Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SHA256 as an algorithm option for Remember Me token hashing #11464

Merged
merged 2 commits into from Jul 15, 2022
Merged

Add SHA256 as an algorithm option for Remember Me token hashing #11464

merged 2 commits into from Jul 15, 2022

Conversation

marcusdacoregio
Copy link
Contributor

Closes gh-8549

@marcusdacoregio marcusdacoregio added status: duplicate A duplicate of another issue in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Jul 5, 2022
@marcusdacoregio marcusdacoregio self-assigned this Jul 5, 2022
@marcusdacoregio marcusdacoregio mentioned this pull request Jul 5, 2022
Closed
skjelmo
skjelmo reviewed Jul 7, 2022
View reviewed changes
Copy link

@skjelmo skjelmo left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I love it that this PR offers the possibility to configure a secure hashing algorithm for the Remember Me token 🙌

The possibility to use a secure hashing algorithm is way more important than the concern I'm raising here, but I assume this is the time and place to ask the following question.

I see from the previous PR that there was a suggestion to use setter ingestion with the argument that the hashing algorithm is an optional parameter.

I agree with the argument, and the parameter is obviously optional from the code's point of view. However, I'm not confident that the assumption holds when the default option is cryptographically insecure.

Would it not be better for users who needs a cryptographically secure hashing algorithm to have it be set as a final field with constructor injection, so that it could not be changed (downgraded to an insecure hashing algorithm) by a setter during runtime? Or is my concern way off?

The configuration would still be optional without a breaking change so that it doesn't have to wait until Spring Security 6.

Lastly, I really hope this PR makes it through the review process and into Spring Security. From what I can see, there has been 1, 2, 3, 4 PRs before this attempt to address #8549.

jzheaux
jzheaux requested changes Jul 11, 2022
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great, @marcusdacoregio! I've left some inlined feedback.

docs/modules/ROOT/pages/servlet/authentication/rememberme.adoc Outdated Show resolved Hide resolved
...org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServices.java Outdated Show resolved Hide resolved
...org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServices.java Show resolved Hide resolved
@marcusdacoregio marcusdacoregio added this to the 5.8.0-M1 milestone Jul 13, 2022
@marcusdacoregio
Copy link
Contributor Author

Thanks @jzheaux and @skjelmo.

The PR is updated with the suggested changes.

@marcusdacoregio
Add SHA256 as an algorithm option for Remember Me token hashing
b14ec91 
Closes spring-projectsgh-8549
@marcusdacoregio
Polish
baf330c 
Make encodingAlgorithm final and add it to the constructor
Add since tags
Add more tests
@marcusdacoregio marcusdacoregio merged commit dda98f3 into spring-projects:main Jul 15, 2022
@basil basil mentioned this pull request Nov 21, 2022
Merged
11 tasks
basil added a commit to jenkinsci/jenkins that referenced this pull request Nov 21, 2022
@basil
Adapt to spring-projects/spring-security#11464
c11db2a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skjelmo skjelmo skjelmo left review comments

@jzheaux jzheaux jzheaux approved these changes

Assignees

@marcusdacoregio marcusdacoregio

Labels
in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
5.8.0-M1
Development

Successfully merging this pull request may close these issues.

Provide alternative for MD5 hashing in remember me token
3 participants
@marcusdacoregio @jzheaux @skjelmo