-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Password salting does not work with a property on customer or AdminUser #441
Comments
Slightly more complicated than originally anticipated, because the salt source should operate on the primary key of customer (which will never change), rather than just operating on the username field. For maximum portability and cleanest integration with Spring, I think that the following should happen:
<!-- The BLC Authentication manager. -->
<sec:authentication-manager alias="blAuthenticationManager">
<sec:authentication-provider user-service-ref="blUserDetailsService">
<sec:password-encoder ref="blPasswordEncoder">
<sec:salt-source ref="blSaltSource" />
</sec:password-encoder>
</sec:authentication-provider>
</sec:authentication-manager>
<bean id="blSaltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
<property name="userPropertyToUse" value="id" />
</bean>
The same types of modifications should be made to the AdminUser domain and applicationContext-security-admin.xml. Also, all of the changes that I referenced should be just fine to make in the 3.0.x line. |
@phillipuniverse IMO, our customer should not depend on spring security. Using the username is fine (typical) as a salt. Implementors should require a password change if the username is being changed. |
@phillipuniverse This is also helpful and suggests using a Random salt. http://security.stackexchange.com/questions/8015/what-should-be-used-as-a-salt |
Rather than implement the Spring Security interfaces on our Broadleaf services and domain (like CustomerService and Customer), individual implementors can provide implementations of Springs UserDetailsService and UserDetails object so they can override the salting mechanism themselves. If they wanted to extend it they would just have to override what we did in the framework anyway; makes more sense for them to override what's already provided in Spring Security rather than another layer. Note that I changed the issue title here to reflect problems in the admin as well. In general, our password approach is:
I also provided some default Sha1 admin passwords and the Spring Security config via BroadleafCommerce/DemoSite#43 for all demo sites going forward. |
This works fine with a global salt but if you try to use a specific salt on a per-customer basis then you won't be able to login successfully.
The current salt paradigm (which only exists in CustomerService and AdminUserService) should be refactored to utilize Spring's SaltSource.
The text was updated successfully, but these errors were encountered: