4 Dealing with passwords

This chapter covers

  • Implementing and working with the PasswordEncoder.
  • Using the tools offered by the Spring Security Crypto Module.

In chapter 3, we discussed managing users in an application implemented with Spring Security. But what about the passwords? They’re certainly an essential piece in the authorization flow. In this chapter, you’ll learn how to manage passwords and secrets in an application implemented with Spring Security. We’ll discuss the PasswordEncoder contract and the tools offered by the Spring Security Crypto Module for the management of passwords.

4.1      Understanding the PasswordEncoder contract

From chapter 3, you should now have a clear picture of what the UserDetails interface is and of the multiple ways to use its implementations. But as you learned in chapter 2, the user representation is handled during the authentication and authorization processes by several different actors. You also learned that some of them have defaults, such as the UserDetailsService and the PasswordEncoder, and that you can override those defaults. We will continue by building a deeper understanding of these beans and the ways to implement them; in this section, we analyze the PasswordEncoder. Figure 4.1 reminds you of the place the PasswordEncoder occupies in the authentication process.

Figure 4.1 The authentication process: The AuthenticationProvider uses the PasswordEncoder to validate the password of the user in the authentication process.
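As an added illustration of the contract shown in figure 4.1 (example code written for this page, not taken from the book), the snippet below wires a DelegatingPasswordEncoder and then does what an AuthenticationProvider does with a stored hash: it verifies the raw password and, when the stored hash uses an older scheme, re-encodes it with the current default. It assumes spring-security-crypto is on the classpath; the class name, the helper methods and the sample stored value are constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Constructed example class; not part of Spring Security or the book.
public class PasswordEncoderDemo {

    // New passwords are hashed under the "bcrypt" id. Hashes prefixed {noop}
    // (legacy plain text) are still recognised so that old entries can be
    // verified once and then upgraded, rather than accepted indefinitely.
    static PasswordEncoder buildEncoder() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        encoders.put("noop", NoOpPasswordEncoder.getInstance()); // legacy reads only
        return new DelegatingPasswordEncoder("bcrypt", encoders);
    }

    // Mirrors the AuthenticationProvider step from figure 4.1: matches() checks
    // the raw password against the stored hash; upgradeEncoding() reports
    // whether the stored hash should be replaced by one in the default scheme.
    static String verifyAndMaybeUpgrade(PasswordEncoder encoder,
                                        String rawPassword, String storedHash) {
        if (!encoder.matches(rawPassword, storedHash)) {
            throw new IllegalArgumentException("bad credentials");
        }
        return encoder.upgradeEncoding(storedHash)
                ? encoder.encode(rawPassword)   // persist this in place of storedHash
                : storedHash;
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = buildEncoder();

        // Constructed sample: a legacy record whose password was stored as {noop}.
        String legacyStored = "{noop}12345";
        String upgraded = verifyAndMaybeUpgrade(encoder, "12345", legacyStored);
        System.out.println("upgraded to bcrypt: " + upgraded.startsWith("{bcrypt}"));

        // bcrypt salts each hash, so two encodings of the same password differ,
        // yet both verify with matches().
        String first = encoder.encode("12345");
        String second = encoder.encode("12345");
        System.out.println("hashes differ: " + !first.equals(second));
        System.out.println("both verify: "
                + (encoder.matches("12345", first) && encoder.matches("12345", second)));
    }
}
```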

4.1.1   The definition of the PasswordEncoder contract

4.1.2   Implementing the PasswordEncoder contract

4.1.3   Choosing from the provided implementations of PasswordEncoder

4.1.4   Having multiple encoding strategies with DelegatingPasswordEncoder

4.2      More about the Spring Security Crypto Module

4.2.1   Using key generators

4.2.2   Using encryptors for encryption and decryption operations

4.3      Summary
