Authentication Fails when PasswordEncoder is being used.

[sagolsb]

The password returned (encrypted) from the userdetails object is as expected, the one stored in the database. the PasswordEncoder.isPasswordValid(..) fails; when I incrypt the raw password from the authentication object using the same encoder and salt, the outcome is different from the one in the userdetails object.

But I'm using the same encoder and salt for password encryption and authentication through spring injection, how can the salt be changed? As I mentioned, everything work fine if I don't use a salt. Any clue?

[karldmoore]

Ok, it all works if you don't use the salt. If you look at the SystemWideSaltSource code, all it does is hold a String....... that's it. I don't see how that can break your code. The only thing I can think is going wrong is that the password in the database isn't encoded with the salt. I'm presuming you have some code like the one below and you are injecting in the same passwordEncoder and saltSource. Other than that I'm at a loss, I can't see why it wouldn't work. Could you post your applicationContext.xml and the code that you've written for this?

Code:

public class MyClass {
    private PasswordEncoder passwordEncoder = new PlaintextPasswordEncoder();
    private SaltSource saltSource;

    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    public void setSaltSource(SaltSource saltSource) {
        this.saltSource = saltSource;
    }

    public String encode(String toEncode) {
        Object salt = null;
        if (this.saltSource != null) {
            salt = this.saltSource.getSalt(userDetails);
        }
        this.passwordEncoder.encodePassword(toEncode, saltSource);
    }
}

http://www.acegisecurity.org/multipr...altSource.html

[karldmoore]

Did you end up solving this? I'd be interested to find out!

[dsb]

I've seemed to run into this same issue also.

It seems the that salt used in salting the password is coming from SystemWideSaltSource.toString()

from BasePasswordEncoder.mergePasswordAndSalt():

if ((salt == null) || "".equals(salt)) {
return password;
} else {
return password + "{" + salt.toString() + "}";
}

Since SystemWideSaltSource has no implementation for toString() the resultant String has the object's hashcode which is not guaranteed to be the same between invocations of the JVM.

-db

[karldmoore]

I don't follow your thinking. There is difference between salt and saltSource. If you look at the code sample I posted, you ask the saltSource for the salt. For SystemWideSaltSource.getSalt(..) this is going to return the same value everytime. This is the thing that is passed into the encoder and is toString'd.

[hiteshlad]

Hi guys, I thought i would share my experience.

I'm having the same problem with Acegi 1.0.3.
So, after stepping through the code, I noticed the following:

1. In line 87 of BasePasswordEncoder, the password is salted as:
return password + "{" + salt.toString() + "}";
If I remove the '{' and '}', the encoder's digest output produces almost the same string as the one put in my database through an existing php application, with the difference being #2 below.

2. The difference with what i have in my db and what the encoder gives is my db for some reason has the password digest in all uppercase. I'm not sure why my db has it but i plan on changing my query to fix that.

I'm not sure if either #1 or #2 are real bugs or are caused by the legacy php app i'm integrating with. Anyway, as a workaround for me i should be able to subclass the MD5PasswordEncoder.

hope that helps someone.

- hitesh

[ajois4u]

Hi,
i am working on a project where we need to apply authentication with password encoded with the salt, without the salt it's working properly, but when i m applying salt it fails... says Bad credentials, so i was just wondering can anybody please help me .. this is the code which i m using for encoding with salt, with the relevant .xml snippet
IMP: we are using Linux ubunt 7.04
code:
String PASSWORD = "abc123";
Object salt = "1234";
String SALETEDPASS = PASSWORD + "{" + salt.toString() + "}";
.
.
Md5PasswordEncoder md5PasswordEncoder = new Md5PasswordEncoder();
String encdPswd = md5PasswordEncoder.encodePassword(PASSWORD, SALETEDPASS);

and agegi-security.xml .. code :
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenti cationProvider">
<property name="userDetailsService" ref="jdbcDaoImpl"/>
<property name="passwordEncoder">
<bean class="org.acegisecurity.providers.encoding.Md5Pas swordEncoder"/>
</property>
<property name="saltSource" ref ="systemWideSalt"/>
</bean
</bean>

<bean id ="systemWideSalt"
class="org.acegisecurity.providers.dao.salt.System WideSaltSource">
<property name="systemWideSalt">
<value>"1234"</value>
</property>
</bean>
so, plz anybody could tell me where m i doing wrong..
any help would be highly appreciated..
regards,
ajois4u

[spring2007]

I am facing the same problem and I am using Jasypt Password Encoder.

To begin with I had plain text password. So I was nto getting authenticated.
So in getPassword of UserDetails I did a hack to return encrpted value of password[which I get as myDomain.getPassword()] and it let me pass .Inside application, I changed all other user's password and they all became encrypted. But when I log in back, I cant unless I return just myDO.getPassword() without any encryption.
In Jasypt, you do not have to deal with salt etc.It does it internally.

[otho]

Edit: Nevermind, what I wrote before here.

Just make a prominent note somewhere in the docs and examples maybe that you have to call encoder.encodePassword(rawPass, saltSource.getSalt(userDetails)); instead of encoder.encodePassword(rawPass, saltSource); to encode your passwords for the first time before storing them into database.

This mistake seems to be common.