Spring Security

Hi, is it possible to modify how Spring Security deals with passwords? Actually, I would like my password to stay only in my database and never retrieve it, just checking whether the password matches for the account. But everywhere, including in UserDetails, I have to give Spring access to the password.
26 Replies
JavaBot
JavaBot16mo ago
This post has been reserved for your question.
Hey @Pseudow! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically closed after 300 minutes of inactivity.
TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.
straightface
straightface16mo ago
you could write a custom authentication provider, autowire your database and run a function call on the database
Pseudow
PseudowOP16mo ago
but how can I deal with the UsernamePasswordAuthenticationToken then? Even if I modify the authentication provider, it will still have some internal objects that require this password field, right?
Unknown User
Unknown User16mo ago
Message Not Public
Pseudow
PseudowOP16mo ago
but I mean the password hash, not the password itself
Unknown User
Unknown User16mo ago
Message Not Public
Pseudow
PseudowOP16mo ago
don't worry bro, I am already using Argon2 to protect my passwords in my database
straightface
straightface16mo ago
```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

public class DatabaseAuthenticationProvider implements AuthenticationProvider {
    private final AuthenticationService authenticationService; // your own service that checks the password in the database
    private final UserDetailsService userDetailsService;       // loads username + authorities, no password needed here
    public DatabaseAuthenticationProvider(AuthenticationService authenticationService, UserDetailsService userDetailsService) {
        this.authenticationService = authenticationService;
        this.userDetailsService = userDetailsService;
    }
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        String password = authentication.getCredentials().toString();
        // Custom logic: the database-backed service validates the credentials, so the stored hash never enters the app
        boolean passwordMatches = authenticationService.authenticate(username, password);
        if (!passwordMatches) {
            throw new BadCredentialsException("Bad credentials"); // any AuthenticationException rejects the login
        }
        // Retrieve the user's authorities by username from the UserDetailsService
        UserDetails userDetails = userDetailsService.loadUserByUsername(username);
        // Fully authenticated token; ProviderManager erases its credentials after a successful authentication
        return new UsernamePasswordAuthenticationToken(userDetails, password, userDetails.getAuthorities());
    }
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```
Pseudow
PseudowOP16mo ago
but it would be so much better not to have the password in my JVM somewhere in its memory
straightface
straightface16mo ago
something like this
Pseudow
PseudowOP16mo ago
but again, in UsernamePasswordAuthenticationToken I have to specify the password; can I let it be null?
straightface
straightface16mo ago
I don't remember, try and see
Pseudow
PseudowOP16mo ago
okay
Unknown User
Unknown User16mo ago
Message Not Public
Pseudow
PseudowOP16mo ago
because it feels so much weirder having a hashed password somewhere in my application; I think it's much safer if it's only in the database
Unknown User
Unknown User16mo ago
Message Not Public
Pseudow
PseudowOP16mo ago
I know, but it just doesn't feel right. But ig Spring won't let me do that
Unknown User
Unknown User16mo ago
Message Not Public
straightface
straightface16mo ago
I mean you're still getting the password in the JVM from the user, no getting around that unless OAuth or something
Unknown User
Unknown User16mo ago
Message Not Public
Pseudow
PseudowOP16mo ago
yes I would like to do that, but I just have to implement the AuthenticationProvider myself? Because even UsernamePasswordAuthenticationToken requires this field
straightface
straightface16mo ago
just pass in null
Pseudow
PseudowOP16mo ago
okay I'll try to do that
straightface
straightface16mo ago
I am not a security expert, do not use in prod without testing
Pseudow
PseudowOP16mo ago
yes I was gonna test that anyway, but I am far away from prod lol
JavaBot
JavaBot16mo ago
💤 Post marked as dormant
This post has been inactive for over 300 minutes, thus, it has been archived. If your question was not answered yet, feel free to re-open this post or create a new one. In case your post is not getting any attention, you can try to use /help ping. Warning: abusing this will result in moderative actions taken against you.