Example 11 with PasswordEncoder

use of org.springframework.security.crypto.password.PasswordEncoder in project spring-security by spring-projects.

The class DaoAuthenticationProviderTests, method testUserNotFoundNullCredentials.

```java
@Test
public void testUserNotFoundNullCredentials() {
    // Token for a user that does not exist, submitted with no password at all
    UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("missing", null);
    PasswordEncoder encoder = mock(PasswordEncoder.class);
    DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
    // Surface UsernameNotFoundException instead of masking it as BadCredentialsException
    provider.setHideUserNotFoundExceptions(false);
    provider.setPasswordEncoder(encoder);
    // The mock UserDetailsService only knows the user "rod"
    provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
    try {
        provider.authenticate(token);
        fail("Expected Exception");
    } catch (UsernameNotFoundException success) {
        // expected: the user does not exist
    }
    // With null credentials the encoder must never be asked to compare anything
    verify(encoder, times(0)).matches(anyString(), anyString());
}
```
Also used:
UsernameNotFoundException (org.springframework.security.core.userdetails.UsernameNotFoundException)
BCryptPasswordEncoder (org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)
ShaPasswordEncoder (org.springframework.security.authentication.encoding.ShaPasswordEncoder)
PasswordEncoder (org.springframework.security.crypto.password.PasswordEncoder)
UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken)
Test (org.junit.Test)

Example 12 with PasswordEncoder

use of org.springframework.security.crypto.password.PasswordEncoder in project spring-security by spring-projects.

The class DaoAuthenticationProviderTests, method IGNOREtestSec2056.

```java
/**
 * This is an explicit test for SEC-2056. It is intentionally ignored since this test
 * is not deterministic and {@link #testUserNotFoundEncodesPassword()} ensures that
 * SEC-2056 is fixed.
 */
// No @Test annotation: the method is deliberately not picked up by the test runner (see javadoc)
public void IGNOREtestSec2056() {
    // Same password for an existing user ("rod") and a non-existent one ("notFound")
    UsernamePasswordAuthenticationToken foundUser = new UsernamePasswordAuthenticationToken("rod", "koala");
    UsernamePasswordAuthenticationToken notFoundUser = new UsernamePasswordAuthenticationToken("notFound", "koala");
    // A real, deliberately slow encoder so that a skipped hash would be measurable
    PasswordEncoder encoder = new BCryptPasswordEncoder(10, new SecureRandom());
    DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
    provider.setHideUserNotFoundExceptions(false);
    provider.setPasswordEncoder(encoder);
    MockAuthenticationDaoUserrod userDetailsService = new MockAuthenticationDaoUserrod();
    // Store the stored-password form of "koala" so the found-user path performs a full match
    userDetailsService.password = encoder.encode((CharSequence) foundUser.getCredentials());
    provider.setUserDetailsService(userDetailsService);
    int sampleSize = 100;
    // Time the successful-authentication path
    List<Long> userFoundTimes = new ArrayList<Long>(sampleSize);
    for (int i = 0; i < sampleSize; i++) {
        long start = System.currentTimeMillis();
        provider.authenticate(foundUser);
        userFoundTimes.add(System.currentTimeMillis() - start);
    }
    // Time the user-not-found path
    List<Long> userNotFoundTimes = new ArrayList<Long>(sampleSize);
    for (int i = 0; i < sampleSize; i++) {
        long start = System.currentTimeMillis();
        try {
            provider.authenticate(notFoundUser);
            fail("Expected Exception");
        } catch (UsernameNotFoundException success) {
            // expected: the user does not exist
        }
        userNotFoundTimes.add(System.currentTimeMillis() - start);
    }
    // avg(...) is a helper defined elsewhere in this test class (not shown here)
    double userFoundAvg = avg(userFoundTimes);
    double userNotFoundAvg = avg(userNotFoundTimes);
    // Both paths should take about the same time, otherwise the response time leaks
    // whether the username exists
    assertThat(Math.abs(userNotFoundAvg - userFoundAvg) <= 3)
            .withFailMessage("User not found average " + userNotFoundAvg
                    + " should be within 3ms of user found average " + userFoundAvg)
            .isTrue();
}
```
Also used:
UsernameNotFoundException (org.springframework.security.core.userdetails.UsernameNotFoundException)
BCryptPasswordEncoder (org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)
ShaPasswordEncoder (org.springframework.security.authentication.encoding.ShaPasswordEncoder)
PasswordEncoder (org.springframework.security.crypto.password.PasswordEncoder)
ArrayList (java.util.ArrayList)
SecureRandom (java.security.SecureRandom)
UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken)
