is what the DB looks like:
Username, Password, Hashed Password
0101,abcd123,79cfeb94595de33b3326c06ab1c7dbda
I am writing a web application using Spring Security. I have managed to get authentication working when the user types in 0101 as the username and then abcd123 as the password.
But what I really want working is the user to type in 101 (without the leading zero) as the username and abcd123 as the password.
I got my code working with the leading zero by overriding org.springframework.security.core.userdetails.UserDetailsService > loadUserByUsername(String userId).
I started looking at salt and then realized that I was totally going down the wrong track because this has nothing to do with my use password.
How can I alter my code so that my requirement is met? I tried to hack my own implementation of loadUserByUsername(String userId) to prepend a 0 on the way into the method, but this did not work.
Thanks
Thanks for the advice guys. I was lucky and I found another column in the database named sign-on id. It contains the actual string that the user enters to sign into the application.
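The JHipster answer above (a stored hash can be matched but not reversed) and the unsalted-MD5 database in this question meet in one practical situation: the raw password is only available at login, so that is the moment a legacy row can be re-hashed. As an added example, not code from either thread, here is a PasswordEncoder that accepts existing 32-hex MD5 rows, verifies them in constant time, and reports that the row should be replaced by a bcrypt hash after a successful match. The class name and the "32 hex characters means legacy MD5" rule are assumptions.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical encoder: new passwords are stored as bcrypt; legacy unsalted MD5 rows are
// still accepted and flagged for an upgrade on the user's next successful login.
public class MigratingPasswordEncoder implements PasswordEncoder {

    private final PasswordEncoder bcrypt = new BCryptPasswordEncoder();

    @Override
    public String encode(CharSequence rawPassword) {
        return bcrypt.encode(rawPassword);   // salted; can be matched later, never reversed
    }

    @Override
    public boolean matches(CharSequence rawPassword, String stored) {
        if (isLegacyMd5(stored)) {
            String candidate = md5Hex(rawPassword.toString());
            // Constant-time comparison of the two hex strings.
            return MessageDigest.isEqual(candidate.getBytes(StandardCharsets.US_ASCII),
                                         stored.toLowerCase().getBytes(StandardCharsets.US_ASCII));
        }
        return bcrypt.matches(rawPassword, stored);
    }

    // True when the stored value should be replaced by encode(rawPassword) after a successful match.
    public boolean needsUpgrade(String stored) {
        return isLegacyMd5(stored);
    }

    // Assumption: a 32-character hex string is a legacy MD5 row; bcrypt hashes start with "$2".
    static boolean isLegacyMd5(String stored) {
        return stored != null && stored.matches("[0-9a-fA-F]{32}");
    }

    static String md5Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            return String.format("%032x", new BigInteger(1, digest));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

In the login path, after matches() returns true, check needsUpgrade(stored) and, if so, write encode(rawPassword) back to the row; once every active user has logged in once, the MD5 branch can be removed. Comparing encode() outputs directly (as suggested in the first thread on this page) cannot work with a salted encoder, because each encode() call picks a fresh salt and yields a different string.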
I have been working on this for several days, and hope someone can help me.
There are three requirements for the authentication processing.
Authentication using OpenID; the login page is login.jsp. After login is successful, display the username and email address at login-succ.jsp.
There is an input field in login.jsp; I also need to display the value of mymessage in login-succ.jsp if login is successful.
After logging in successfully, the user is in login-succ.jsp with his username, email address and mymessage value. If the user refreshes the login-succ.jsp page, these three values should be displayed again.
I have tried to achieve these three requirements using CustomOpenIDAuthenticationFilter in another post of mine, but if I save the message into the session and there are two instances of login.jsp, the two instances will overwrite each other's message values after a refresh. I do not know if I am doing everything wrong. So can anyone please give me some suggestions about how to meet these three requirements using Spring Security and Spring MVC.
Thanks.
To me, this feels like a design that is begging for some type of injection attack (taking a URL parameter that is displayed blindly on the page to the user is a really bad idea).
Instead, I would stick the message in the HttpSession prior to the user being redirected to OpenID login, and retrieve the message after they are successfully redirected. Obviously, you would need code to clear the message from the session upon failure, logout, etc.
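One way to implement the answer's design (park the message in the HttpSession before the OpenID redirect, read it back afterwards, clear it on logout or failure), as an added example that is not code from the question or the answer. It assumes Spring Security 3.x's OpenID support, that the login form posts "mymessage" alongside the OpenID identifier, that attribute exchange was configured with an attribute named "email", and the session key and class names are made up for the example.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.openid.OpenIDAttribute;
import org.springframework.security.openid.OpenIDAuthenticationToken;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.HtmlUtils;

// Session key and length limit are assumptions for this example.
class LoginMessage {
    static final String SESSION_ATTR = "pendingLoginMessage";
    static final int MAX_LENGTH = 200;

    static String clip(String m) {
        return m.length() > MAX_LENGTH ? m.substring(0, MAX_LENGTH) : m;
    }
}

// Step 1: registered before the OpenID filter; the message is parked in the session
// before the user is redirected to the OpenID provider.
class StashLoginMessageFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String message = req.getParameter("mymessage");
        if ("POST".equals(req.getMethod()) && message != null) {
            req.getSession().setAttribute(LoginMessage.SESSION_ATTR, LoginMessage.clip(message));
        }
        chain.doFilter(req, res);
    }
}

// Step 2: login-succ reads everything from the security context and the session,
// so a page refresh shows the same three values again; nothing comes from the URL.
@Controller
class LoginSuccessController {
    @RequestMapping("/login-succ")
    public String loginSucc(HttpSession session, Model model) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        model.addAttribute("username", auth.getName());
        model.addAttribute("email", emailFrom(auth));
        String message = (String) session.getAttribute(LoginMessage.SESSION_ATTR);
        // Escape before rendering: the value was typed by the user and must not become markup.
        model.addAttribute("mymessage", message == null ? "" : HtmlUtils.htmlEscape(message));
        return "login-succ";
    }

    // Assumes attribute exchange was configured with an attribute named "email".
    private static String emailFrom(Authentication auth) {
        if (!(auth instanceof OpenIDAuthenticationToken)) {
            return "";
        }
        for (OpenIDAttribute attr : ((OpenIDAuthenticationToken) auth).getAttributes()) {
            if ("email".equals(attr.getName()) && !attr.getValues().isEmpty()) {
                return HtmlUtils.htmlEscape(attr.getValues().get(0));
            }
        }
        return "";
    }
}

// Step 3: drop the message on logout; a failure handler would call the same method.
class ClearLoginMessageHandler implements LogoutHandler {
    @Override
    public void logout(HttpServletRequest req, HttpServletResponse res, Authentication auth) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.removeAttribute(LoginMessage.SESSION_ATTR);
        }
    }
}
```

Register the filter with addFilterBefore(new StashLoginMessageFilter(), OpenIDAuthenticationFilter.class) and the handler on the logout configuration. Two login tabs in one browser share one HttpSession, so whichever form is submitted last wins; that is inherent to keeping the value in the session rather than in the URL, and it is the price of not echoing a request parameter straight into the page.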