Examples with BCryptPasswordEncoder org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder used on opensource projects

Example 41 with BCryptPasswordEncoder

use of org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder in project webofneeds by researchstudio-sat.

the class UserService method useRecoveryKey.

/**
 * Uses the recoveryKey to unlock the keystore password, then generates a new
 * keystore password and if that all works, changes the user's password and
 * deletes the recovery key.
 */
@Transactional(propagation = Propagation.REQUIRED)
public User useRecoveryKey(String username, String newPassword, String recoveryKey) throws UserNotFoundException, KeyStoreIOException, IncorrectPasswordException {
    logger.debug("using recoery key to reset password for user {}", username);
    PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
    User user = getByUsernameWithKeystorePassword(username);
    if (user == null) {
        throw new UserNotFoundException("cannot change password: user not found");
    }
    KeystorePasswordHolder keystorePasswordHolder = user.getRecoverableKeystorePasswordHolder();
    String oldKeystorePassword = keystorePasswordHolder.getPassword(recoveryKey);
    logger.debug("re-encrypting keystore for user {} with new keystore password", username);
    String newKeystorePassword = changeKeystorePassword(user, oldKeystorePassword);
    user.setKeystorePasswordHolder(keystorePasswordHolder);
    user.getKeystorePasswordHolder().setPassword(newKeystorePassword, newPassword);
    // everything has worked so far, now we can also change the user's password
    user.setPassword(passwordEncoder.encode(newPassword));
    // we delete the recoverable keystore key as it will no longer work
    user.setRecoverableKeystorePasswordHolder(null);
    save(user);
    logger.debug("password changed for user {}", username);
    // persistent logins won't work any more as we changed the keystore password, so
    // let's delete them
    persistentLoginRepository.deleteByUsername(username);
    return user;
}

Example 42 with BCryptPasswordEncoder

use of org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder in project webofneeds by researchstudio-sat.

the class UserService method transferUser.

/**
 * Transfers the specific user to a non existant new user with password and an
 * optional role.
 *
 * @param newEmail
 * @param newPassword
 * @param privateUsername
 * @param privatePassword
 * @param role
 * @throws UserAlreadyExistsException when the new User already exists
 * @throws won.owner.service.impl.UserNotFoundException when the private User is
 * not found
 */
public User transferUser(String newEmail, String newPassword, String privateUsername, String privatePassword, String role) throws UserAlreadyExistsException, UserNotFoundException {
    User user = getByUsername(newEmail);
    if (user != null) {
        throw new UserAlreadyExistsException();
    }
    try {
        PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        User privateUser = getByUsernameWithKeystorePassword(privateUsername);
        if (privateUser == null) {
            throw new UserNotFoundException();
        }
        // change the username/email and keystorpw holder
        privateUser.setUsername(newEmail);
        privateUser.setPassword(passwordEncoder.encode(newPassword));
        privateUser.setEmail(newEmail);
        privateUser.setEmailVerified(false);
        privateUser.setPrivateId(null);
        // transfer only available when flag is set therefore we can
        privateUser.setAcceptedTermsOfService(true);
        // this to true (i think)
        if (role != null) {
            privateUser.setRole(role);
        }
        KeystorePasswordHolder privateKeystorePassword = privateUser.getKeystorePasswordHolder();
        String keystorePassword = privateKeystorePassword.getPassword(privatePassword);
        // ************************************************
        KeystorePasswordHolder newKeystorePassword = new KeystorePasswordHolder();
        // generate a newPassword for the keystore and save it in the database,
        // encrypted with a symmetric key
        // derived from the user's new password
        newKeystorePassword.setPassword(keystorePassword, newPassword);
        privateUser.setKeystorePasswordHolder(newKeystorePassword);
        // we delete the recoverable keystore key as it will no longer work
        privateUser.setRecoverableKeystorePasswordHolder(null);
        save(privateUser);
        return privateUser;
    } catch (DataIntegrityViolationException e) {
        throw new UserAlreadyExistsException();
    }
}

Example 43 with BCryptPasswordEncoder

use of org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder in project webofneeds by researchstudio-sat.

the class OwnerPersistenceTest method createUserWithAtom.

