Spring Security 9: Password Encryption

bcrypt

  • Performs one-way hashing (not encryption): the original password cannot be recovered from the stored value
  • Adds a random salt to each password for additional protection, so two users with the same password get different hashes
  • Includes a configurable cost (work) factor that makes every hash deliberately slow to compute, which defeats brute force attacks

Spring Security Password Storage

  • In Spring Security 5, passwords are stored using a specific format: an algorithm id in braces, followed by the encoded password.
    • {bcrypt}encodedPassword
    • The id prefix tells the DelegatingPasswordEncoder which PasswordEncoder to use when verifying the stored value.
    • Password column must be at least 68 chars wide:
      • {bcrypt} - 8 chars
      • encodedPassword - 60 chars (the bcrypt string: version, cost factor, 22-char salt, 31-char hash)
    • 68 chars is enough for bcrypt only; other ids (e.g. {argon2}, {pbkdf2}) produce longer strings, which is why Spring Security's own reference schema uses varchar(500) for the password column.

Modify DDL for Password Field

CREATE TABLE `users` (
`username` varchar(50) NOT NULL,
-- Password column must be at least 68 chars wide:
`password` char(68) NOT NULL,
`enabled` tinyint(1) NOT NULL,

PRIMARY KEY(`username`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

Spring Security Login Process

The user enters a plaintext password on the login form, and the request goes through the Spring Security filter chain:

  1. Retrieve the stored password for that user from the db
  2. Read the encoding algorithm id from the {id} prefix (bcrypt etc.) and select the matching PasswordEncoder
  3. For the case of bcrypt, hash the plaintext password from the login form using the salt and cost factor that are embedded in the stored bcrypt value
  4. Compare the hash computed from the login form WITH the hash stored in the db
  5. If there is a match, login is successful
  6. If there is no match, login is NOT successful
    Note: The password from the db is NEVER decrypted, because bcrypt is a one-way hash function; there is nothing to decrypt, the only possible check is to re-hash and compare
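The storage format and the login check above, shown end to end as an added example (this is not code from the original notes or from the Spring Security project). It uses the real Spring Security 5 API (spring-security-crypto on the classpath); the class name PasswordStorageDemo, the sample password and the locally held "stored" string stand in for the users table, so no database is needed to run it.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example: produces the {id}encodedPassword value that goes into the
 * password column, then replays the login comparison against it.
 * The "stored" value is a local variable standing in for the db row.
 */
public class PasswordStorageDemo {

    // Spring's default delegating encoder: encodes new passwords with {bcrypt}
    // (strength 10), and verifies any id it knows ({bcrypt}, {noop}, {pbkdf2}, ...).
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** Run when a user is created: the returned string is what the db row holds. */
    static String encodeForStorage(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Steps 2-6 of the login process: read the id, re-hash with the stored salt, compare. */
    static boolean loginMatches(String rawFromForm, String storedFromDb) {
        return ENCODER.matches(rawFromForm, storedFromDb);
    }

    public static void main(String[] args) {
        String stored = encodeForStorage("secret123");

        // Step 2: the algorithm id is the text between the braces.
        int close = stored.indexOf('}');
        String id = stored.substring(1, close);
        String hash = stored.substring(close + 1);
        System.out.println("stored      : " + stored);
        System.out.println("id          : " + id + " (" + (id.length() + 2) + " chars incl. braces)");
        System.out.println("bcrypt hash : " + hash + " (" + hash.length() + " chars)");
        System.out.println("total       : " + stored.length() + " chars, must fit the char(68) column");

        // Encoding the same password twice gives a different string each time
        // (fresh random salt), so a plain string comparison would be wrong;
        // only matches() re-hashes with the stored salt and compares correctly.
        String storedAgain = encodeForStorage("secret123");
        System.out.println("identical strings for same password: " + stored.equals(storedAgain));
        System.out.println("login with correct password: " + loginMatches("secret123", stored));
        System.out.println("login with wrong password  : " + loginMatches("secret124", stored));

        // The id prefix is what makes a mixed table work: a legacy {noop} row
        // is verified by the same matches() call, because the delegating encoder
        // dispatches on the id. Such rows should be re-encoded at next login.
        System.out.println("legacy {noop} row: " + loginMatches("plain", "{noop}plain"));

        // Raising the cost factor later only affects new hashes; old bcrypt rows
        // still verify because their own cost is embedded in the hash ($2a$10$...).
        // upgradeEncoding() (Spring Security 5.1+) reports that the old row should
        // be re-hashed under the stronger setting.
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder(12));
        PasswordEncoder strongerBcrypt = new DelegatingPasswordEncoder("bcrypt", encoders);
        System.out.println("old row verifies under cost 12 encoder: " + strongerBcrypt.matches("secret123", stored));
        System.out.println("old row should be re-hashed           : " + strongerBcrypt.upgradeEncoding(stored));
    }
}
```

Run it with spring-security-crypto on the classpath; the first three lines of output show the 8 + 60 = 68 character split that the DDL above is sized for. The cost-factor part is the piece practitioners tend to miss: because bcrypt stores its cost inside the hash, you can raise the strength in the encoder at any time without breaking existing logins, and use upgradeEncoding() to decide which rows to re-hash after a successful match.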