I want to use bcrypt hashing algorithm in my grails project instead of its defaultSHA-256 message digest algorithm. To enable bcrypt, you just use the grails install-plugin spring-security-bcrypt command.
You can customize keying rounds by adding this to BuildConfig.groovy:
grails.plugins.springsecurity.password.bcrypt.logrounds = 15
My question is, is that all I need to do to set bcrypt as my password algorithm? Does it automatically use the bcrypt algorithm when I use this method from the domain class generated by spring-security-core:
springSecurityService.encodePassword(params.password)
How do I check if bcrypt is working on my project?
You also need to add
grails.plugins.springsecurity.password.algorithm='bcrypt'
Related
I see that many using jasypt to encrypt the application.properties file in spring boot. Can I use my own algorithm for that? If yes then can you show me how, thanks.
From the Jasypt FAQ:
Jasypt by itself does not implement nor distribute in any of its forms any cryptographic algorithms. It simply uses the algorithms already present in the users' Java installations via the Java Cryptography Extension.
Here is a link to the official Java 9 documentation about How to Implement a Provider in the Java Cryptography Architecture and another link to an example of Building a custom Java Crypto Provider.
Why do Spring Security documentation and implementation rely on password and not password hash?
Isn't it a major security issue, that might cause issues in many products? Thanks.
Your understanding is wrong. The fact that something is called getPassword or the field password doesn't mean it isn't encrypted.
By default passwords are hashed using BCrypt in Spring Security. This is done through the BCryptPasswordEncoder. So what is stored (if anything is stored!) depends on the actual PasswordEncoder in use, next to ofcourse the authentication mechanism in use (for instance if you use X509 this would be empty).
I'm trying to improve the security of my Gradle project by making use of its dependency verification feature.
Out of the box, Gradle can generate hashes for each of my declared dependencies, but the docs suggest that I explicitly specify hashes provided by the developer if at all possible.
I've been looking around the Springboot website, docs, and GitHub repository, but I can't find a place where these hashes are documented. Are they available?
The Spring Boot team doesn't appear to publish SHA-256 nor SHA-512 currently. For example, here are the contents for various projects:
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-web/2.4.3/
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot/2.4.3/
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-actuator/2.4.3/
Only SHA-1 can be found.
I currently develop web application using spring boot, i want to ask what is the best way to store salt key for encryption
Currently i create encryption util class and i still doubt about how to store salt key.
i have to 2 options :
1. i create static final property on my encryption util
2. put at application.property file
or you have another suggestion
thanks
The simpliest is option 1 and it's IMO more secure than option 2 if you planned to put your key is in plain text in application.properties.
But the best would be to add your key in application.properties (option 2) and encrypt it, for example, with jasypt .
You can find samples with Spring boot here
In my grails application,i am using spring security core plugin for security,and email confirmation plugin for email validity,now i need to implement code for forget password.
Do i need to use spring security ui plugin or i can achiebe it with existing plugins?
With thanks,
Since passwords are stored with one-way encryption, there's no way to retrieve the original cleartext password (unless you store it unencrypted, which is a bad idea). So the workflow in the UI plugin involves resetting the password via email.
You can install that, but you don't have to use the UI plugin - feel free to copy the implementation and use it in your application.
I implemented a reset password feature using the email confirmation plugin. This was when I was using the Acegi security plugin (the Spring Security plugin's ancestor), but AFAIK it should work with the Spring Security plugin too.