
Team Blog

Spring Security Customization Series – Part 2 (Add Jasypt StringDigester)

Introduction

This is the second part of a multipart series on Spring Security customization. It shows a practical example of how to use Jasypt’s StringDigester interface as the password encoder for Spring Security.

Adding a Password Encoder

The user password data is usually encoded using a hashing algorithm. This is supported by the <password-encoder> element.  With Jasypt’s password encoder, the original authentication provider configuration would look like this:

<!--
Define jdbc authentication provider. Typically, a real app would use an external
provider (JDBC, LDAP, CAS, OPEN-ID etc)
-->
<security:authentication-provider>
    <security:password-encoder ref="passwordEncoder"/>
    <security:jdbc-user-service data-source-ref="simplasoDS" id="jdbcDaoImpl"/>
</security:authentication-provider>

<!--
This Spring Security-friendly PasswordEncoder implementation will
wrap the StringDigester instance so that it can be used from
the security framework.
Assumed here: the class is Jasypt's adapter for Spring Security 2.x;
other Jasypt releases ship it under a different package.
-->
<bean id="passwordEncoder" class="org.jasypt.spring.security2.PasswordEncoder">
    <property name="stringDigester" ref="jasyptStringDigester"/>
</bean>

<!--
Use the StringDigester in several places, for example at new user sign-up.
All uni-directional encryption methods supported in Jasypt are integrated into
Spring Security.
Note: ZeroSaltGenerator supplies a fixed all-zero salt, so equal passwords
produce equal digests; Jasypt's RandomSaltGenerator gives each password its own salt.
-->
<bean id="jasyptStringDigester" class="org.jasypt.digest.StandardStringDigester">
    <property name="algorithm" value="SHA-1"/>
    <property name="iterations" value="100000"/>
    <property name="saltGenerator">
        <bean id="zeroSaltGenerator" class="org.jasypt.salt.ZeroSaltGenerator"/>
    </property>
    <property name="saltSizeBytes" value="10"/>
</bean>

In the example configuration above, I am using Spring Security’s jdbcDaoImpl to obtain the user information from the database. The StandardStringDigester class lets the user specify the algorithm (and provider) to be used for creating digests, the size of the salt to be applied, the number of times the hash function will be applied (iterations), and the salt generator to be used. Please note that the entire namespace configuration has been omitted from the above example for brevity.

The steps taken for creating digests are given below:

    1) The String message is converted to a byte array
    2) A salt of the specified size is generated
    3) The salt bytes are added to the message
    4) The hash function is applied to the salt and message together and then to the results of the function itself, as many times as specified (iterations)
    5) If specified by the salt generator, the undigested salt and the final result of the hash function are concatenated and returned as a result
    6) The result of the concatenation is encoded in BASE64 or HEXADECIMAL and returned as an ASCII String
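
The six steps above, written out with JDK classes only as an added example (not Jasypt's source and not code from the original post). It assumes UTF-8 bytes and the salt placed before the message; the class and method names are illustrative. It contrasts a fixed all-zero salt left out of the result, as ZeroSaltGenerator supplies in the configuration above, with a random salt per password.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class DigestStepsDemo {  // illustrative name, not a Jasypt class
    // Steps 1-6 of the list. Assumptions: UTF-8 bytes, salt placed before the message.
    static String digest(String msg, byte[] salt, int iterations, boolean includeSalt) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(salt);                                   // steps 2-3: salt joins the input
        md.update(msg.getBytes(StandardCharsets.UTF_8));   // step 1: message as bytes
        byte[] hash = md.digest();                         // step 4: first pass
        for (int i = 1; i < iterations; i++) {
            hash = md.digest(hash);                        // step 4: re-hash the previous result
        }
        byte[] out = hash;
        if (includeSalt) {                                 // step 5: plain salt followed by digest
            out = Arrays.copyOf(salt, salt.length + hash.length);
            System.arraycopy(hash, 0, out, salt.length, hash.length);
        }
        return Base64.getEncoder().encodeToString(out);    // step 6: BASE64 text
    }

    // Verification: read the salt back from the stored value and recompute.
    static boolean matches(String msg, String stored, int saltSize, int iterations) throws Exception {
        byte[] raw = Base64.getDecoder().decode(stored);
        byte[] salt = Arrays.copyOf(raw, saltSize);
        byte[] again = Base64.getDecoder().decode(digest(msg, salt, iterations, true));
        return MessageDigest.isEqual(raw, again);          // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        int iterations = 100000, saltSize = 10;            // values from the configuration above
        String password = "example-password";              // constructed sample input
        // Fixed all-zero salt, not stored: equal passwords give equal digests.
        byte[] zero = new byte[saltSize];
        String a = digest(password, zero, iterations, false);
        System.out.println("zero salt, same digest:   " + a.equals(digest(password, zero, iterations, false)));
        // Random salt per password, stored in front of the digest.
        SecureRandom rng = new SecureRandom();
        byte[] s1 = new byte[saltSize], s2 = new byte[saltSize];
        rng.nextBytes(s1); rng.nextBytes(s2);
        String c = digest(password, s1, iterations, true);
        String d = digest(password, s2, iterations, true);
        System.out.println("random salt, same digest: " + c.equals(d));
        System.out.println("random salt, verifies:    " + matches(password, c, saltSize, iterations));
    }
}
```

With the zero salt, every account that shares a password stores the same digest, so one precomputed table covers the whole user table; with a per-password salt each stored value has to be attacked separately.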
 

3 replies


  1. When I try to do this with spring 2.5.6 I get a null pointer exception – when spring is trying to create the bean: DaoAuthenticationProvider (stack trace below)

    Here is my applicationContextSecurity.xml

    13:19:04,751 ERROR [ContextLoader] Context initialization failed
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.providers.dao.DaoAuthenticationProvider#0':
    Initialization of bean failed; nested exception is java.lang.NullPointerException
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:480)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:221)


  2. <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:aop="http://www.springframework.org/schema/aop"
        xmlns:tx="http://www.springframework.org/schema/tx"
        xmlns:context="http://www.springframework.org/schema/context"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
            http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.1.xsd
            http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd"
        default-autowire="byName"
        default-lazy-init="true">

    <http auto-config="true" >
        <!-- intercept-url pattern="/login.jsp*" filters="none"/>
        <intercept-url pattern="/admin/editUser.do" access="ROLE_ADMIN" / -->
        <form-login />
        <anonymous />
        <http-basic />
        <logout />
        <remember-me />
    </http>

    <beans:bean id="jasyptStringDigester" class="org.jasypt.digest.StandardStringDigester">
        <beans:property name="algorithm" value="SHA-1" />
        <beans:property name="iterations" value="10000" />
        <!-- beans:property name="saltGenerator">
        <beans:bean id="zeroSaltGenerator" class="org.jasypt.salt.ZeroSaltGenerator"/>
        </beans:property -->
        <!-- property name="saltSizeBytes" value="10"/ -->
    </beans:bean>

    <beans:bean id="passwordEncoder">
        <beans:property name="stringDigester" ref="jasyptStringDigester"/>
    </beans:bean>

    <beans:bean id="userDetailsService" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
        <beans:property name="dataSource" ref="dataSource"/>
    </beans:bean>

    <authentication-provider user-service-ref="userDetailsService" >
        <password-encoder ref="passwordEncoder"/>
    </authentication-provider>

    <global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>

    </beans:beans>


  3. There is a bug identified with Spring Security 2.0.2 and 2.0.3 that gives an error similar to the one you mentioned. If you don’t use the aop:aspectj-autoproxy functionality, the scenario above works without any error. But if you add aop:aspectj-autoproxy to the configuration (without any aspect!) you will get a Null Pointer Exception. Please upgrade Spring Security to 2.0.4 and try it. Can you also post the complete stack trace?
