Ecosyste.ms: Awesome
Spring PasswordEncoders for LDAP encoded passwords
- Host: GitHub
- URL: https://github.com/sius/pencil
- Owner: sius
- License: apache-2.0
- Created: 2020-03-06T01:10:25.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2023-12-05T22:44:39.000Z (about 1 year ago)
- Last Synced: 2024-05-29T17:18:43.305Z (7 months ago)
- Topics: ldap, password-hash, spring-boot, spring-security
- Language: Java
- Homepage:
- Size: 177 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README
# Preliminary note
The salted secure hash algorithms used in this library do not meet today's security standards (and are deprecated or no longer supported in Spring Boot). They should therefore not be used. The library is intended only as support for developers who need to cope with legacy systems (LDAP) that still manage users with insecure password hashes and that cannot easily be removed from production use. Before using this library, check whether a password rotation procedure is possible, so that password hashes can always be generated or updated with a hash algorithm that complies with current security standards.
## Additional Spring Boot PasswordEncoders for Salted SHA encoded passwords
The third-party Spring Boot starter library provides a custom DelegatingPasswordEncoder Bean
for the following PasswordEncoder encode ids and aliases:
- bcrypt (`org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder`)
- scrypt (`org.springframework.security.crypto.scrypt.SCryptPasswordEncoder`)
- pbkdf2 (`org.springframework.security.crypto.password.Pbkdf2PasswordEncoder`)
- ldap, SHA, SSHA (SSHA1, SSHA-1) (`LdapShaPasswordEncoder`-compatible implementation of the legacy, non-secure Salted Secure Hash Algorithm)
- SSHA224 (SSHA-224), SSHA256 (SSHA-256), SSHA384 (SSHA-384), SSHA512 (SSHA-512)

The default PasswordEncoder for encoding is `BCryptPasswordEncoder`,
while a password matching challenge against an encoded password retrieves
a suitable PasswordEncoder identified by its leading encode identifier, e.g. `{SSHA512}`, `{bcrypt}` etc.
The default PasswordEncoder for encoding can be changed with the `liquer.pencil.default-encode-id` property, e.g.:
`liquer.pencil.default-encode-id: SSHA512`

## Usage
Add the `pencil-spring-boot-starter` dependency and inject the provided PasswordEncoder Bean.
```xml
<dependency>
  <groupId>io.liquer.pencil</groupId>
  <artifactId>pencil-spring-boot-starter</artifactId>
  <version>2.0.2</version>
</dependency>
```
> __IMPORTANT__:
> __Please do not use versions older than 2.0.1__:
> - Version 2.0.0 leaks the password hash to stdout
> - Versions < 2.0.0 fail to match long passwords due to a UTF-8 encoding bug
> See the [Changelog](./CHANGELOG.md).

_Field injection example_
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.password.PasswordEncoder;

// The starter's auto-configuration provides this PasswordEncoder Bean.
@Autowired
private PasswordEncoder passwordEncoder;
```
The auto-configuration, and thus the loading of the provided passwordEncoder Bean,
can be prevented by setting the environment property `liquer.pencil.enabled` to `false`.
```yaml
# application.yml
liquer.pencil.enabled: false
```
## Additional `DelegatingPasswordEncoder` options via Spring Boot properties
```yaml
liquer:
  pencil:
    enabled: true                # (default: true)
    default-encode-id: SSHA512   # The default encode id for encoding passwords. (default: bcrypt)
    uf-safe: false               # Whether to base64 encode password hashes URL- and file-safe. (default: false)
    no-padding: false            # Whether to base64 encode password hashes without padding. (default: false)
    salt-size: 8                 # The salt size in bytes. (default: 8)
```

Use a custom encoding identifier such as `{SSHA512}`, `{SSHA-512}`, ... when constructing a PasswordEncoder directly.
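The SSHA layout and the prefix-based matching described above, as an added Python example that is not part of the pencil library and does not use its API: the stored value is `{ID}` followed by base64(digest(password || salt) || salt), and matching parses the id, recovers the salt from the tail of the decoded bytes, recomputes the digest and compares in constant time. The `uf_safe`, `no_padding` and `salt_size` parameters mirror the starter's properties; the function names are my own.

```python
import base64
import hashlib
import hmac
import os

# Encode ids and aliases listed in the README, mapped to hashlib digest names.
SSHA_IDS = {
    "SSHA": "sha1", "SSHA1": "sha1", "SSHA-1": "sha1",
    "SSHA224": "sha224", "SSHA-224": "sha224",
    "SSHA256": "sha256", "SSHA-256": "sha256",
    "SSHA384": "sha384", "SSHA-384": "sha384",
    "SSHA512": "sha512", "SSHA-512": "sha512",
}

def ssha_encode(password, encode_id="SSHA512", salt=None, salt_size=8,
                uf_safe=False, no_padding=False):
    """Produce '{ID}' + base64(digest(password || salt) || salt), the LDAP SSHA layout."""
    digest_name = SSHA_IDS[encode_id]
    if salt is None:
        salt = os.urandom(salt_size)            # fresh random salt per stored password
    raw = hashlib.new(digest_name, password.encode("utf-8") + salt).digest() + salt
    b64 = (base64.urlsafe_b64encode if uf_safe else base64.b64encode)(raw).decode("ascii")
    if no_padding:
        b64 = b64.rstrip("=")
    return "{" + encode_id + "}" + b64

def ssha_matches(password, encoded):
    """Dispatch on the leading '{id}', recover the salt, recompute and compare."""
    if not encoded.startswith("{") or "}" not in encoded:
        return False
    encode_id, b64 = encoded[1:].split("}", 1)
    digest_name = SSHA_IDS.get(encode_id)
    if digest_name is None:
        return False  # {bcrypt}, {scrypt}, ...: not an SSHA value, another encoder must handle it
    # Accept both base64 alphabets and restore any stripped padding before decoding.
    b64 = b64.replace("-", "+").replace("_", "/")
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    digest_size = hashlib.new(digest_name).digest_size
    stored_digest, salt = raw[:digest_size], raw[digest_size:]
    computed = hashlib.new(digest_name, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, stored_digest)  # constant-time comparison
```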