Monday, February 23, 2015

Spring Security + Basic Auth + MD5Password encoding with salt all stored in Cassandra

I've just put together a simple Spring boot application that has REST endpoints secured by basic auth  with the users stored in Cassandra. I want the application to be completely stateless and will assume access is over HTTPS.

I found it surprisingly difficult to plug all this together with Java config, there are very few complete examples so I ended up spending more time looking at the Spring source than I expected. Ah well that just confirms my love of using open source libraries and frameworks.

Essentially you need an extension of the WebSecurityConfigurerAdapter class where you can programatically add your own UserDetailsService.

Here's my example, I'll explain it below.

Line 11: I've injected the MD5PasswordEncoder as I also use in the code that handles the creation of users in the database.

Line 14-22: Here is where we configure our custom UserDetailsService which I'll show later. We don't want to store user's passwords directly so we use the built in MD5PasswordEncoder. Just using a one way hash isn't good enough as people can break this with reverse lookup tables so we also want to sprinkle in some salt. Our implementation of the UserDetailsService will have a field called Salt and we use the ReflectiveSaltSource to pick it up. Given how common salting passwords is I was surprised there wasn't a separate interface where this was explicit, but ah well.

Line 25-34: Here we define what type of security we want, we tell Spring security to be stateless so it doesn't try and store anything in the container's session store. Then we enable BasicAuth and define the URLs we want to be authorised. The API for creating users is not authorised for obvious reasons.

Next we want to build an implementation of the UserDetailsService interface that checks Cassandra.

I won't go through the Cassandra code in the blog but just assume we have a DAO with the following interface:

If you're interested in the Cassandra code then checkout the while project from GitHub.

With that interface our UserDetailsService looks like this:

Here we use the awesome Optional + Lambda to throw if the user doesn't exist. Our DAO interface doesn't use Runtime exceptions as I like type systems, but this is a nice pattern to convert between a Optional and a library expecting exceptions.

The UserWithSalt is an extension of the Spring's User, with one extra field that the ReflectiveSaltSource will pick up for salting passwords.

That's pretty much it, when a request comes in Spring security will check if the path is authorised, if it is it will get the user details from our UserDetailsService and check the password my using the ReflectiveSaltSource and MD5PasswordEncoder. So our database only has the MD5 password and the salt used to generate it. The salt is self is generated using the Java SecureRandom when users are created.

Full source code is at GitHub and I've created the branch blog-spring-security in case you're reading this in the future and it has all changed!


Rathinam said...

It is very beneficial information for me, I really impressed. This is very nice article and continues sharing with us...
Unix Training in Chennai
Unix Training
Excel Training in Chennai
Oracle DBA Training in Chennai
Tableau Training in Chennai
Graphic Design Courses in Chennai
Placement Training in Chennai
Oracle Training in Chennai
Power BI Training in Chennai
Pega Training in Chennai
Advanced Excel Training in Chennai

hakocanss said...

hbar coin hangi borsada
btcst coin hangi borsada
vet coin hangi borsada
via coin hangi borsada
tron hangi borsada
juventus coin hangi borsada
beta coin hangi borsada
auto coin hangi borsada
mtl coin hangi borsada

Saisatcharitra said...

Amazing blog.
Sai satcharitra pdf
Sai Satcharitra Telugu Pdf
Sai Satcharitra Tamil Pdf
Sai Satcharitra Hindi Pdf
Sai Satcharitra Bengali Pdf

bharanidevi said...

Very nice post. Thank you for sharing with us.
Marriage matching in tamil
Rasi Natchathiram
Numerology Calculator in Tamil

hanumanchalisa said...

Very informative blog

Hanuman Chalisa Lyrics pdf
Hanuman Chalisa Tamil pdf
Hanuman Chalisa English Pdf
Hanuman Chalisa Hindi Pdf
Hanuman Chalisa Bengali Pdf
Hanuman Chalisa Malayalam Pdf
Hanuman Chalisa Gujarati Pdf
Hanuman Chalisa Kannada Pdf

hanumanchalisa said...

thanks for this post
Hanuman Chalisa Lyrics pdf

noorr said...

شركة مكافحة حشرات بالقصيم
شركة مكافحة حشرات بالاحساء