private void createUserWithAtom(URI atomUri, String email) {
    UserAtom a = new UserAtom();
    a.setUri(atomUri);
    a = userAtomRepository.save(a);
    String password = "password";
    String role = "SOMEROLE";
    PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
    User user = new User(email, passwordEncoder.encode(password), role);
    user.setEmail(email);
    // transfer only available when flag is set therefore we can just set
    user.setAcceptedTermsOfService(true);
    // this
    // to true (i think)
    KeystorePasswordHolder keystorePassword = new KeystorePasswordHolder();
    // generate a password for the keystore and save it in the database, encrypted
    // with a symmetric key
    // derived from the user's password
    keystorePassword.setPassword(KeystorePasswordUtils.generatePassword(KeystorePasswordUtils.KEYSTORE_PASSWORD_BYTES), password);
    // keystorePassword = keystorePasswordRepository.save(keystorePassword);
    // generate the keystore for the user
    KeystoreHolder keystoreHolder = new KeystoreHolder();
    try {
        // create the keystore if it doesnt exist yet
        keystoreHolder.getKeystore(keystorePassword.getPassword(password));
    } catch (Exception e) {
        throw new IllegalStateException("could not create keystore for user " + email);
    }
    // keystoreHolder = keystoreHolderRepository.save(keystoreHolder);
    user.setKeystorePasswordHolder(keystorePassword);
    user.setKeystoreHolder(keystoreHolder);
    user = userRepository.save(user);
    user.addUserAtom(a);
    user = userRepository.save(user);
}

Example 44 with BCryptPasswordEncoder

use of org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder in project tutorials by eugenp.

the class PasswordStorageWebSecurityConfigurer method passwordEncoder.

@Bean
public PasswordEncoder passwordEncoder() {
    // set up the list of supported encoders and their prefixes
    PasswordEncoder defaultEncoder = new StandardPasswordEncoder();
    Map<String, PasswordEncoder> encoders = new HashMap<>();
    encoders.put("bcrypt", new BCryptPasswordEncoder());
    encoders.put("scrypt", new SCryptPasswordEncoder());
    encoders.put("noop", NoOpPasswordEncoder.getInstance());
    DelegatingPasswordEncoder passwordEncoder = new DelegatingPasswordEncoder("bcrypt", encoders);
    passwordEncoder.setDefaultPasswordEncoderForMatches(defaultEncoder);
    return passwordEncoder;
}

Example 45 with BCryptPasswordEncoder

use of org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder in project spring-security by spring-projects.

the class DaoAuthenticationProviderTests method IGNOREtestSec2056.

/**
 * This is an explicit test for SEC-2056. It is intentionally ignored since this test
 * is not deterministic and {@link #testUserNotFoundEncodesPassword()} ensures that
 * SEC-2056 is fixed.
 */
public void IGNOREtestSec2056() {
    UsernamePasswordAuthenticationToken foundUser = new UsernamePasswordAuthenticationToken("rod", "koala");
    UsernamePasswordAuthenticationToken notFoundUser = new UsernamePasswordAuthenticationToken("notFound", "koala");
    PasswordEncoder encoder = new BCryptPasswordEncoder(10, new SecureRandom());
    DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
    provider.setHideUserNotFoundExceptions(false);
    provider.setPasswordEncoder(encoder);
    MockUserDetailsServiceUserRod userDetailsService = new MockUserDetailsServiceUserRod();
    userDetailsService.password = encoder.encode((CharSequence) foundUser.getCredentials());
    provider.setUserDetailsService(userDetailsService);
    int sampleSize = 100;
    List<Long> userFoundTimes = new ArrayList<>(sampleSize);
    for (int i = 0; i < sampleSize; i++) {
        long start = System.currentTimeMillis();
        provider.authenticate(foundUser);
        userFoundTimes.add(System.currentTimeMillis() - start);
    }
    List<Long> userNotFoundTimes = new ArrayList<>(sampleSize);
    for (int i = 0; i < sampleSize; i++) {
        long start = System.currentTimeMillis();
        assertThatExceptionOfType(UsernameNotFoundException.class).isThrownBy(() -> provider.authenticate(notFoundUser));
        userNotFoundTimes.add(System.currentTimeMillis() - start);
    }
    double userFoundAvg = avg(userFoundTimes);
    double userNotFoundAvg = avg(userNotFoundTimes);
    assertThat(Math.abs(userNotFoundAvg - userFoundAvg) <= 3).withFailMessage("User not found average " + userNotFoundAvg + " should be within 3ms of user found average " + userFoundAvg).isTrue();
}