4 Managing passwords

This chapter covers

  • Implementing and working with the PasswordEncoder
  • Using the tools offered by the Spring Security Crypto module

In chapter 3, we discussed managing users in an application implemented with Spring Security. But what about passwords? They’re certainly an essential piece in the authentication flow. In this chapter, you’ll learn how to manage passwords and secrets in an application implemented with Spring Security. We’ll discuss the PasswordEncoder contract and the tools offered by the Spring Security Crypto module (SSCM) for the management of passwords.

4.1 Using password encoders

From chapter 3, you should now have a clear picture of what the UserDetails interface is, as well as multiple ways to use its implementations. But as you learned in chapter 2, different actors manage the user representation during the authentication and authorization processes. You also learned that some of these have defaults, like UserDetailsService and PasswordEncoder, and that you can override those defaults. We continue toward a deeper understanding of these beans and the ways to implement them; in this section, we analyze the PasswordEncoder. Figure 4.1 reminds you of where the PasswordEncoder fits into the authentication process.

Figure 4.1 The Spring Security authentication process. The AuthenticationProvider uses the PasswordEncoder to validate the user’s password in the authentication process.

4.1.1 The PasswordEncoder contract

4.1.2 Implementing your PasswordEncoder

4.1.3 Choosing from the provided PasswordEncoder implementations

4.1.4 Multiple encoding strategies with DelegatingPasswordEncoder

4.2 Take advantage of the Spring Security Crypto module

4.2.1 Using key generators

4.2.2 Encrypt and decrypt secrets using encryptors

4.3 Summary