Spring Security
SEC-1472

Add support for bcrypt password encoding

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.1.0
    • Component/s: None
    • Labels: None
    • Environment: Spring Security 3.0.2+

      Description

      It would be great to have built-in support for bcrypt hashing in Spring Security. I would foresee the usage to be something similar to below and then add a BcryptPasswordEncoder (similar to ShaPasswordEncoder).

      <password-encoder hash="bcrypt" rounds="10">
      <salt-source user-property="someProperty" />
      </password-encoder>

      This is a good example of custom bcrypt usage with Spring Security: http://sziebert.net/posts/using-bcrypt-with-spring-security/

        Activity

        Luke Taylor added a comment -

        I'm against doing this for the time being. We get requests from time to time to support less mainstream password-encoding algorithms but I don't want to add additional external core dependencies for what is really a niche requirement. It's also significant that the bCrypt implementation referred to had a serious vulnerability as recently as February of this year. If we are adding external dependencies on cryptography libraries I would prefer them to have seen more mainstream usage/scrutiny.

        People tend to focus too much on issues like "which hashing/encryption algorithm is 'best'" when this is unlikely to be the main vulnerability of a system. If you are using SHA hashes with random salt values then this should not be a major focus area.

        It is also trivial to implement the PasswordEncoder interface if users have specific requirements, and custom implementations are easily used with the namespace.

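        The comment above says that implementing the PasswordEncoder interface is trivial when a project wants bcrypt without waiting for core support. The class below is an added example written for this page; it is not code from the issue, the pull request, or Spring Security itself. It assumes the Spring Security 3.0 `org.springframework.security.authentication.encoding.PasswordEncoder` interface and the jBCrypt library (`org.mindrot.jbcrypt.BCrypt`) on the classpath; the class name `BcryptPasswordEncoder` is the one the reporter suggested and is otherwise hypothetical.

```java
import org.mindrot.jbcrypt.BCrypt;
import org.springframework.security.authentication.encoding.PasswordEncoder;

/**
 * Hypothetical custom encoder (added example, not part of Spring Security)
 * that adapts the Spring Security 3.0 PasswordEncoder interface to jBCrypt.
 */
public class BcryptPasswordEncoder implements PasswordEncoder {

    // bcrypt work factor: the key-setup loop runs 2^logRounds times.
    // 10 is the common default; raise it as hardware gets faster.
    private final int logRounds;

    public BcryptPasswordEncoder(int logRounds) {
        // jBCrypt accepts log rounds in the range 4..31; reject anything else early.
        if (logRounds < 4 || logRounds > 31) {
            throw new IllegalArgumentException("bcrypt log rounds must be between 4 and 31");
        }
        this.logRounds = logRounds;
    }

    /**
     * The salt argument is deliberately ignored: bcrypt generates its own
     * random salt and stores it inside the returned hash string, so a
     * <salt-source> configured in the namespace has no effect on this encoder.
     */
    public String encodePassword(String rawPass, Object salt) {
        if (rawPass == null) {
            throw new IllegalArgumentException("raw password must not be null");
        }
        return BCrypt.hashpw(rawPass, BCrypt.gensalt(logRounds));
    }

    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        if (encPass == null || rawPass == null) {
            return false;
        }
        try {
            // checkpw re-hashes rawPass with the salt and cost embedded in encPass
            return BCrypt.checkpw(rawPass, encPass);
        } catch (IllegalArgumentException e) {
            // thrown for stored values that are not bcrypt hashes (e.g. legacy SHA entries);
            // treat them as a failed match rather than propagating the error
            return false;
        }
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BcryptPasswordEncoder(10);
        String stored = encoder.encodePassword("correct horse battery staple", null);
        System.out.println("stored hash: " + stored);
        System.out.println("correct password accepted: "
                + encoder.isPasswordValid(stored, "correct horse battery staple", null));
        System.out.println("wrong password accepted: "
                + encoder.isPasswordValid(stored, "wrong", null));
    }
}
```

        With the 3.0 namespace the bean is wired in with `<password-encoder ref="bcryptEncoder"/>` (an assumption about the deployment; the `ref` attribute is the namespace's existing mechanism for custom encoders). Two points worth noting for anyone taking this route: the cost parameter is recorded in each stored hash, so raising `logRounds` later only affects newly encoded passwords, and any `salt-source` in the configuration is silently unused because bcrypt manages its own salt.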
        Taylor Leese added a comment -

        Understandable. What about support for SHA-512? It doesn't look like that is currently supported.

        Udai Gupta added a comment -

        Latest bcrypt 0.3 has solved the issue reported in Feb.

        Dave Syer added a comment -

        I sent a pull request.

        Luke Taylor added a comment -

        Implementation added by Dave Syer.

        Taylor Leese added a comment -

        It would be nice to have bcrypt as a password-encoder hash. Looks like it needs to be added to the schema definition in spring-security-3.1.xsd. I'm sure there are other corresponding changes as well.

        <xs:attributeGroup name="hash">
        <xs:attribute name="hash" use="required">
        <xs:annotation>
        <xs:documentation>Defines the hashing algorithm used on user passwords. We recommend strongly against using MD4, as it is a very weak hashing algorithm.</xs:documentation>
        </xs:annotation>
        <xs:simpleType>
        <xs:restriction base="xs:token">
        <xs:enumeration value="plaintext"/>
        <xs:enumeration value="sha"/>
        <xs:enumeration value="sha-256"/>
        <xs:enumeration value="md5"/>
        <xs:enumeration value="md4"/>
        <xs:enumeration value="{sha}"/>
        <xs:enumeration value="{ssha}"/>
        </xs:restriction>
        </xs:simpleType>
        </xs:attribute>
        </xs:attributeGroup>


          People

          • Assignee: Luke Taylor
          • Reporter: Taylor Leese
          • Votes: 0
          • Watchers: 2
