use of org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder in project entando-core by entando.
the class OAuthConsumerDAO method fillStatement.
private int fillStatement(ConsumerRecordVO consumer, int index, boolean add, PreparedStatement stat) throws SQLException {
int idx = index;
if (add || !StringUtils.isBlank(consumer.getSecret())) {
String encoded = new BCryptPasswordEncoder().encode(consumer.getSecret());
stat.setString(idx++, "{bcrypt}" + encoded);
}
stat.setString(idx++, consumer.getName());
stat.setString(idx++, consumer.getDescription());
stat.setString(idx++, consumer.getCallbackUrl());
stat.setString(idx++, consumer.getScope());
stat.setString(idx++, consumer.getAuthorizedGrantTypes());
if (null != consumer.getExpirationDate()) {
stat.setTimestamp(idx++, new Timestamp(consumer.getExpirationDate().getTime()));
} else {
stat.setNull(idx++, Types.TIMESTAMP);
}
if (add) {
Date now = new Date();
consumer.setIssuedDate(now);
stat.setTimestamp(idx++, new Timestamp(now.getTime()));
}
return idx;
}
use of org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder in project apollo by ctripcorp.
the class ApolloPasswordEncoderFactory method createDelegatingPasswordEncoder.
/**
* Creates a {@link DelegatingPasswordEncoder} with default mappings {@link
* PasswordEncoderFactories#createDelegatingPasswordEncoder()}, and add a placeholder encoder for
* oidc {@link PlaceholderPasswordEncoder}
*
* @return the {@link PasswordEncoder} to use
*/
@SuppressWarnings("deprecation")
public static PasswordEncoder createDelegatingPasswordEncoder() {
// copy from PasswordEncoderFactories, and it's should follow the upgrade of the PasswordEncoderFactories
String encodingId = "bcrypt";
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put(encodingId, new BCryptPasswordEncoder());
encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
encoders.put("scrypt", new SCryptPasswordEncoder());
encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
encoders.put("SHA-256", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));
encoders.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());
encoders.put("argon2", new Argon2PasswordEncoder());
// placeholder encoder for oidc
encoders.put(PlaceholderPasswordEncoder.ENCODING_ID, new PlaceholderPasswordEncoder());
DelegatingPasswordEncoder delegatingPasswordEncoder = new DelegatingPasswordEncoder(encodingId, encoders);
// todo: adapt the old password, and it should be removed in the next feature version of the 1.9.x
delegatingPasswordEncoder.setDefaultPasswordEncoderForMatches(new PasswordEncoderAdapter(encoders.get(encodingId)));
return delegatingPasswordEncoder;
}
use of org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder in project webofneeds by researchstudio-sat.
the class UserService method generateRecoveryKey.
/**
* Generates a new recovery key for the user
*/
@Transactional(propagation = Propagation.REQUIRED)
public String generateRecoveryKey(String email, String password) throws UserNotFoundException, IncorrectPasswordException {
logger.debug("changing password for user {}", email);
User user = getByUsernameWithKeystorePassword(email);
if (user == null) {
throw new UserNotFoundException("cannot generate recovery key: user not found");
}
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
if (!passwordEncoder.matches(password, user.getPassword())) {
throw new IncorrectPasswordException("cannot generate recovery key: incorrect password");
}
KeystorePasswordHolder keystorePasswordHolder = user.getKeystorePasswordHolder();
KeystoreHolder keystoreHolder = user.getKeystoreHolder();
String keystorePassword = keystorePasswordHolder.getPassword(password);
StringBuilder sb = new StringBuilder();
sb.append("MY__").append(randomStringGenerator.nextString(4)).append("_").append(randomStringGenerator.nextString(4)).append("_").append(randomStringGenerator.nextString(4)).append("_").append(randomStringGenerator.nextString(4)).append("__KEY");
String recoveryKey = sb.toString();
KeystorePasswordHolder recoverableKeystorePasswordHolder = new KeystorePasswordHolder();
recoverableKeystorePasswordHolder.setPassword(keystorePassword, recoveryKey);
keystorePasswordRepository.save(recoverableKeystorePasswordHolder);
user.setRecoverableKeystorePasswordHolder(recoverableKeystorePasswordHolder);
userRepository.save(user);
return recoveryKey;
}
use of org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder in project webofneeds by researchstudio-sat.
the class UserService method registerUser.
