bcrypt for passwords

Author: phasenraum2010

src/main/java/org/woehlke/greenshop/admin/service/AdministratorServiceImpl.java

@@ -2,6 +2,7 @@
 
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.transaction.annotation.Propagation;
 import org.springframework.transaction.annotation.Transactional;
 import org.woehlke.greenshop.admin.entities.Administrator;
@@ -24,6 +25,9 @@ public class AdministratorServiceImpl implements AdministratorService {
     @Inject
     private AdministratorRepository administratorRepository;
 
+    @Inject
+    private PasswordEncoder encoder;
+
     @Override
     public List<Administrator> findAllAdministrators() {
         return administratorRepository.findAll();
@@ -39,15 +43,15 @@ public Administrator findAdministratorById(long administratorId) {
     public void update(Administrator thisAdministrator) {
         Administrator original = administratorRepository.findOne(thisAdministrator.getId());
         if(original.getUserPassword().compareTo(thisAdministrator.getUserPassword())!=0){
-            thisAdministrator.setUserPassword(md5(thisAdministrator.getUserPassword()));
+            thisAdministrator.setUserPassword(encoder.encode(thisAdministrator.getUserPassword()));
         }
         thisAdministrator = administratorRepository.save(thisAdministrator);
     }
 
     @Override
     @Transactional(readOnly=false,propagation=Propagation.REQUIRES_NEW)
     public void create(Administrator thisAdministrator) {
-        thisAdministrator.setUserPassword(md5(thisAdministrator.getUserPassword()));
+        thisAdministrator.setUserPassword(encoder.encode(thisAdministrator.getUserPassword()));
         thisAdministrator = administratorRepository.save(thisAdministrator);
     }
 
@@ -64,6 +68,7 @@ public UserDetails loadUserByUsername(String username) throws UsernameNotFoundEx
         return new AdministratorBean(administrator);
     }
 
+    /*
     private String md5(String input){
         MessageDigest md = null;
         try {
@@ -79,4 +84,5 @@ private String md5(String input){
         }
         return sb.toString();
     }
+    */
 }

src/main/java/org/woehlke/greenshop/customer/CustomerServiceImpl.java

@@ -9,11 +9,9 @@
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.data.domain.Sort;
-import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
-import org.springframework.security.authentication.encoding.PasswordEncoder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.transaction.annotation.Propagation;
 import org.springframework.transaction.annotation.Transactional;
 import org.woehlke.greenshop.catalog.entities.Language;
@@ -66,8 +64,10 @@ public class CustomerServiceImpl implements CustomerService {
     @Inject
     private ReviewRepository reviewRepository;
 
+	@Inject
+	private PasswordEncoder encoder;
 
-    @Override
+	@Override
 	@Transactional(readOnly=false,propagation=Propagation.REQUIRES_NEW)
 	public void createNewCustomer(
 			CreateNewCustomerFormBean createNewCustomerFormBean) {
@@ -114,9 +114,7 @@ private Customer createNewCustomerFormBean2Customer(CreateNewCustomerFormBean cr
 		customer.setGender(createNewCustomerFormBean.getGender());
 		customer.setLastname(createNewCustomerFormBean.getLastname());
 		customer.setNewsletter(createNewCustomerFormBean.getNewsletter());
-		//TODO: password encryption like in PHP
-		PasswordEncoder encoder = new Md5PasswordEncoder();
-		String codedPassword = encoder.encodePassword(createNewCustomerFormBean.getPassword(),null);
+		String codedPassword = encoder.encode(createNewCustomerFormBean.getPassword());
 		customer.setPassword(codedPassword);
 		customer.setTelephone(createNewCustomerFormBean.getTelephone());
 		return customer;

src/main/resources/security-context.xml

@@ -75,15 +75,20 @@
 		<security:custom-filter before="FORM_LOGIN_FILTER" ref="authenticationFilterCustomer" />
   	</security:http>
 
+	<!-- https://www.dailycred.com/article/bcrypt-calculator -->
+	<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
+		<constructor-arg name="strength" value="10" />
+	</bean>
+
 	<security:authentication-manager alias="authenticationManagerAdmin">
 		<security:authentication-provider user-service-ref="administratorService">
-			<security:password-encoder hash="md5"/>
+			<security:password-encoder ref="encoder"/>
 		</security:authentication-provider>
 	</security:authentication-manager>
 
   	<security:authentication-manager id="authenticationManagerCustomer">
     	<security:authentication-provider user-service-ref="customerService">
-    		<security:password-encoder hash="md5"/>
+    		<security:password-encoder ref="encoder"/>
     	</security:authentication-provider>
   	</security:authentication-manager>