Password Encoding issue

[anand1975]

Hi friends,

I need to apply password encoding in our application using ShawPassword Encoder. I have to get the user login name convert to lower case and use it as salt.

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
	<bean id="placeholderConfig"
		class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
		<property name="location">
			<value>WEB-INF/lib/jdbc.properties</value>
		</property>
	</bean>
	<bean id="filterChainProxy"
		class="org.acegisecurity.util.FilterChainProxy">
		<property name="filterInvocationDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/**=ConcurrentSessionFilter,httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
			</value>
		</property>
	</bean>

	<bean id="httpSessionContextIntegrationFilter"
		class="org.acegisecurity.context.HttpSessionContextIntegrationFilter" />

	<bean id="logoutFilter"
		class="org.acegisecurity.ui.logout.LogoutFilter">
		<constructor-arg value="/index.jsp" />
		<constructor-arg>
			<list>
				<bean
					class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" />
			</list>
		</constructor-arg>
	</bean>

	<bean id="authenticationProcessingFilter"
		class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
		<property name="authenticationManager"
			ref="authenticationManager" />
		<property name="authenticationFailureUrl"
			value="/dcecontroller/loginAction?action=defaultUser" />
		<!-- <property name="defaultTargetUrl" value="/acegilogin.jsp" />-->
		<property name="defaultTargetUrl" value="/dcecontroller/loginAction?action=registeredUser" />	
		<property name="filterProcessesUrl"><value>/dcecontroller/j_acegi_security_check</value></property>

	</bean>

	<bean id="securityContextHolderAwareRequestFilter"
		class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter" />
	
	<bean id="anonymousProcessingFilter"
		class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
		<property name="key" value="changeThis" />
		<property name="userAttribute"
			value="anonymousUser,ROLE_ANONYMOUS" />
	</bean>

	<bean id="exceptionTranslationFilter"
		class="org.acegisecurity.ui.ExceptionTranslationFilter">
		<property name="authenticationEntryPoint">
			<bean
				class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
				<property name="loginFormUrl" value="/dcecontroller/loginAction?action=defaultUser" />
			</bean>
		</property>
		<property name="accessDeniedHandler">
			<bean
				class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
				<property name="errorPage" value="/accessDenied.jsp" />
			</bean>
		</property>
	</bean>

	<bean id="filterInvocationInterceptor"
		class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
		<property name="authenticationManager" ref="authenticationManager" />
		<property name="accessDecisionManager" ref="accessDecisionManager" />
		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT 
				/**defaultuser=IS_AUTHENTICATED_ANONYMOUSLY
				/**registereduser=ROLE_ADMIN
				/dcecontroller/regaction**=ROLE_ADMIN
				/dcecontroller/listviewaction**=ROLE_ADMIN
				/dcecontroller/linkviewaction**=ROLE_ADMIN
				/**=IS_AUTHENTICATED_ANONYMOUSLY
			</value>
		</property>
	</bean>
		
	<bean id="authenticationManager"
		class="org.acegisecurity.providers.ProviderManager">
		<property name="providers">
			<list>
				<ref local="daoAuthenticationProvider" />
			</list>
		</property>
		<property name="sessionController"><ref bean="concurrentSessionController"/></property>
	</bean>

	<bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
		<property name="allowIfAllAbstainDecisions"
				value="false" />
			<property name="decisionVoters">
				<list>
					<bean class="org.acegisecurity.vote.RoleVoter" />
					<bean class="org.acegisecurity.vote.AuthenticatedVoter" />
				</list>
			</property>
	</bean>
		
	<bean id="daoAuthenticationProvider"
		class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
		<property name="userDetailsService" ref="jdbcDaoImpl" />
		<!-- UserCache property will activate the cache, it is not 
		mandatory but increases performance by cacheing the user 
		details retrieved from user-base -->
		<property name="userCache" ref="userCache"/>
	</bean>
	<bean id="jdbcDaoImpl" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
		<property name="dataSource">
			<ref local="dataSource"/>
		</property>
    	<property name="usersByUsernameQuery">
        <value>
        select LTRIM(RTRIM(LoginNAME)) as username, 
               LTRIM(RTRIM(PASSWORD)),
               STATUS as ENABLED 
          from DCE_USERS
         where LoginNAME=? 
        </value>
    </property>
    <property name="authoritiesByUsernameQuery">
        <value>
        select LOGINNAME as username,
               LTRIM(RTRIM(ROLENAME)) as authority 
          from DCE_USERS,
               DCE_ROLES,
               USERNROLES 
         where USERNROLES.USERID=DCE_USERS.USERID 
           and USERNROLES.ROLEID=DCE_ROLES.ROLEID 
           and DCE_USERS.LOGINNAME =?
        </value>
    </property>		
		
	</bean>
		<bean id="dataSource"
		class="org.apache.commons.dbcp.BasicDataSource">
		<property name="driverClassName">
			<value>${db.driverClassName}</value>
		</property>
		<property name="url">
			<value>${db.url}</value>
		</property>
		<property name="username">
			<value>${db.username}</value>
		</property>
		<property name="password">
			<value>${db.password}</value>
		</property>
	</bean>	

	<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
				<property name="cache">
					<bean
						class="org.springframework.cache.ehcache.EhCacheFactoryBean">
						<property name="cacheManager">
							<bean
								class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
						</property>
						<property name="cacheName" value="userCache" />
					</bean>
				</property>
	</bean>
	
	<!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
	<bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener" />
	
	<!--Concurrent Session Handling  -->
		<bean id="ConcurrentSessionFilter" class="org.acegisecurity.concurrent.ConcurrentSessionFilter">
		<property name="sessionRegistry"> <ref local="sessionRegistry"/></property>
		<property name="expiredUrl" value="/accessDenied.jsp"/>
	</bean>
	<bean id="concurrentSessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl">
	  <property name="maximumSessions"><value>1</value></property>
	 <!--   <property name="exceptionIfMaximumExceeded"><value>true</value></property>-->
	  <property name="sessionRegistry"><ref local="sessionRegistry"/></property>
	</bean>

	<bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl"/>
	<!--Concurrent Session Handling  -->

	
</beans>

Plz help me to configure in this regard.

If i need to implement Sha256 or Sha512 Encoding how to do in Acegi

[karldmoore]

I'm not quite sure what the question was.
http://www.acegisecurity.org/multipr...rdEncoder.html

[anand1975]

I'm not quite sure what the question was.
http://www.acegisecurity.org/multipr...rdEncoder.html

The user may enter his Login Name in any case Lowe/Upper/mixed. We need to allow him to login if the password is correct. To generate the password hash I have to convert the login name into lowercase and provide it as salt. As the hash stored in the database is generated with his Login name converted into lowercase and then use it as salt.


As of now I configured the daoAuthenticationProvider as below

Code:

	<bean id="daoAuthenticationProvider"
		class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
		<property name="userDetailsService" ref="jdbcDaoImpl" />
		<!-- UserCache property will activate the cache, it is not 
		mandatory but increases performance by cacheing the user 
		details retrieved from user-base -->
		<property name="userCache" ref="userCache"/>
		<property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
		
	</bean>
<bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.ShaPasswordEncoder"></bean>

[johnhunsley]

Not sure if you guys have solved your problem I had a similar issue when trying to implement the ShaPasswordEncoder to work with my user credentials migrated from an older db.

My passwords were hashed using the Bouncy Castle SHA1 Digest. I wrote a simple test class to see what the ShaPasswordEncoder was dishing out and what my db passwords looked like.

Then I used the commons.codec.Base64 encoder to ensure my passwords I got from the db were base 64 encoded when hibernate pulled them out the db, in the setPassword() method of my UserDetails implementation bean I have:

Base64.encodeBase64(myhasedByteArrayPassword);

Then in my acegiSecurityContext.xml I ensured that the ShaPasswordEncoder was also encoding the details in Base64, you set the encoder and the DAO, (UserDetailsService) in the daoAuthenticationProvider:

Code:

<bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.ShaPasswordEncoder">
        <property name="encodeHashAsBase64"><value>true</value></property>
    </bean>

    <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
		<!--<property name="userDetailsService" ref="userDetailsService"/>-->
        <property name="userDetailsService" ref="userDAO"/>
        <property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
    </bean>

works just great, no need to migrate my old passwords to new values :-)