How do I get Spring security to generate the same password as what the Jasypt command line tool generates?

StackOverflow https://stackoverflow.com/questions/13831621

07-12-2021

Question

I'm using Jasypt 1.9.0, Spring 3.1.1.RELEASE, and Maven 3.0.3. Using the Jasypt command line tool, I generate passwords like so …

./digest.sh input=admin \
    providerClassName=org.bouncycastle.jce.provider.BouncyCastleProvider \
    algorithm=SHA-256 \
    saltGeneratorClassName=org.jasypt.salt.ZeroSaltGenerator

However, when I configure Spring security to attempt to match a password someone entered at the login screen …

<beans:bean id="bcProvider" class="org.bouncycastle.jce.provider.BouncyCastleProvider" />

<beans:bean id="jasyptStringDigester" class="org.jasypt.digest.StandardStringDigester">
    <beans:property name="algorithm">
        <beans:value>SHA-256</beans:value>
    </beans:property>
    <beans:property name="provider">
        <beans:ref bean="bcProvider" />
    </beans:property>
    <beans:property name="saltGenerator">
        <beans:bean id="saltGenerator" class="org.jasypt.salt.ZeroSaltGenerator"/>
    </beans:property>
</beans:bean>

<!-- This Spring Security-friendly PasswordEncoder implementation will -->
<!-- wrap the StringDigester instance so that it can be used from -->
<!-- the security framework. -->
<beans:bean id="passwordEncoder" class="org.jasypt.spring.security3.PasswordEncoder">
    <!-- beans: prefix as on the other beans; an unprefixed <property> would -->
    <!-- resolve to the (default) security namespace and fail to parse. -->
    <beans:property name="stringDigester">
        <beans:ref bean="jasyptStringDigester" />
    </beans:property>
</beans:bean>

<authentication-manager alias="authenticationManager" id="authenticationManager">
    <authentication-provider user-service-ref="sbdUserDetailsService">
        <password-encoder ref="passwordEncoder" />
    </authentication-provider>
</authentication-manager>

Spring is generating a different password than what is stored, and hence I'm not able to authenticate my user. Is there some configuration I'm missing? Why, during authentication, does Spring generate something different than what Jasypt has?


Solution

If you run digest.sh multiple times you will get different hashes for the same input values. I assume Jasypt uses a timestamp or a random string as a salt.

To be able to generate the same hash, you must know the salt which is used, or control the way it is generated. There is a CLI parameter called saltGeneratorClassName. By providing a class which implements the SaltGenerator interface you can control the salt generation.

UPDATE:

Forget what I said about the position of the salt. You just need to change the jasyptStringDigester a little bit:

<beans:bean id="jasyptStringDigester" class="org.jasypt.digest.StandardStringDigester">
    <beans:property name="algorithm">
        <beans:value>SHA-256</beans:value>
    </beans:property>
    <beans:property name="provider">
        <beans:ref bean="bcProvider" />
    </beans:property>
    <beans:property name="saltGenerator">
        <beans:ref bean="saltGenerator" />
    </beans:property>
</beans:bean>

<beans:bean class="impl.of.your.SaltGenerator" id="saltGenerator" />

And then you need to provide impl.of.your.SaltGenerator to digest.sh:

./digest.sh input=admin \
    providerClassName=org.bouncycastle.jce.provider.BouncyCastleProvider \
    algorithm=SHA-256 \
    saltGeneratorClassName=impl.of.your.SaltGenerator
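
As an added illustration (not code from the question, the answer, or the Jasypt project), here is what an `impl.of.your.SaltGenerator` could look like: a deterministic generator that returns the same bytes on every call, so digest.sh and the Spring-managed StandardStringDigester agree, plus a small main() that contrasts it with Jasypt's RandomSaltGenerator. The class name, package and salt bytes are assumptions made for this example; the Jasypt and Bouncy Castle types are the real ones the question already uses.

```java
package impl.of.your;  // hypothetical package taken from the answer; use your own

import java.nio.charset.StandardCharsets;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jasypt.digest.StandardStringDigester;
import org.jasypt.salt.RandomSaltGenerator;
import org.jasypt.salt.SaltGenerator;

/**
 * A deterministic SaltGenerator for Jasypt: every call returns the same bytes,
 * so the digest computed by digest.sh equals the one Spring computes at login.
 *
 * Security caveat: a constant salt gives up what a salt is for. Equal passwords
 * produce equal digests and precomputed tables apply, exactly as with
 * ZeroSaltGenerator. Prefer RandomSaltGenerator whenever the verifier can read
 * the salt back from the stored digest, which StandardStringDigester.matches() does.
 */
public class FixedSaltGenerator implements SaltGenerator {

    // Constant salt material; an assumption for this example, choose your own.
    private static final byte[] SALT =
            "example-fixed-salt".getBytes(StandardCharsets.UTF_8);

    @Override
    public byte[] generateSalt(int lengthBytes) {
        // Jasypt asks for saltSizeBytes (8 by default); return exactly that many.
        byte[] salt = new byte[lengthBytes];
        for (int i = 0; i < lengthBytes; i++) {
            salt[i] = SALT[i % SALT.length];
        }
        return salt;
    }

    @Override
    public boolean includePlainSaltInEncryptionResults() {
        // Do not prepend the salt to the output; the verifier regenerates it.
        return false;
    }

    // Same settings as the jasyptStringDigester bean in the question.
    private static StandardStringDigester newDigester(SaltGenerator generator) {
        StandardStringDigester digester = new StandardStringDigester();
        digester.setAlgorithm("SHA-256");
        digester.setProvider(new BouncyCastleProvider());
        digester.setSaltGenerator(generator);
        return digester;
    }

    public static void main(String[] args) {
        String password = "admin";

        // Random salt: two digests of one input differ, yet matches() verifies
        // both, because the salt is stored as a prefix of each digest.
        StandardStringDigester random = newDigester(new RandomSaltGenerator());
        String r1 = random.digest(password);
        String r2 = random.digest(password);
        System.out.println("random salt, digests equal: " + r1.equals(r2));
        System.out.println("random salt, both verify:   "
                + (random.matches(password, r1) && random.matches(password, r2)));

        // Fixed salt: repeatable output, so a digest produced out of band by
        // digest.sh can be compared against what Spring computes.
        StandardStringDigester fixed = newDigester(new FixedSaltGenerator());
        String f1 = fixed.digest(password);
        String f2 = fixed.digest(password);
        System.out.println("fixed salt, digests equal:  " + f1.equals(f2));
        System.out.println("fixed salt, verifies:       " + fixed.matches(password, f1));
    }
}
```

Register it as `<beans:bean class="impl.of.your.FixedSaltGenerator" id="saltGenerator" />` and pass `saltGeneratorClassName=impl.of.your.FixedSaltGenerator` to digest.sh, which needs the compiled class on its classpath. Running main() prints that the two random-salt digests differ while both verify, and that the two fixed-salt digests are identical. One practical check before reaching for a fixed salt: the Jasypt PasswordEncoder in the question hands verification to the digester's matches(), which reads a random salt back out of the stored digest, so a digest produced by digest.sh with the default RandomSaltGenerator already verifies at login as long as algorithm, iterations and salt size are the same on both sides.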

Licensed under: CC-BY-SA with attribution