Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change password encoder for bcrypt to pbkdf2 #424

Closed
3 of 4 tasks
btkobayashirun opened this issue Aug 21, 2018 · 1 comment
Closed
3 of 4 tasks

Change password encoder for bcrypt to pbkdf2 #424

btkobayashirun opened this issue Aug 21, 2018 · 1 comment
Assignees
@btkobayashirun
Labels
version: 5.5.0 version: 5.5.1
Milestone
5.5.1

Comments

@btkobayashirun
Copy link
Contributor

btkobayashirun commented Aug 21, 2018
edited by hirakuriy
Loading

Description

Change the bean of the PasswordEncoder defined in applicationContext.
https://github.com/terasolunaorg/terasoluna-gfw-web-multi-blank/blob/master/projectName-web/src/main/resources/META-INF/spring/applicationContext.xml#L12

The changed password encoder calls Pbkdf2PasswordEncoder via DelegatingPasswordEncoder.

Possible Solutions

1, Create a PasswordEncoder's FactoryBean
2, Set DelegatingPasswordEncoder to be encoded by Pbkdf2 algorithm to FactoryBean.
3, Define bean in applicationContext.xml

Affects Version/s

  • 5.X.X.RELEASE

Fix Version/s

  • 5.5.0
  • 1.6.0 (m-j/)
  • 1.6.0 (m-t/)

Final Solution

Password encoder that can be used with DelegatingPasswordEncoder is determined to be less than recommended by OWASP.

  • Pbkdf2PasswordEncoder (Encoding and matching)
  • BCryptPasswordEncoder (matching only)
  • SCryptPasswordEncoder (matching only)
    Note : SCryptPasswordEncoder only Comment out as dependency needs to be added.

https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Impose_infeasible_verification_on_attacker

Migrating Guide

  • Required

Issue Links
btkobayashirun added a commit that referenced this issue Aug 22, 2018
@btkobayashirun
change passwordencoder fot bcrypt to delegating(pbkdf2) #424
d997278
@btkobayashirun btkobayashirun mentioned this issue Aug 22, 2018
Merged
btkobayashirun added a commit that referenced this issue Aug 27, 2018
@btkobayashirun
fix definition method of password encoder #424
be08b82
btkobayashirun added a commit that referenced this issue Aug 27, 2018
@btkobayashirun
add encoder that can be used with delegatingPasswordEncoder #424
1c97cad
yoshikawaa pushed a commit that referenced this issue Aug 29, 2018
@btkobayashirun @yoshikawaa
change passwordencoder fot bcrypt to delegating(pbkdf2) #424 (#425)
25bcc4e 
* change passwordencoder fot bcrypt to delegating(pbkdf2) #424

* fix definition method of password encoder #424

* add encoder that can be used with delegatingPasswordEncoder #424
@hirakuriy hirakuriy added this to the Oct. Rv1 milestone Sep 3, 2018
btkobayashirun added a commit that referenced this issue Sep 7, 2018
@btkobayashirun
add comment out the definition of password encoder #424
4a7c00a
@btkobayashirun btkobayashirun mentioned this issue Sep 7, 2018
Merged
btkobayashirun added a commit that referenced this issue Sep 12, 2018
@btkobayashirun
fix comment out contents #424
5b48643
btkobayashirun added a commit that referenced this issue Sep 20, 2018
@btkobayashirun
add dependency of bouncycastle #424
753ac9f
btkobayashirun added a commit that referenced this issue Sep 27, 2018
@btkobayashirun
add description and move location #424
97b8049
btkobayashirun added a commit that referenced this issue Sep 28, 2018
@btkobayashirun
fix dependency of bouncycastle #424
49996b1
bttanakaysd pushed a commit that referenced this issue Sep 28, 2018
@btkobayashirun @bttanakaysd
add comment out the definition of password encoder #424 (#432)
aa9eeca 
* add comment out the definition of password encoder #424

* fix comment out contents #424

* add dependency of bouncycastle #424

* add description and move location #424

* fix dependency of bouncycastle #424
bttanakaysd added a commit that referenced this issue Sep 28, 2018
@bttanakaysd
Revert "add comment out the definition of password encoder #424 (#432)"
82052e1 
This reverts commit aa9eeca.
btkobayashirun added a commit that referenced this issue Oct 1, 2018
@btkobayashirun
change definition location from web to domain #424
fc8d9bd
@btkobayashirun btkobayashirun mentioned this issue Oct 1, 2018
Merged
bttanakaysd pushed a commit that referenced this issue Oct 2, 2018
@btkobayashirun @bttanakaysd
change definition location from web to domain #424 (#435)
5c0b8e8
@hirakuriy hirakuriy modified the milestones: Oct. Rv1, 5.5.0.RELEASE Dec 5, 2018
@hirakuriy
Copy link

@btkobayashirun @yoshikawaa
Reopen this issue.
See terasolunaorg/terasoluna-gfw-web-blank#370 (comment)

@hirakuriy hirakuriy reopened this Feb 21, 2019
@hirakuriy hirakuriy removed this from the 5.5.0.RELEASE milestone Feb 21, 2019
@hirakuriy hirakuriy added this to the 5.5.1.RELEASE milestone Feb 21, 2019
btkobayashirun added a commit that referenced this issue Mar 12, 2019
@btkobayashirun
remove SCryptPasswordEncoder #424
387a9f3
@btkobayashirun btkobayashirun mentioned this issue Mar 12, 2019
Merged
btkobayashirun added a commit that referenced this issue Mar 13, 2019
@btkobayashirun
delete difinition of bouncycastle #424
371434e
btkobayashirun added a commit that referenced this issue Mar 13, 2019
@btkobayashirun
delete bouncycastle for domain #424
d8ef35a
yoshikawaa pushed a commit that referenced this issue Mar 13, 2019
@btkobayashirun @yoshikawaa
remove dependency of bcprov-jdk15on #424 (#447)
0878a28 
* delete difinition of bouncycastle #424

* delete bouncycastle for domain #424
This was referenced Jan 17, 2020
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@btkobayashirun btkobayashirun

Labels
version: 5.5.0 version: 5.5.1
Projects
None yet
Milestone
5.5.1
Development

No branches or pull requests
3 participants
@yoshikawaa @btkobayashirun @hirakuriy