java - How do I configure REST service to manually check encrypted passwords with Spring Security?


A RESTful Spring Boot service needs to manually log in users with credentials sent as JSON from an AngularJS front end. The code below accomplishes this using unencrypted passwords, but I want the passwords to be encrypted when they are stored in the database. When I add the BCryptPasswordEncoder().matches... code below, I am still not able to match the encrypted user password. What specific changes need to be made to the code below so that the /login1 method is able to perform manual password checking and custom login procedures?

Here are the 4 lines of the login process where the password match is currently failing, though the failure may be due to the way passwords are encrypted in the registration process:

    UserDetails user = users.loadUserByUsername(uname);
    PasswordEncoder encoder = new BCryptPasswordEncoder();
    String encPwd = encoder.encode(rphon.getEncPwd()); // takes the JSON unencoded string value `password` and encodes it using encoder.encode(...)
    if (encoder.matches(user.getPassword(), encPwd)) { // this encoder.matches check fails

Here is the complete relevant code for the 2 REST services in the Spring Boot app that handle registration (password encryption) and authentication (password matching), respectively. Note that in the present configuration, the client app is sending the password value `password` in unencrypted text, through an SSL connection:

    import java.util.List;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.AuthorityUtils;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.web.bind.annotation.*;

    @RequestMapping(value = "/register", method = RequestMethod.POST)
    public @ResponseBody ResultMessage getPin(@RequestBody ResultMessage rmsg) {
        String uname = rmsg.getName();
        WebLead wld = myRepo.findByEmailAddress(uname);
        User newUsr = new User();
        newUsr.setName(wld.getEmailAddress());
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        String pwd = encoder.encode("password"); // BCrypt hash (with its own random salt) is what gets stored
        newUsr.setPassword(pwd);
        users.createUser(newUsr);
        // bunch of unrelated code
        return something;
    }

    @RequestMapping(value = "/login1", method = RequestMethod.POST)
    public @ResponseBody ResultMessage login1(HttpSession session, HttpServletResponse response,
                                              @RequestBody ResultMessage rphon) {
        ResultMessage resMess = new ResultMessage();
        String uname = rphon.getName();
        resMess.setName(uname);
        UserDetails user = users.loadUserByUsername(uname);
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        String encPwd = encoder.encode(rphon.getEncPwd()); // takes the JSON unencoded string value `password` and encodes it using encoder.encode(...)
        if (encoder.matches(user.getPassword(), encPwd)) { // this encoder.matches check fails
            List<GrantedAuthority> auth = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER");
            Authentication authentication = new UsernamePasswordAuthenticationToken(user, null, auth);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            response.addCookie(new Cookie("auth", "yes"));
        }
        return resMess;
    }

Here are the relevant parts of the Spring Security config:

    @SuppressWarnings("deprecation")
    @Configuration
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    @EnableWebMvcSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .formLogin()
                    .successHandler(new MyAuthenticationSuccessHandler())
                    .and()
                .httpBasic().and()
                .authorizeRequests()
                    .antMatchers("/register").permitAll()
                    .antMatchers("/login1").permitAll()
                    .antMatchers("/index.html", "/", "/gui_route_1", "/gui_route_2", "/gui_route_n").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .csrf()
                    .csrfTokenRepository(csrfTokenRepository())
                    .and()
                .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
        }

    }

The interface PasswordEncoder has the method defined below.

    boolean matches(CharSequence rawPassword, String encodedPassword)

Verify that the encoded password obtained from storage matches the submitted raw password after the raw password is also encoded. Returns true if the passwords match, false if not. The stored password is never decoded.

Parameters:

  • rawPassword - the raw password to encode and match
  • encodedPassword - the encoded password from storage to compare with

Returns:

  • true if the raw password, after encoding, matches the encoded password from storage

It expects the raw password to be passed (either the JSON already carries the raw password, or you may have to decode it, based on how it was encoded, to get it back to raw) as the first parameter, and the encoded password that comes from the DB as the second parameter.
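As an added illustration, not code from the question or the answer above, the stand-alone Java program below shows the contract the answer describes: the raw submitted password goes first, the stored hash second, and the raw password is never re-encoded before the check. It also shows why the pattern in the question cannot work: BCryptPasswordEncoder.encode() draws a fresh random salt every call, so two hashes of the same password differ, and comparing one hash against another (or re-hashing the stored hash) can never succeed; matches() reads the salt and cost out of the stored hash and does the hashing itself. The only assumption is that spring-security-crypto (which provides BCryptPasswordEncoder) is on the classpath; the class name, method names and the sample password are constructed for this example.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Constructed example: correct vs. broken use of PasswordEncoder.matches(). */
public class PasswordCheckDemo {

    // One shared encoder is enough; BCrypt embeds salt and cost in each hash it produces.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    /** Registration side: hash the raw password once and persist only the hash. */
    public static String hashForStorage(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Login side: raw submitted password first, stored hash second, no re-encoding. */
    public static boolean passwordMatches(String rawSubmitted, String storedHash) {
        return ENCODER.matches(rawSubmitted, storedHash);
    }

    /**
     * The pattern from the question, reproduced for contrast: the submitted password is
     * encoded again (new random salt) and the arguments are reversed, so the stored hash is
     * treated as a "raw" password and hashed under the new salt. This can never match.
     */
    public static boolean brokenCheck(String rawSubmitted, String storedHash) {
        String reEncoded = ENCODER.encode(rawSubmitted);
        return ENCODER.matches(storedHash, reEncoded);
    }

    public static void main(String[] args) {
        String rawPassword = "password"; // constructed sample value, as in the question

        // What /register should persist for this user.
        String stored = hashForStorage(rawPassword);
        // Encoding the same password again yields a different string because of the random salt.
        String storedAgain = hashForStorage(rawPassword);

        System.out.println("stored hash            : " + stored);
        System.out.println("hash of same password  : " + storedAgain);
        System.out.println("hashes are identical   : " + stored.equals(storedAgain));
        System.out.println("correct check, right pw: " + passwordMatches(rawPassword, stored));
        System.out.println("correct check, wrong pw: " + passwordMatches("not-the-password", stored));
        System.out.println("question's pattern     : " + brokenCheck(rawPassword, stored));
    }
}
```

Applied to the question's /login1 method, the fix is to drop the encoder.encode(...) line and call encoder.matches(rphon.getEncPwd(), user.getPassword()) instead. Two further points a reviewer would raise on that method: the "auth=yes" cookie is a plain client-side flag and must not be treated as proof of authentication on later requests (the SecurityContext, persisted in the HTTP session by Spring Security, is what actually carries the login), and the constant "password" in /register should be replaced with the password the user actually submitted, otherwise every account shares one credential.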

