{"id":89051,"date":"2019-03-02T15:15:41","date_gmt":"2019-03-02T13:15:41","guid":{"rendered":"https:\/\/www.javacodegeeks.com\/?p=89051"},"modified":"2019-03-01T09:28:07","modified_gmt":"2019-03-01T07:28:07","slug":"password-encoder-migration-spring-security-5","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2019\/03\/password-encoder-migration-spring-security-5.html","title":{"rendered":"Password Encoder Migration with Spring Security 5"},"content":{"rendered":"

Recently I was working in a project that used a custom PasswordEncoder<\/code> and there was a requirement to migrate it to bcrypt<\/a>. The current passwords are stored as hash<\/code> which means it\u2019s not possible to revert it to the original String<\/code> – at least not in an easy way.<\/p>\n

The challenge here was how to support both implementations, the old hash solution along with the new bcrypt<\/code> implementation. After a little research I could find Spring Security 5\u2019s<\/a> DelegatingPasswordEncoder<\/code>.<\/p>\n

Meet DelegatingPasswordEncoder<\/h2>\n

The DelegatingPasswordEncoder<\/code> class makes it possible to support multiple password encoders<\/code> based on a prefix<\/em>. The password is stored like this:<\/p>\n

{bcrypt}$2a$10$vCXMWCn7fDZWOcLnIEhmK.74dvK1Eh8ae2WrWlhr2ETPLoxQctN4.\n{noop}plaintextpassword<\/pre>\n
Spring Security 5<\/a> brings the handy PasswordEncoderFactories<\/code> class, currently this class supports the following encoders:<\/p>\n
public static PasswordEncoder createDelegatingPasswordEncoder() {\n    String encodingId = \"bcrypt\";\n    Map<String, PasswordEncoder> encoders = new HashMap<>();\n    encoders.put(encodingId, new BCryptPasswordEncoder());\n    encoders.put(\"ldap\", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());\n    encoders.put(\"MD4\", new org.springframework.security.crypto.password.Md4PasswordEncoder());\n    encoders.put(\"MD5\", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder(\"MD5\"));\n    encoders.put(\"noop\", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());\n    encoders.put(\"pbkdf2\", new Pbkdf2PasswordEncoder());\n    encoders.put(\"scrypt\", new SCryptPasswordEncoder());\n    encoders.put(\"SHA-1\", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder(\"SHA-1\"));\n    encoders.put(\"SHA-256\", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder(\"SHA-256\"));\n    encoders.put(\"sha256\", new org.springframework.security.crypto.password.StandardPasswordEncoder());\n\n    return new DelegatingPasswordEncoder(encodingId, encoders);\n}<\/pre>\n
Now instead of declaring a single PasswordEncoder<\/code> we can use the PasswordEncoderFactories<\/code>, like this snippet of code:<\/p>\n
@Bean\npublic PasswordEncoder passwordEncoder() {\n    return PasswordEncoderFactories.createDelegatingPasswordEncoder();\n}<\/pre>\n
Adding a Custom Encoder<\/h2>\n
Now, getting back to my initial problem, for legacy reasons there is a homegrown password encoding<\/code> solution, and the handy PasswordEncoderFactories<\/code> knows nothing about it, to solve that I\u2019ve created a class similar to the PasswordEncoderFactories<\/code> and I\u2019ve added all the built-in encoders along with my custom one, here\u2019s a sample implementation:
 