/**
* Registers the specified user with password and an optional role. Assumes
* values have already been checked for syntactic validity.
*
* @param email
* @param password
* @param role
* @throws UserAlreadyExistsException
* @return the created User
*/
public User registerUser(String email, String password, String role, String privateId) throws UserAlreadyExistsException {
User user = getByUsername(email);
if (user != null) {
throw new UserAlreadyExistsException();
}
try {
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
user = new User(email, passwordEncoder.encode(password), role);
user.setEmail(email);
if (privateId != null) {
user.setPrivateId(privateId);
}
// transfer only available when flag is set therefore we can just set
user.setAcceptedTermsOfService(true);
// this
// to true (i think)
KeystorePasswordHolder keystorePassword = new KeystorePasswordHolder();
// generate a password for the keystore and save it in the database, encrypted
// with a symmetric key
// derived from the user's password
keystorePassword.setPassword(KeystorePasswordUtils.generatePassword(KeystorePasswordUtils.KEYSTORE_PASSWORD_BYTES), password);
// keystorePassword = keystorePasswordRepository.save(keystorePassword);
// generate the keystore for the user
KeystoreHolder keystoreHolder = new KeystoreHolder();
try {
// create the keystore if it doesnt exist yet
keystoreHolder.getKeystore(keystorePassword.getPassword(password));
} catch (Exception e) {
throw new IllegalStateException("could not create keystore for user " + email);
}
// keystoreHolder = keystoreHolderRepository.save(keystoreHolder);
user.setKeystorePasswordHolder(keystorePassword);
user.setKeystoreHolder(keystoreHolder);
return save(user);
} catch (DataIntegrityViolationException e) {
// username is already in database
throw new UserAlreadyExistsException();
}
}
use of org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder in project webofneeds by researchstudio-sat.
the class UserService method changePassword.
/**
* Changes the specified user's password from old to new, changes user's key
* store password and invalidates all persistent logins.
*
* @param username
* @param newPassword
* @param oldPassword
* @throws UserNotFoundException when the private User is not found
* @throws KeyStoreIOException if something goes wrong loading or saving the
* keystore
* @throws IncorrectPasswordException if the old password is not the actual old
* password of the user
*/
@Transactional(propagation = Propagation.REQUIRED)
public User changePassword(String username, String newPassword, String oldPassword) throws UserNotFoundException, KeyStoreIOException, IncorrectPasswordException {
logger.debug("changing password for user {}", username);
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
User user = getByUsernameWithKeystorePassword(username);
if (user == null) {
throw new UserNotFoundException("cannot change password: user not found");
}
if (!passwordEncoder.matches(oldPassword, user.getPassword())) {
throw new IncorrectPasswordException("cannot change password: old password is incorrect");
}
KeystorePasswordHolder keystorePasswordHolder = user.getKeystorePasswordHolder();
String oldKeystorePassword = keystorePasswordHolder.getPassword(oldPassword);
logger.debug("re-encrypting keystore for user {} with new keystore password", username);
String newKeystorePassword = changeKeystorePassword(user, oldKeystorePassword);
// everything has worked so far, now make the changes
user.setPassword(passwordEncoder.encode(newPassword));
keystorePasswordHolder.setPassword(newKeystorePassword, newPassword);
user.setKeystorePasswordHolder(keystorePasswordHolder);
// we delete the recoverable keystore key as it will no longer work
user.setRecoverableKeystorePasswordHolder(null);
save(user);
logger.debug("password changed for user {}", username);
// persistent logins won't work any more as we changed the keystore password, so
// let's delete them
persistentLoginRepository.deleteByUsername(username);
return user;
}
Aggregations