2
votes

I'm trying to configure my symfony2 application to use the sha512 password encoder with the in_memory security provider, but I can't get it to work. I am getting the infamous "Bad credentials" error on login. Unlike most questions here, I do not want to get users from any database. I do not want to use FOSUserBundle. All I want is simply to replace the plaintext passwords in my security.yml with sha512 hashes.

According to http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password this should be as simple as setting the encoder and replacing the plaintext password with the hash, so that is what I tried to do:

security.yml:

security:
    encoders:
        Symfony\Component\Security\Core\User\User: sha512

    providers:
        in_memory:
            memory:
                users:
                    admin: { password: $6$randomsalt$mbd3sS15ibE.W7hkLqfQ0LNEQsUod7BOUD67g/oIb8uhqGfyAzaga3vgGaRJZn67VdHHfn.tnkKY9ffDVXw3C., roles: [ 'ROLE_ADMIN' ] }

The password is "admin", the salt is "randomsalt" and the hash was generated by mkpasswd:

mkpasswd -m sha-512 admin randomsalt

Why is this not working? Does symfony2 expect the hash to be in some other format?

EDIT: things I've tried as well:

  • generating the hash through PHP using crypt($password, "$6$".$salt)
  • toggling encode_as_base64 true/false on the security encoder
  • specifying the number of iterations to use (default 5000)

Result is the same: "Bad credentials".

2
I'm not quite sure why you would use mkpasswd in this situation? Also, you might need to be using php and the sha512 function to generate the password hash, rather than calling mkpasswd? - tftd
I used mkpasswd as a quick way to generate default format hashes for testing. I have also tried with hashes generated by php: crypt($password, "$6".$salt) (comment edited for code brevity) - Rob

2 Answers

5
votes

After much trial and error, the only configuration I have been able to get working is the simplest case:

security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: sha512
            encode_as_base64: false
            iterations: 1

    providers:
        in_memory:
            memory:
                users:
                    admin: { password: c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec, roles: [ 'ROLE_ADMIN' ] }

That's a single sha512 iteration of the unsalted password obtained by echo -n admin | sha512sum or from any of the various online hash generators. I can't get it to work with anything created by PHP's standard crypt() or password_hash() functions. The docs don't specify a format. My app doesn't deal with users or passwords in any other way and I was rather hoping to use symfony's security component without writing custom user entities or password encoders. This is turning into an awful lot of work for what seems like a very basic thing.

1
votes

I found a solution which is not elegant but works and allows any number of iterations, unlike the accepted answer:

It uses the following class: Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder

In any Controller (or whatever php file) add the following code:

use Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder;

...

$messageDigestPasswordEncoder = new MessageDigestPasswordEncoder();
var_dump($messageDigestPasswordEncoder); // you'll see the default options (sha512, base64 output, 5000 iterations)
var_dump($messageDigestPasswordEncoder->encodePassword('Hello', '')); // output the encoded password

In your security.yml, add the following code:

security:
    encoders:
        Symfony\Component\Security\Core\User\User: sha512

    providers:
        admin:
            memory:
                users:
                    # password: Hello
                    test: { password: CYvx/IlZCmwdywJkE8X6FTAixdgaL1oq0u8Ij3o+2LIAyDkWHynQ5UCdWe78YQt5j4oMIIu7YjYYR2b3H7zbvg==, roles: 'ROLE_ADMIN' }
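The format that Symfony's MessageDigestPasswordEncoder actually expects, reimplemented in Python as an added example (this is not code from the question, the answers or Symfony itself; the function names are my own). It follows the encoder's encodePassword(): hash `password{salt}`, re-hash `digest || salted input` for the remaining iterations, then base64 or hex. It reproduces the accepted answer's single-iteration hex hash and shows why a `$6$salt$...` string from mkpasswd or crypt() can never match: that is sha512crypt, a different scheme the encoder never parses.

```python
import base64
import hashlib
import hmac

# Hash the accepted answer puts in security.yml: sha512, 1 iteration, no salt, hex.
ACCEPTED_ANSWER_HASH = ("c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd4"
                        "72634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec")


def symfony_message_digest(password, salt="", algorithm="sha512",
                           iterations=5000, encode_as_base64=True):
    """Mirror of MessageDigestPasswordEncoder::encodePassword() (Symfony 2.x).

    The defaults match the bare `sha512` encoder shorthand: base64 output, 5000 rounds.
    """
    if "{" in salt or "}" in salt:
        raise ValueError("salt must not contain '{' or '}'")
    # The salt is appended as password{salt}; an empty salt hashes the bare password.
    salted = (password + "{" + salt + "}" if salt else password).encode("utf-8")
    digest = hashlib.new(algorithm, salted).digest()
    # Stretching: every further round hashes the raw digest followed by the salted input.
    for _ in range(1, iterations):
        digest = hashlib.new(algorithm, digest + salted).digest()
    return base64.b64encode(digest).decode("ascii") if encode_as_base64 else digest.hex()


def is_password_valid(encoded, password, salt="", **options):
    """Constant-time comparison, as the encoder's isPasswordValid() does."""
    return hmac.compare_digest(symfony_message_digest(password, salt, **options), encoded)


def looks_like_crypt_hash(stored):
    """A `$6$salt$hash` value is sha512crypt output (mkpasswd, PHP crypt()); the
    message-digest encoder never parses that prefix, so it verifies against nothing."""
    return stored.startswith("$6$")


if __name__ == "__main__":
    accepted = dict(iterations=1, encode_as_base64=False)
    print(symfony_message_digest("admin", **accepted) == ACCEPTED_ANSWER_HASH)  # True
    # Second answer's case: encoder defaults, password "Hello", empty salt -> 88-char base64.
    print(symfony_message_digest("Hello"))
    print(looks_like_crypt_hash("$6$randomsalt$abc"))  # True (constructed value): never verifies
```

With iterations=1 and no salt this is plain unsalted SHA-512, so the accepted answer's configuration is fine for a test fixture but offers no protection against offline cracking; keep the default stretching and a per-user salt if the hash ever protects a real account.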