How to use salt from a database field in Spring Security
I am using spring-security-3.1.0 with spring-framework-3.0.6. I use salt to test the security of the login. But the problem with salt in salt is the source. if i use beans: property name = "userPropertyToUse" value = "username" then everything is fine but the problem is <beans:property name="userPropertyToUse" value="lalt">
even hardcoded I have configured all the necessary configuration for "salt"
. It is throwing this message
Cannot find salt method on user object. Is the class "org.springframework.security.core.userdetails.User" has a method or getter named "salt"?
My spring-security.xml looks like this
<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
<beans:property name="userPropertyToUse" value="salt" />
</beans:bean>
<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
<beans:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener" />
<authentication-manager>
<authentication-provider user-service-ref="jdbcUserService">
<password-encoder ref="passwordEncoder">
<salt-source ref="saltSource"/>
</password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="jdbcUserService" class="controllers.CustomJdbcDaoImpl">
<beans:property name="dataSource" ref="dataSource"/>
<beans:property name="usersByUsernameQuery">
<beans:value>SELECT U.userid AS username,
U.userpassword as password,
'true' AS enabled,
U.userpasswordsalt AS salt
FROM users U WHERE U.userid=?
</beans:value>
</beans:property>
<beans:property name="authoritiesByUsernameQuery">
<beans:value>SELECT U.userid AS username,
U.userrole as authority
FROM users U
WHERE U.userid=?
</beans:value>
</beans:property>
</beans:bean>
My jdbcUserService.java for salt
public class CustomJdbcDaoImpl extends JdbcDaoImpl {
@Override
protected List<UserDetails> loadUsersByUsername(String username) {
return getJdbcTemplate().query(getUsersByUsernameQuery(),new String[] {username},
new RowMapper<UserDetails>() {
public UserDetails mapRow(ResultSet rs, int rowNum)throws SQLException {
String username = rs.getString(1);
String password = rs.getString(2);
boolean enabled = rs.getBoolean(3);
String salt = rs.getString(4);
System.out.println("CustomJdbcDaoImpl Salt : "+salt);
return new SaltedUser(username, password,enabled, true, true, true,AuthorityUtils.NO_AUTHORITIES, salt);
}
});
}
}
And My SaltedUser.java
public class SaltedUser extends User{
private String salt;
public SaltedUser(String username, String password,boolean enabled,
boolean accountNonExpired, boolean credentialsNonExpired,
boolean accountNonLocked, List<GrantedAuthority>authorities, String salt) {
super(username, password, enabled,accountNonExpired, credentialsNonExpired,accountNonLocked, authorities);
this.salt = salt;
System.out.println("SaltedUser Salt : "+salt);
}
public String getSalt() {
return salt;
}
public void setSalt(String salt) {
this.salt = salt;
}
}
Anyone can help me ....?
source to share
You need to override the method createUserDetails
that creates the final implementation UserDetails
returned by the class. Take a look at the source JdbcDaoImpl
.
Note that if you are not building this for a legacy system that already has a password hashing system installed, using something like BCrypt to encode your passwords would be a simpler and easier option.
source to share