Implement SHA-256 in token based Remember-Me services #10675
Conversation
A hashing algorithm property is added to TokenBasedRememberMeServices to choose which algorithm is used when creating new Remember Me tokens. This implementation is intended to preserve compatibility both with Remember Me tokens that do not specify a hashing algorithm, and with subclasses of TokenBasedRememberMeServices. Closes spring-projectsgh-8549
marcusdacoregio
added
status: duplicate
| * @return the {@link RememberMeConfigurer} for further customization | ||
| * @since 5.7 | ||
| */ | ||
| public RememberMeConfigurer<H> hashingAlgorithm(RememberMeHashingAlgorithm hashingAlgorithm) { |
There was a problem hiding this comment.
Since RememberMeServices can be constructed with relative ease, I'd recommend leaving this out of the DSL for the time being.
| @@ -1,5 +1,5 @@ | |||
| /* | |||
| * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited | |||
There was a problem hiding this comment.
The ones that say "Acegi Technology Pty Limited", we leave as-is
| * or, if a hashing algorithm is configured, the form: | ||
| * | ||
| * <pre> | ||
| * username + ":" + expiryTime + ":" + algorithmName + ":" |
There was a problem hiding this comment.
I wonder if this should be thought of in the same way as how Spring Security deals with passwords.
For example, you might consider having an algorithm-for-matches and an algorithm-for-encoding, both defaulting to MD5.
- When encoding, encode with the algorithm-for-encoding, adding the prefix either way (even if the app hasn't configured it directly)
- When decoding
** if there is no algorithm in the cookie, use the algorithm-for-matches
** if there is an algorithm in the cookie, use that algorithm
This will allow folks to safely upgrade to SHA-256 without losing their old MD5 hash cookies.
| * @param hashingAlgorithm the hashing algorithm to use in the Cookie value | ||
| */ | ||
| public TokenBasedRememberMeServices(String key, UserDetailsService userDetailsService, | ||
| RememberMeHashingAlgorithm hashingAlgorithm) { |
There was a problem hiding this comment.
I think that since this is an optional parameter, it would be ideal as a setter.
| @@ -1798,6 +1798,11 @@ Specifies the period in seconds for which the remember-me cookie should be valid | |||
| By default it will be valid for 14 days. | |||
|
|
|||
|
|
|||
| [[nsa-remember-me-hashing-algorithm]] | |||
| * **hashing-algorithm** | |||
There was a problem hiding this comment.
Likewise, would recommend that this be left out for now in favor of applications using services-ref.
marcusdacoregio
added
the
status: declined
Closes gh-8549