84 lines
2.2 KiB
Plaintext
84 lines
2.2 KiB
Plaintext
include::../summary.adoc[]
|
|
|
|
== Why is this an issue?
|
|
|
|
include::../rationale.adoc[]
|
|
|
|
include::../impact.adoc[]
|
|
|
|
== How to fix it in Spring
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
The following code is vulnerable because it uses a legacy digest-based password
|
|
encoding that is not considered secure.
|
|
|
|
[source,java,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
@Autowired
|
|
public void configureGlobal(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception {
|
|
auth.jdbcAuthentication()
|
|
.dataSource(dataSource)
|
|
.usersByUsernameQuery("SELECT * FROM users WHERE username = ?")
|
|
.passwordEncoder(new StandardPasswordEncoder()); // Noncompliant
|
|
}
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,java,diff-id=1,diff-type=compliant]
|
|
----
|
|
@Autowired
|
|
public void configureGlobal(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception {
|
|
auth.jdbcAuthentication()
|
|
.dataSource(dataSource)
|
|
.usersByUsernameQuery("SELECT * FROM users WHERE username = ?")
|
|
.passwordEncoder(new BCryptPasswordEncoder());
|
|
}
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../common/fix/password-hashing.adoc[]
|
|
|
|
In the previous example, the ``BCryptPasswordEncoder`` is a password hashing
|
|
function in Java that is designed to be secure and resistant to various types
|
|
of attacks, including brute-force and rainbow table attacks. It is slow,
|
|
adaptative, and automatically implements a salt.
|
|
|
|
include::../common/fix/plaintext-password.adoc[]
|
|
|
|
=== Pitfalls
|
|
|
|
include::../common/pitfalls/pre-hashing.adoc[]
|
|
|
|
|
|
== Resources
|
|
|
|
=== Documentation
|
|
|
|
* Spring Framework Security Documentation - https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html[Class BCryptPasswordEncoder]
|
|
* OWASP CheatSheet - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html[Password Storage Cheat Sheet]
|
|
|
|
include::../common/resources/standards.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Use a secure password hashing algorithm.
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|