include::../summary.adoc[]

== Why is this an issue?

include::../rationale.adoc[]

include::../impact.adoc[]

== How to fix it in Spring

=== Code examples

==== Noncompliant code example

The following code is vulnerable because it uses a legacy digest-based password
encoding that is not considered secure.

[source,java,diff-id=1,diff-type=noncompliant]
----
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception {
    auth.jdbcAuthentication()
        .dataSource(dataSource)
        .usersByUsernameQuery("SELECT * FROM users WHERE username = ?")
        .passwordEncoder(new StandardPasswordEncoder()); // Noncompliant
}
----

==== Compliant solution

[source,java,diff-id=1,diff-type=compliant]
----
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception {
    auth.jdbcAuthentication()
        .dataSource(dataSource)
        .usersByUsernameQuery("SELECT * FROM users WHERE username = ?")
        .passwordEncoder(new BCryptPasswordEncoder());
}
----

=== How does this work?

include::../common/fix/password-hashing.adoc[]

In the previous example, the ``BCryptPasswordEncoder`` is a password hashing
function in Java that is designed to be secure and resistant to various types
of attacks, including brute-force and rainbow table attacks. It is slow,
adaptive, and automatically generates and embeds a salt.

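The following is an added example (not part of this rule description nor of Spring Security's own code) that exercises the three properties described above on a standalone ``BCryptPasswordEncoder``: a fresh salt per hash, a tunable work factor, and verification that needs no separately stored salt. The class name, the work factors and the sample password are assumptions chosen for the demonstration.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not code from the rule page or from Spring Security itself.
public class BcryptDemo {

    // Work factor 12 means 2^12 key-setup rounds; raise it as hardware gets faster.
    // (12 is an assumed value for this demo, not a rule recommendation.)
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(12);

    public static void main(String[] args) {
        String password = "correct horse battery staple"; // constructed sample input

        // Two encodings of the same password differ because a fresh random salt
        // is generated on every call; salt and cost are embedded in the "$2a$12$..." string.
        String hash1 = ENCODER.encode(password);
        String hash2 = ENCODER.encode(password);
        System.out.println("hash1: " + hash1);
        System.out.println("hash2: " + hash2);
        System.out.println("hashes differ: " + !hash1.equals(hash2));

        // matches() re-derives the hash from the salt and cost stored inside the
        // encoded value, so the users table needs no separate salt column.
        System.out.println("correct password matches: " + ENCODER.matches(password, hash1));
        System.out.println("wrong password matches:   " + ENCODER.matches("Tr0ub4dor&3", hash1));

        // A hash produced with a lower cost is reported as needing an upgrade, which
        // lets an application re-hash on the next successful login and raise the
        // work factor over time without forcing password resets.
        String olderHash = new BCryptPasswordEncoder(10).encode(password);
        System.out.println("older hash should be upgraded: " + ENCODER.upgradeEncoding(olderHash));
    }
}
```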
include::../common/fix/plaintext-password.adoc[]

=== Pitfalls

include::../common/pitfalls/pre-hashing.adoc[]

== Resources

=== Documentation

* Spring Framework Security Documentation - https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html[Class BCryptPasswordEncoder]
* OWASP CheatSheet - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html[Password Storage Cheat Sheet]

include::../common/resources/standards-mobile.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Use a secure password hashing algorithm.

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]