On a previous post we added password encoding to our spring security configuration using jdbc and md5 password encoding.
However in case of custom UserDetailsServices we need to make some tweeks to our security configuration.
We need to create a DaoAuthenticationProvider bean and set it to the AuthenticationManagerBuilder.
Since we need a Custom UserDetailsService I will use use the Spring Security/MongoDB example codebase.
What we have to do is to change our Spring Security configuration.
package com.gkatzioura.spring.security.config;
import com.gkatzioura.spring.security.service.CustomerUserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Profile;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import javax.sql.DataSource;
/**
* Created by gkatzioura on 10/5/16.
*/
@EnableWebSecurity
@Profile("encodedcustompassword")
public class PasswordCustomEncodedSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public UserDetailsService mongoUserDetails() {
return new CustomerUserDetailsService();
}
@Bean
public DaoAuthenticationProvider authProvider() {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(mongoUserDetails());
authProvider.setPasswordEncoder(new BCryptPasswordEncoder());
return authProvider;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/public").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.permitAll()
.and()
.logout()
.permitAll();
}
}
In most cases this works ok. However we might as well want to roll our own PasswordEncoder, which is pretty easy.
package com.gkatzioura.spring.security.encoder;
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* Created by gkatzioura on 10/5/16.
*/
public class CustomPasswordEncoder implements PasswordEncoder {
@Override
public String encode(CharSequence rawPassword) {
String hashed = BCrypt.hashpw(rawPassword.toString(), BCrypt.gensalt(12));
return hashed;
}
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword) {
return BCrypt.checkpw(rawPassword.toString(), encodedPassword);
}
}
So we will change our configuration in order to use the new PasswordEncoder
@Bean
public DaoAuthenticationProvider authProvider() {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(mongoUserDetails());
authProvider.setPasswordEncoder(new CustomPasswordEncoder());
return authProvider;
}
Next step will be to create the encoded password.
@Test
public void customEncoder() {
CustomPasswordEncoder customPasswordEncoder = new CustomPasswordEncoder();
String encoded = customPasswordEncoder.encode("custom_pass");
LOGGER.info("Custom encoded "+encoded);
}
Then add a user with a hashed password to our mongodb database.
db.users.insert({"name":"John","surname":"doe","email":"john2@doe.com","password":"$2a$12$qB.L7buUPi2RJHZ9fYceQ.XdyEFxjAmiekH9AEkJvh1gLFPGEf9mW","authorities":["user","admin"]})
All that we need is to change the default profile on our gradle script and we are good to go.
bootRun {
systemProperty "spring.profiles.active", "encodedcustompassword"
}
You can find the sourcecode on github.
Emmanouil Gkatziouras 