Spring Security - SEC-1472

Add support for bcrypt password encoding

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.1.0
    • Component/s: None
    • Labels: None
    • Environment: Spring Security 3.0.2+

      Description

      It would be great to have built-in support for bcrypt hashing in Spring Security. I would foresee the usage to be something similar to below and then add a BcryptPasswordEncoder (similar to ShaPasswordEncoder).

      <password-encoder hash="bcrypt" rounds="10">
        <salt-source user-property="someProperty" />
      </password-encoder>

      This is a good example of custom bcrypt usage with Spring Security: http://sziebert.net/posts/using-bcrypt-with-spring-security/

        Activity

        Luke Taylor added a comment -

        I'm against doing this for the time being. We get requests from time to time to support less mainstream password-encoding algorithms but I don't want to add additional external core dependencies for what is really a niche requirement. It's also significant that the bCrypt implementation referred to had a serious vulnerability as recently as February of this year. If we are adding external dependencies on cryptography libraries I would prefer them to have seen more mainstream usage/scrutiny.

        People tend to focus too much on issues like "which hashing/encryption algorithm is 'best'" when this is unlikely to be the main vulnerability of a system. If you are using SHA hashes with random salt values then this should not be a major focus area.

        It is also trivial to implement the PasswordEncoder interface if users have specific requirements, and custom implementations are easily used with the namespace.
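As an added example (not the implementation Dave Syer contributed for this issue, and not code from this thread), this is what a bcrypt-backed implementation of the Spring Security 3.0 PasswordEncoder interface looks like; it assumes the jBCrypt library (org.mindrot.jbcrypt.BCrypt) is on the classpath. Because bcrypt generates a random salt and embeds it in the hash string, the <salt-source> from the description is unnecessary and the salt argument is ignored.

```java
// Added example, not the SEC-1472 implementation: a custom PasswordEncoder
// (Spring Security 3.0 interface) built on the jBCrypt library.
import org.mindrot.jbcrypt.BCrypt;
import org.springframework.security.authentication.encoding.PasswordEncoder;

public class BcryptPasswordEncoder implements PasswordEncoder {

    // Work-factor bounds enforced by this example: bcrypt runs 2^rounds
    // iterations, so the cost doubles with every increment.
    private static final int MIN_ROUNDS = 4;
    private static final int MAX_ROUNDS = 30;

    // log2 of the work factor; 10 matches the rounds="10" proposed above
    private final int rounds;

    public BcryptPasswordEncoder() {
        this(10);
    }

    public BcryptPasswordEncoder(int rounds) {
        if (rounds < MIN_ROUNDS || rounds > MAX_ROUNDS) {
            throw new IllegalArgumentException(
                    "bcrypt rounds must be between " + MIN_ROUNDS + " and " + MAX_ROUNDS);
        }
        this.rounds = rounds;
    }

    // bcrypt produces its own random salt and stores it inside the returned
    // hash ("$2a$<rounds>$<salt><hash>"), so a caller-supplied salt is ignored.
    public String encodePassword(String rawPass, Object salt) {
        if (rawPass == null) {
            throw new IllegalArgumentException("rawPass must not be null");
        }
        return BCrypt.hashpw(rawPass, BCrypt.gensalt(rounds));
    }

    // BCrypt.checkpw reads the cost and salt back out of the stored hash.
    // A stored value that is not a bcrypt hash makes jBCrypt throw
    // IllegalArgumentException; treat that as "does not match" rather than
    // letting the exception escape into the authentication flow.
    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        if (encPass == null || rawPass == null) {
            return false;
        }
        try {
            return BCrypt.checkpw(rawPass, encPass);
        } catch (IllegalArgumentException e) {
            return false;
        }
    }
}
```

Because every stored hash carries its own cost, rounds can be raised later for new passwords without invalidating existing ones.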

        Taylor Leese added a comment -

        Understandable. What about support for SHA-512? It doesn't look like that is currently supported.

        Udai Gupta added a comment -

        Latest bcrypt 0.3 has solved the issue reported in Feb.

        Dave Syer added a comment -

        I sent a pull request.

        Luke Taylor added a comment -

        Implementation added by Dave Syer.

        Taylor Leese added a comment -

        It would be nice to have bcrypt as a password-encoder hash. Looks like it needs to be added to the schema definition in spring-security-3.1.xsd. I'm sure there are other corresponding changes as well.

        <xs:attributeGroup name="hash">
          <xs:attribute name="hash" use="required">
            <xs:annotation>
              <xs:documentation>Defines the hashing algorithm used on user passwords. We recommend strongly against using MD4, as it is a very weak hashing algorithm.</xs:documentation>
            </xs:annotation>
            <xs:simpleType>
              <xs:restriction base="xs:token">
                <xs:enumeration value="plaintext"/>
                <xs:enumeration value="sha"/>
                <xs:enumeration value="sha-256"/>
                <xs:enumeration value="md5"/>
                <xs:enumeration value="md4"/>
                <xs:enumeration value="{sha}"/>
                <xs:enumeration value="{ssha}"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:attributeGroup>


          People

          • Assignee: Luke Taylor
          • Reporter: Taylor Leese
          • Votes: 0
          • Watchers: 2
