I have working on jhipster.but i am unable to decrypt password in jhipster and Spring.PasswordEncoderClass only provide encode and Match password function.can you help to decrypt password in jhipster.
Thanks in advance
We are using Spring Security's StandardPasswordEncoder, I do hope you can't decrypt it :-)
We are indeed storing hashed passwords: as you say, you can encode a password, and validate (match) if a specific String is the correct password, but you can't decrypt it. This means that if your database is stolen by a hacker, he would have a very hard time to figure out your users' passwords.
So this is a very good idea if you want to keep your users' password secure.
If, however, you want to have your passwords in plain text, you can change the encoder in your SecurityConfiguration class: you need to change the "passwordEncoder" bean, and probably use Spring Security's "NoOpPasswordEncoder" class. Of course, I have never done it, as I care about my users' data :-)
Related
I have default auth implemented in Laravel 7 and works like a charm.
However, I have a very peculiar requirement wherein, the password shouldn't even travel in plain text although SSL is implemented on network.
One way would be to handle it via javascript on login page wherein I encrypt the value of password and send the same to server and then decrypt the same in php before handing it to laravel attemptLogin method.
However, I am not so sure about this approach.
Any help would be awesome.
Solution:
On client side, used crypt.js/aes.min.js and encrypted the password using a key and iv.
In login controller, overrode credentials method and decrypted using openssl_decrypt before passing on to hash check.
This is already discussed on this answer:
It is standard practice to send "plaintext" passwords over HTTPS. The
passwords are ultimately not plaintext, since the client-server
communication is encrypted as per TLS.
And this one:
If you hash on the client side, the hashed password becomes the actual
password (with the hashing algorithm being nothing more than a means
to convert a user-held mnemonic to the actual password).
This means that you will be storing the full "plain-text" password
(the hash) in the database, and you will have lost all benefit of
hashing in the first place.
You may also read this answer for more security options.
I solved it as below:
On client side, used crypt.js/aes.min.js and encrypted the password using a key and iv.
In login controller, overrode credentials method and decrypted using openssl_decrypt before passing on to hash check.
I'm working with Spring Boot Security.
I have to Sign up a user (name, login, password, ... .),
the password inserted to oracle DB is encoded using PasswordEncoder.
Then the Sign in is implemented with JWT.
I'd like to recuperate the password registered in DB, but it's not possible with PasswordEncoder.
That's why I used StandardPBEStringEncryptor which allowed decrypt the encrypted registered password.
But, now, I faced another problem which is :
encoded password does not look like bcrypt jwt
Could you please tell me if I missed something ? Have you any idea to recuperate the registered password ?
Any suggestion will be appreciated.
I created my own authentication provider for my spring application, on which I specified the org.springframework.security.crypto.password.PasswordEncoder. I have my users stored in the database with their encrypted passwords (after a database algorithm). For being able to make the authentication, I would need to have access from the org.springframework.security.crypto.password.PasswordEncoder class to the username that is sent for authentication. Can anyone guide me how can I do this? Or is there any other approach?
N.B. I'm using SpringSecurity 3.2.
I don't even care if it's an old question, I've just spent 9 hours trying to figure this out. Might as well leave it here in case someone else stumbles upon this again.
String username = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes()).getRequest().getParameter("username");
Using the code above I was able to extract the username from current request.
ATTENTION: You must use the following class org.springframework.web.context.request.RequestContextHolder
There was a similar one that was doing me wrong.
Assuming that User Entered UserName,UserPassword is User,Pwd.
In order to Authenticate, you can perform the following.
Get User Entered Username and Password(User,Pwd).
Encode the Pwd using
String encodedPassword=passwordEncoder.encode(pwd);
Compare if UserEnteredUserName=DBUserNAme and UserEnteredEncodedPassword==EncodedPasswordInDB, based on match values, you can authenticate the User.
I have a database where passwords are encrypted in plain old md5. There is no salt. All the usernames are numeric.
This is what the db looks like..
Username, Password, Hashed Password
0101,abcd123,79cfeb94595de33b3326c06ab1c7dbda
I am writing a web application using spring security. I have managed to get authentication working when the user the user types in 0101 as the username and then abcd123 as the password.
But what I really want working is the user to type in 101 (without the leading zero) as the username and abcd123 as the password.
I got my code working with the leading zero by overriding org.springframework.security.core.userdetails.UserDetailsService > loadUserByUsername(String userId).
I started looking at salt and then realized that I was totally going down the wrong track because this has nothing to do with my use password.
How can I alter my code so that my requirement is meant? I tried to hack my own implementation of loadUserByUsername(String userId) to prepend a 0 on the way into the method but this did not work.
thanks
Thanks for the advice guys. I was lucky and I found another column in the database named sign on id. It contains the actual string that the user enters to sign into the application.
I need to decode a password that was encoded using the org.springframework.security.authentication.encoding.PasswordEncoder.encodePassword method. Basically, application "A" maintains the encoded/encrypted password in its database. Application "B" makes a RESTful call to application "A" to get the userid and password (passes password as encoded/encrypted) and then application "B" needs to view the clear text version of the password, how would it decode it?
The mentioned class "org.springframework.security.authentication.encoding.PasswordEncoder.encodePassword" seems to use digest function to encode the password. Because all the digest function are mentioned to be one way only it is easy to make encoded password from the clear text but almost impossible to obtain unencrypted version from the digest.
If you want to authenticate user just encrypt the password and compare it to it's stored encrypted version.
Other option can be reseting the password (replacing value stored in application "A").
If you insist on unencrypted password in application "B" from the digest, you have to crack it, which can be time consuming operation...