<\/div> <\/div><\/p>\n
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;\nimport org.springframework.security.crypto.password.DelegatingPasswordEncoder;\nimport org.springframework.security.crypto.password.PasswordEncoder;\nimport org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;\nimport org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;\n\nimport java.util.HashMap;\nimport java.util.Map;\n\nclass DefaultPasswordEncoderFactories {\n\n    @SuppressWarnings(\"deprecation\")\n    static PasswordEncoder createDelegatingPasswordEncoder() {\n        String encodingId = \"bcrypt\";\n        Map<String, PasswordEncoder> encoders = new HashMap<>();\n        encoders.put(encodingId, new BCryptPasswordEncoder());\n        encoders.put(\"ldap\", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());\n        encoders.put(\"MD4\", new org.springframework.security.crypto.password.Md4PasswordEncoder());\n        encoders.put(\"MD5\", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder(\"MD5\"));\n        encoders.put(\"noop\", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());\n        encoders.put(\"pbkdf2\", new Pbkdf2PasswordEncoder());\n        encoders.put(\"scrypt\", new SCryptPasswordEncoder());\n        encoders.put(\"SHA-1\", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder(\"SHA-1\"));\n        encoders.put(\"SHA-256\", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder(\"SHA-256\"));\n        encoders.put(\"sha256\", new org.springframework.security.crypto.password.StandardPasswordEncoder());\n        encoders.put(\"custom\", new CustomPasswordEncoder());\n\n        return new DelegatingPasswordEncoder(encodingId, encoders);\n    }\n}<\/pre>\n
And then I declared my @Bean<\/code> using the DefaultPasswordEncoderFactories<\/code> instead.<\/p>\n
After my first run I realized another problem, I would have to run a SQL<\/code> script to update all the existing passwords adding the {custom}<\/code> prefix so the framework could properly bind the prefix with the right PasswordEncoder<\/code>, don\u2019t get me wrong it\u2019s an fine solution but I really did not want to mess around with existing passwords in the database and luckily for us the DelegatingPasswordEncoder<\/code> class allows us to set a default<\/em> PasswordEncoder<\/code>, it means whenever the framework tries doesn\u2019t find a prefix in the stored password it will fallback to the default<\/code> one to try to decode it.<\/p>\n
Then I changed my implementation to the following:<\/p>\n
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;\nimport org.springframework.security.crypto.password.DelegatingPasswordEncoder;\nimport org.springframework.security.crypto.password.PasswordEncoder;\nimport org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;\nimport org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;\n\nimport java.util.HashMap;\nimport java.util.Map;\n\nclass DefaultPasswordEncoderFactories {\n\n    @SuppressWarnings(\"deprecation\")\n    static PasswordEncoder createDelegatingPasswordEncoder() {\n        String encodingId = \"bcrypt\";\n        Map<String, PasswordEncoder> encoders = new HashMap<>();\n        encoders.put(encodingId, new BCryptPasswordEncoder());\n        encoders.put(\"ldap\", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());\n        encoders.put(\"MD4\", new org.springframework.security.crypto.password.Md4PasswordEncoder());\n        encoders.put(\"MD5\", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder(\"MD5\"));\n        encoders.put(\"noop\", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());\n        encoders.put(\"pbkdf2\", new Pbkdf2PasswordEncoder());\n        encoders.put(\"scrypt\", new SCryptPasswordEncoder());\n        encoders.put(\"SHA-1\", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder(\"SHA-1\"));\n        encoders.put(\"SHA-256\", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder(\"SHA-256\"));\n\n        DelegatingPasswordEncoder delegatingPasswordEncoder = new DelegatingPasswordEncoder(encodingId, encoders);\n        delegatingPasswordEncoder.setDefaultPasswordEncoderForMatches(new CustomPasswordEncoder());\n        return delegatingPasswordEncoder;\n    }\n\n}<\/pre>\n
And the @Bean<\/code> declaration is now:<\/p>\n
@Bean\npublic PasswordEncoder passwordEncoder() {\n    return DefaultPasswordEncoderFactories.createDelegatingPasswordEncoder();\n}<\/pre>\n
Conclusion<\/h2>\n
Migration password encoders is a real life problem and Spring Security 5<\/a> gives a quite handy way to easily handle it by supporting multiple PasswordEncoder<\/code>s at once.<\/p>\n
Footnote<\/h2>\n