Question

I am using spring security for my web application. I want to encode password text before sending it to server. Here below is my code:

spring-security.xml

<!-- AUTHENTICATION MANAGER -->
<authentication-manager alias="authenticationManager">

    <!-- AUTHENTICATION PROVIDERS -->
    <!-- Remember-Me Authentication Provider -->
    <authentication-provider ref="rememberMeAuthenticationProvider"></authentication-provider>

    <!--
        Authentication Provider to make use of the Spring Security provided JDBC
        user management service
    -->
    <authentication-provider user-service-ref="jdbcUserService">
        <!-- SHA-256 password encoding scheme to secure user credentials
             (ShaPasswordEncoder with strength 256, see the bean below) -->
        <password-encoder ref="sha2PasswordEncoder" />
    </authentication-provider>
</authentication-manager>


<!-- SHA-256 Password Encoder (the constructor argument selects the SHA strength) -->
<bean id="sha2PasswordEncoder"
    class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
    <constructor-arg value="256" />
</bean>

Even after using this, I am getting the password in plain text form at the server side; I want to have the password in encoded form at the server side using Spring Security.

I have stored the password in the database in encrypted form. I am a beginner to Spring, so maybe this question is a simple one and I am missing some basic thing. Any reference implementation will be helpful.

Thanks in advance.


Solution 4

Below is the solution I have applied for above issue.

<script type="text/javascript"
    src="<%=request.getContextPath()%>/tp/web/console/include/js/security/sha256.js"></script>
<script type="text/javascript"
    src="<%=request.getContextPath()%>/tp/web/console/include/js/security/base64.js"></script>
<script type="text/javascript"
    src="<%=request.getContextPath()%>/tp/web/console/include/js/security/crypto.js"></script>
<script type="text/javascript">
    // Replaces the plain-text value of the j_password field with its SHA-256
    // hex digest before the login form is submitted.
    function setPassword() {
        var field = document.getElementById("j_password");
        field.value = CryptoJS.SHA256(field.value).toString();
    }
</script>

As in the code above, I encoded the password text using the SHA-256 encoder. On the server side I have disabled the Spring encoder which was encoding the password coming from the client, so the server directly matches the hashed value coming from the client against the hashed value in the DB.

OTHER TIPS

Try encrypting the password in browser using something like http://www.webtoolkit.info/javascript-sha256.html

But do make sure to use some kind of salt based on user (which you can retrieve using AJAX) for hashing the password.

Refer to the last paragraph of http://www.plynt.com/blog/2006/06/sending-salted-hashes-just-got/ to see the possible approaches.

PS: If you're not using TLS/SSL, even doing this doesn't make sense, and if you're already using it, I think there is no need to put in effort for this unless your application requires an almost cynical level of security.

Ref : https://softwareengineering.stackexchange.com/a/76947 https://stackoverflow.com/a/3391275/876142

This is how Spring works: the form transfers the password in plain text to the backend, but this is a POST over HTTPS, so how can a hacker obtain the password?

(Later on, Spring encrypts the password and compares to the DB, where the password is encrypted as well)

What you should really be looking at is running the URL which the login form is submitted under HTTPS. Almost all other schemes you can come up with will be insecure.

Using HTTPS the browser and the Web Server will handle the encryption according to the TLS standard and all the data in the form will be submitted safely with little chance of an eavesdropper being able to obtain the username/password by listening on the wire (or the air traffic).

If you are using a database to store the passwords, that is where Spring Security's password hashing comes into play, since you should never store passwords in clear text.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow