
Spring Security Customization Series – Part 1 (Add Jasypt decryption)

Introduction

This is the first part of a multipart series on Spring Security customization. It shows a practical example of how to extend UserDetailsService to apply a decryption algorithm using the Jasypt library. The decryption is applied to the password before the final UserDetails object is created. The main purpose of UserDetailsService is to obtain authentication information from a JDBC datasource.

Jasypt

Jasypt (Java Simplified Encryption) is a library that lets developers add encryption and decryption capabilities with minimal effort and without deep knowledge of how cryptography works. It integrates with Spring Security in a minimally invasive way. Let us look at some code snippets and configuration showing how Jasypt can be wired into Spring projects.

CustomUserDetailsService.java

package com.simplaso.security;

import org.jasypt.encryption.pbe.PBEStringEncryptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.jdbc.JdbcDaoImpl;

/**
* CustomUserDetailsService.java : This implementation overrides some behavior of Spring Security's
* JdbcDaoImpl which retrieves the user details (username, password, enabled flag, and authorities)
* from a database using JDBC queries.
* @author Vigil Bose
*/
public class CustomUserDetailsService extends JdbcDaoImpl {

     @Autowired
     @Qualifier("strongEncryptor")
     private PBEStringEncryptor strongEncryptor;

     /**
      * The API createUserDetails() is overridden to apply decryption algorithm to the password
      * before creating the final UserDetailsObject returned from the API loadUserByUsername.
      * @param username the name originally passed to loadUserByUsername
      * @param userFromUserQuery the object returned from the execution of the user query
      * @param combinedAuthorities the combined array of authorities from all the authority loading
      *  queries.
      * @return the final UserDetails which should be used in the system.
      */
      @Override
      public UserDetails createUserDetails(String username,
                                           UserDetails userFromUserQuery,
                                           GrantedAuthority[] combinedAuthorities) {

              String returnUsername = userFromUserQuery.getUsername();

              if (!isUsernameBasedPrimaryKey()) {
                    returnUsername = username;
              }

              //Decrypt the encrypted password
              String decryptedPassword = this.strongEncryptor.decrypt(userFromUserQuery.getPassword());

              User user = new User(returnUsername,
                                    decryptedPassword,
                                    userFromUserQuery.isEnabled(),
                                    true, true, true, combinedAuthorities);
              return user;
       }
}

applicationContext-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

            <bean id="strongEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
    	              <property name="password" value="jasypt"/>
            </bean>

            <!--
               Define jdbc authentication provider. Typically, a real app would use an external
               provider (JDBC, LDAP, CAS, OPEN-ID etc)
          -->
          <security:authentication-provider user-service-ref="customUserDetailsService"/>

         <bean id="customUserDetailsService" class="com.simplaso.security.CustomUserDetailsService">
    	         <property name="dataSource" ref="simplasoDS"/>
     	         <property name="authoritiesByUsernameQuery"
                          value="SELECT RTRIM(simpl_user_name) as username, RTRIM(simpl_profile_cd) as authority FROM simpl_auth WHERE simpl_user_name = ? "/>
    	        <property name="usersByUsernameQuery"
                           value="SELECT RTRIM(simpl_user_name) as username, RTRIM(simpl_password) as password, simpl_enabled as enabled FROM simpl_user WHERE simpl_user_name = ? "/>
     	        <property name="rolePrefix" value="ROLE_"/>
         </bean>

</beans>

Please pay attention to the above implementation of CustomUserDetailsService.java and the Spring application context configuration for Spring Security. In the code example above, I have used Jasypt’s PBEStringEncryptor to decrypt the retrieved password before the createUserDetails API creates the final User object. The configuration uses custom queries to retrieve the user and its associated profile information from the JDBC datasource. Because the roles defined in our database table do not carry the ROLE_ prefix that the Spring Security framework requires to work correctly, we set the convenient rolePrefix property on our custom implementation of UserDetailsService. The rolePrefix property is exposed by Spring Security’s JdbcDaoImpl, so internally all roles retrieved from the database will have the prefix ROLE_. You can use Spring Security’s query customization feature, as shown in the example configuration above, when the user and authority tables in your database differ from the database schema that comes with the Spring Security framework.

Now let us see how to manually encrypt a password to store in the database. We will use Jasypt’s command line utility to do this. The screenshot below shows the Jasypt command line utility encrypting and decrypting the word “simpl2010”. The password used in the example to encrypt and decrypt is “jasypt”, which is the value configured as the password property of the strongEncryptor bean in the above configuration.

Jasypt Command Line Utility Tool
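
The same encrypt and decrypt round trip can be reproduced from Java with the settings of the strongEncryptor bean. This is an added example, not code from the original post; the class and method names (PasswordColumnTool, encryptorFor, tryDecrypt) are hypothetical, and it assumes the Jasypt jar is on the classpath.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

// Added example (hypothetical class and method names); needs the Jasypt jar on the classpath.
public class PasswordColumnTool {

    // Mirrors the page's strongEncryptor bean: only the password is set, so
    // Jasypt's defaults apply (PBEWithMD5AndDES, random salt, Base64 output).
    static StandardPBEStringEncryptor encryptorFor(String encryptorPassword) {
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setPassword(encryptorPassword);
        return encryptor;
    }

    // Returns the plaintext, or null if Jasypt rejects the stored value.
    // createUserDetails() on the page calls decrypt() directly, so there the
    // same failure surfaces as a runtime exception during login.
    static String tryDecrypt(StandardPBEStringEncryptor encryptor, String stored) {
        try {
            return encryptor.decrypt(stored);
        } catch (EncryptionOperationNotPossibleException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        StandardPBEStringEncryptor encryptor = encryptorFor("jasypt");

        // Each call draws a fresh salt, so the same input yields different
        // ciphertexts; either one is a valid value for simpl_password.
        String first = encryptor.encrypt("simpl2010");
        String second = encryptor.encrypt("simpl2010");
        System.out.println("ciphertext 1: " + first);
        System.out.println("ciphertext 2: " + second);
        System.out.println("ciphertexts differ: " + !first.equals(second));

        // Both decrypt to the original word with the configured password.
        System.out.println("decrypts 1: " + "simpl2010".equals(encryptor.decrypt(first)));
        System.out.println("decrypts 2: " + "simpl2010".equals(encryptor.decrypt(second)));

        // A different encryptor password normally fails with an exception. The
        // cipher is unauthenticated, so a wrong key can occasionally produce
        // garbage instead; do not rely on this as an integrity check.
        String wrongKey = tryDecrypt(encryptorFor("not-jasypt"), first);
        System.out.println("wrong password recovers plaintext: " + "simpl2010".equals(wrongKey));
    }
}
```

Anyone who holds both the encryptor password and the simpl_user table can recover every password this way, so in a real deployment keep the encryptor password out of the application context XML. The StringDigester-based PasswordEncoder mentioned in the conclusion stores a one-way digest instead.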

Conclusion

Spring Security provides comprehensive security services for J2EE-based enterprise software applications. At the same time, the library is flexible and extensible enough to accommodate any customization required to meet individual project needs. In the next part of this series, I will show how Jasypt’s Spring Security-friendly PasswordEncoder implementation wraps a StringDigester instance so that it can be used from the security framework.

 

7 replies


  1. This article helped me in my college assignment. Thank you for the information.


  2. How do you find ideas for articles? I am always lacking new ideas for articles. Some tips would be great.


  3. Great information; you write it very cleanly. I’m very lucky to get these details from you. Your site is very useful for me. I bookmarked your site!


  4. Thank you.


  5. I am happy that the article helped you complete your college assignment.


  6. It is the experience in the industry that helps me write the articles of this genre.


  7. Genial brief and this post helped me a lot in my college assignment. Thank you for your information.
