0

I am using Spring Security for login authorization. In my security-config.xml I am using the following code:

<authentication-manager>
  <authentication-provider>
    <password-encoder hash="md5"/>
    <jdbc-user-service data-source-ref="dataSource"
        users-by-username-query="SELECT username, password,1 as enabled FROM users WHERE username=?"
        authorities-by-username-query="SELECT username, authority,1 as enabled FROM users WHERE username =?" />
  </authentication-provider>
</authentication-manager>

But in my database I already have an encrypted password using a customized function that is not a pure MD5 hash. My question is: can I call this function from my security-config.xml instead of

<password-encoder hash="md5"/> 

or is there another way?

Thank you in advance.

1
  • WRT "customized function": "Schneier's Law": "Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break." When saving a password verifier use a peer reviewed and recommended function such as PBKDF2 (recommended by NIST), Rfc2898DeriveBytes, password_hash, Bcrypt, passlib.hash or similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. Commented Jul 25, 2017 at 16:19

1 Answer

1

You can register your custom password encoder (create a class that implements PasswordEncoder) which will call your customized function.

In your XML, change:

<password-encoder hash="md5"/> 

with:

<password-encoder ref="passwordEncoder"/>

where passwordEncoder is the name of your class/bean implementing PasswordEncoder.

More details here or here.
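
An added example (not part of the answer above and not the asker's code) of a bean that can be registered as passwordEncoder: it verifies existing rows with the legacy function and stores every new password with bcrypt, in line with the comment under the question. The class name LegacyAwarePasswordEncoder and the legacyHash constructor argument are hypothetical; the code assumes the org.springframework.security.crypto.password.PasswordEncoder interface, and upgradeEncoding assumes Spring Security 5.1 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.function.Function;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class LegacyAwarePasswordEncoder implements PasswordEncoder {

    private final PasswordEncoder bcrypt = new BCryptPasswordEncoder();
    // Assumption: wraps the application's existing customized hash function.
    private final Function<String, String> legacyHash;

    public LegacyAwarePasswordEncoder(Function<String, String> legacyHash) {
        this.legacyHash = legacyHash;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        // New and changed passwords never go through the legacy function.
        return bcrypt.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String storedHash) {
        if (rawPassword == null || storedHash == null || storedHash.isEmpty()) {
            return false;
        }
        if (isBcrypt(storedHash)) {
            return bcrypt.matches(rawPassword, storedHash);
        }
        String candidate = legacyHash.apply(rawPassword.toString());
        if (candidate == null) {
            return false;
        }
        // Constant-time comparison so timing does not leak how much of the hash matched.
        return MessageDigest.isEqual(
                candidate.getBytes(StandardCharsets.UTF_8),
                storedHash.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public boolean upgradeEncoding(String storedHash) {
        // Legacy rows are flagged for re-hashing after a successful login.
        return storedHash != null && !isBcrypt(storedHash);
    }

    private static boolean isBcrypt(String hash) {
        return hash.startsWith("$2a$") || hash.startsWith("$2b$") || hash.startsWith("$2y$");
    }
}
```

Rows are only rewritten automatically when the authentication provider has a UserDetailsPasswordService configured; otherwise re-hash on the next password change.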
