I have a web application that was built on Spring Security 4.2.17 and uses Md5PasswordEncoder. I plan to upgrade it to Spring Security 5.3.3.RELEASE. I understand that Md5PasswordEncoder is removed from Spring Security 5.x. Let's put aside the strength of the MD5 algorithm. I would like to continue to use it, the exactly same way of how MD5 works in Spring 4.x. Here is how I use Md5PasswordEncoder in the app based on Spring Security 4.2.17:
Md5PasswordEncoder passwordEncoder = new Md5PasswordEncoder();
String encryptedPassword = passwordEncoder.encodePassword(plainTextPassword, salt);
I understand that in Spring Security 5.x, I can continue use MD5 in this way (I understand it is deprecated)
MessageDigestPasswordEncoder passwordEncoder = new MessageDigestPasswordEncoder("MD5");
However, I don't see a way to add the "salt" in encryption because this class (MessageDigestPasswordEncoder) does't seem to use "salt" the same way as in Spring 4.x.
Related
https://www.kb.cert.org/vuls/id/475445 has just been disclosed.
Is this impacting Spring Security SAML2?
I can't see the XML parser used on Spring Security SAML2 on the list of affected APIs.
Let us know.
I am the Spring Security project lead and I have verified that the exploit does not work against Spring Security SAML with the default settings. This was verified by a colleague as well.
If you change the default settings (set ignoreComments = false), your application becomes vulnerable.
Update: See https://spring.io/blog/2018/03/01/spring-security-saml-and-this-week-s-saml-vulnerability
Using Spring Boot, SpringMVC and Spring Security I can configure the security part of my Spring Boot app as follows: ...requestMatchers(EndpointRequest.to("status", "info")).....
Now I'm migrating from SpringMVC to Spring WebFlux. I see that I've to use pathMatchers() instead of requestMatchers. However, EndpointRequest is depending on HttpServletRequest (and thus on Spring MVC). Any hint is appreciated.
I'm just prototyping the migration from Spring MVC to Spring WebFlux using the latest milestone releases (also Spring Boot, Spring Data, and Spring Security). Using the Maven module spring-security-webflux I was able to setup BASIC authentication. However, I didn't find how to define a realm. Any hint is appreciated.
I'm in the process of moving my application from Spring Security's CAS client to JASIG's Java CAS client. This was due to our security group adding some custom functionality to the JASIG version.
I've seen on JASIG's website the examples of how to configure the CAS client using Spring's configuration. I've used this example:
https://wiki.jasig.org/display/CASC/Using+the+CAS+Client+3.1+with+Spring+Security
I'm using STS and it complains about numerous lines being incorrect or deprecated. Also, when using the spring security CAS client I configured my roles as part of the <sec:http> block using intercept-url tags like this:
<sec:intercept-url pattern="/api/**" access="hasAnyRole('ROLE_OPERATOR', 'ROLE_ADMINISTRATOR')" method="GET" />
However, in the example the roles are configured in the FilterSecurityInterceptor bean and while it uses the sec:intercept-url tags the expressions don't work.
I believe the issue is that the example is from an earlier version of spring security but I'm using a newer version.
Does anyone know of an updated version of the configuration for the above sample? I know I need to upgrade my config from what the example shows but I'm not a full time security guy, just a developer tasked with doing this move, so I don't live an breath this stuff every day. Any help would be greatly appreciated.
My env:
Spring Source Framework v3.2.2
Spring Security v3.1.4
JASIG CAS Client v3.2.1
-Richard Ward
We are using spring acegi security for user password encoding and authentication, in past we were using SHAPasswordEncoder but our need it to make it AES compliant, I don't find any AES PasswordEncoder in Spring acegi security, please suggest somebody if spring supports AES or it has some plan in future to support AES. Thanks, Shailendra Singh