4 Dealing with passwords


This chapter covers

  • Implementing and working with the PasswordEncoder

  • Using the tools offered by the Spring Security Crypto module

In chapter 3, we discussed managing users in an application implemented with Spring Security. But what about passwords? They’re certainly an essential piece in the authentication flow. In this chapter, you’ll learn how to manage passwords and secrets in an application implemented with Spring Security. We’ll discuss the PasswordEncoder contract and the tools offered by the Spring Security Crypto module (SSCM) for the management of passwords.

4.1 Understanding the PasswordEncoder contract

From chapter 3, you should now have a clear picture of what the UserDetails interface is, as well as multiple ways to use its implementation. But as you learned in chapter 2, different actors manage the user representation during the authentication and authorization processes. You also learned that some of these actors have defaults, like UserDetailsService and PasswordEncoder, and that you can override those defaults. We continue building a deeper understanding of these beans and of ways to implement them, so in this section we analyze the PasswordEncoder. Figure 4.1 reminds you of where the PasswordEncoder fits into the authentication process.

Figure 4.1 The Spring Security authentication process. The AuthenticationProvider uses the PasswordEncoder to validate the user’s password in the authentication process.
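To make the role shown in figure 4.1 concrete, here is an added example (not code from the book) of a class implementing Spring Security's PasswordEncoder contract. The contract itself is real: `encode(CharSequence)` transforms a raw password into its stored form, `matches(CharSequence, String)` checks a submitted password against a stored encoding, and the provider in figure 4.1 is what calls `matches` during authentication. The hashing scheme, the `pbkdf2$...` storage format and the iteration count are assumptions made for illustration; Spring Security ships its own provided implementations (covered in section 4.1.3), which you would normally prefer over writing your own.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added illustration of the PasswordEncoder contract using the JDK's PBKDF2.
// Stored form (assumed format for this example): pbkdf2$<iterations>$<base64 salt>$<base64 hash>
public class Pbkdf2DemoPasswordEncoder implements PasswordEncoder {

    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int SALT_BYTES = 16;
    private static final int HASH_BITS = 256;
    private static final int ITERATIONS = 310_000; // assumption: cost factor chosen for illustration
    private final SecureRandom random = new SecureRandom();

    @Override
    public String encode(CharSequence rawPassword) {
        // A fresh random salt per password means equal passwords never share a stored value
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        byte[] hash = derive(rawPassword, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2$" + ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        if (rawPassword == null || encodedPassword == null) {
            return false;
        }
        String[] parts = encodedPassword.split("\\$");
        if (parts.length != 4 || !"pbkdf2".equals(parts[0])) {
            return false; // not a value this encoder produced
        }
        int iterations;
        byte[] salt;
        byte[] expected;
        try {
            iterations = Integer.parseInt(parts[1]);
            salt = Base64.getDecoder().decode(parts[2]);
            expected = Base64.getDecoder().decode(parts[3]);
        } catch (IllegalArgumentException e) {
            return false; // malformed stored value
        }
        byte[] actual = derive(rawPassword, salt, iterations);
        // Constant-time comparison: a mismatch reveals nothing about where the bytes differ
        return MessageDigest.isEqual(expected, actual);
    }

    @Override
    public boolean upgradeEncoding(String encodedPassword) {
        // Signal that a stored value hashed with fewer iterations than current should be re-encoded
        String[] parts = encodedPassword.split("\\$");
        try {
            return parts.length == 4 && Integer.parseInt(parts[1]) < ITERATIONS;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    private static byte[] derive(CharSequence rawPassword, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(rawPassword.toString().toCharArray(), salt, iterations, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 is not available in this JVM", e);
        } finally {
            spec.clearPassword(); // wipe the password chars held by the spec
        }
    }

    // Stand-alone check: the stored form verifies, and a wrong password does not
    public static void main(String[] args) {
        PasswordEncoder encoder = new Pbkdf2DemoPasswordEncoder();
        String stored = encoder.encode("correct horse battery staple"); // constructed sample password
        System.out.println("stored:  " + stored);
        System.out.println("matches: " + encoder.matches("correct horse battery staple", stored)); // true
        System.out.println("wrong:   " + encoder.matches("wrong password", stored));               // false
    }
}
```

The point to take from the contract is that `matches` never decodes anything: it re-derives the hash from the submitted password and the stored salt and compares the two, which is why the provider in figure 4.1 only ever needs the stored encoding, not the original password.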

4.1.1 The definition of the PasswordEncoder contract

4.1.2 Implementing the PasswordEncoder contract

4.1.3 Choosing from the provided implementations of PasswordEncoder

4.1.4 Multiple encoding strategies with DelegatingPasswordEncoder

4.2 More about the Spring Security Crypto module

4.2.1 Using key generators

4.2.2 Using encryptors for encryption and decryption operations

Summary
