We currently have a pre-existing user repository in our database (Oracle 10g) where we store our users' hashed passwords.
When we hash the passwords in PL/SQL initially, we use:
Code:
...
vHashingAlgorithm PLS_INTEGER := 2; --PLS_INTEGER 2 == HMAC_SHA1
...
RETURN DBMS_CRYPTO.Mac(UTL_I18N.string_to_raw(p_password_txt,'AL32UTF8'), vHashingAlgorithm, p_salt);
I'm currently trying to implement a Spring Security prototype project (hacking the Spring Social Showcase XML project) to authenticate against our database of existing users/passwords.
I think I'm very close...
This is what I'm seeing in the logs when I try to authenticate/login:
DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG: org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
INFO : org.springframework.social.showcase.signin.CustomJdbcDaoImpl - Getting Info For User: me@test.com
INFO : org.springframework.social.showcase.signin.CustomJdbcDaoImpl - org.springframework.social.showcase.signin.LocalSaltedUser@651127ba: Username: me@test.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER
INFO : org.springframework.social.showcase.signin.CustomJdbcDaoImpl - createUserDetails is searching for: me@test.com, returnUserName: me@test.com
INFO : org.springframework.social.showcase.signin.LocalSaltedUser - My salt was requested!!!, returning: 6868699ECACB7365672DE749608CA63F47943456
INFO : org.springframework.social.showcase.signin.LocalSaltedUser - My salt was requested!!!, returning: 6868699ECACB7365672DE749608CA63F47943456
DEBUG: org.springframework.security.authentication.dao.DaoAuthenticationProvider - Authentication failed: password does not match stored value
DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
Here's my configuration in security xml:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

    <http pattern="/resources/**" security="none" />

    <http use-expressions="true">
        <!-- Authentication policy -->
        <form-login login-page="/signin" login-processing-url="/signin/authenticate" authentication-failure-url="/signin?param.error=bad_credentials" />
        <logout logout-url="/signout" delete-cookies="JSESSIONID" />
        <intercept-url pattern="/favicon.ico" access="permitAll" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/signin/**" access="permitAll" />
        <intercept-url pattern="/signup/**" access="permitAll" />
        <intercept-url pattern="/disconnect/facebook" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
    </http>

    <beans:bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource">
        <beans:property name="userPropertyToUse" value="salt"/>
    </beans:bean>

    <beans:bean id="jdbcUserService" class="org.springframework.social.showcase.signin.CustomJdbcDaoImpl">
        <beans:property name="dataSource" ref="dataSource"></beans:property>
        <beans:property name="usersByUsernameQuery">
            <beans:value>
                select t1.email_addr_desc as "username", t2.hashed_passwd as "password", 1 as "enabled", t2.salt as "salt"
                from table1 t1, table2 t2
                where t1.id = t2.id and t1.email_addr_desc = ?
            </beans:value>
        </beans:property>
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="jdbcUserService">
            <password-encoder ref="passwordEncoder">
                <salt-source ref="saltSource"/>
            </password-encoder>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
Here's where I think I'm defining my password encoder in MainConfig.java (using SHA1 by default, right?):
Code:
@Bean(name="passwordEncoder") //overly explicit
public ShaPasswordEncoder passwordEncoder() {
    return new ShaPasswordEncoder();
}
I *believe* my issue is that Spring Security is using SHA-1 and my Oracle hashing algorithm is using HMAC_SHA1?
I'm not sure where to proceed from here and I'm not seeing any smoking gun statements in the logs either.
Is there a way I can tell Spring Security to call my hashing function via the injected datasource and use that to compare to what's stored as the hashed_password in the database, vs Spring Security hashing the password itself and then comparing that to what's stored in the database?
Turning to the experts for some advice/input...
Thanks in advance.
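Spring Security's ShaPasswordEncoder digests the string password + "{salt}" with plain SHA-1, so its output can never equal an HMAC-SHA1 keyed with the salt, which is what DBMS_CRYPTO.Mac produces. The encoder below is an added example (not the poster's code and not part of Spring or the Showcase project) that reproduces the Oracle computation in Java so the existing hashed_passwd values can be verified without re-hashing; it assumes the RAW salt and hashed_passwd columns reach the UserDetails object as upper-case hex strings, as the salt does in the log above, and that the legacy salt-aware PasswordEncoder interface is used because the XML nests a salt-source inside password-encoder.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.security.authentication.encoding.PasswordEncoder;

// Hypothetical class name; mirrors
// DBMS_CRYPTO.Mac(UTL_I18N.string_to_raw(pwd,'AL32UTF8'), HMAC_SH1, salt):
// HMAC-SHA1 keyed with the raw salt bytes over the UTF-8 bytes of the password.
public class OracleHmacSha1PasswordEncoder implements PasswordEncoder {

    public String encodePassword(String rawPass, Object salt) {
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            // The salt is the HMAC key, not data appended to the password.
            // Assumption: salt arrives as the hex form of the RAW column.
            mac.init(new SecretKeySpec(hexToBytes(salt.toString()), "HmacSHA1"));
            byte[] tag = mac.doFinal(rawPass.getBytes(StandardCharsets.UTF_8));
            return bytesToHex(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC-SHA1 not available", e);
        }
    }

    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        if (encPass == null || salt == null) {
            return false;
        }
        byte[] stored = hexToBytes(encPass);
        byte[] computed = hexToBytes(encodePassword(rawPass, salt));
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(stored, computed);
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    private static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }
}
```

With this class in place, the passwordEncoder @Bean in MainConfig.java returns new OracleHmacSha1PasswordEncoder() instead of new ShaPasswordEncoder(), and the existing ReflectionSaltSource keeps supplying the salt property; if the JDBC driver returns the RAW columns as byte[] rather than hex, decode them directly instead of via hexToBytes.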