I have an old application running in PHP that uses the function base64_encode(hash_hmac("sha512", $p_password, $p_salt, true)) to encode passwords in our database.
I am migrating this application to Java Spring Boot and want to encode the passwords during authentication in the exact same way.
I have found how to make the same hashing method with Java in this post Compute HMAC-SHA512 with secret key in java and I also learnt that we can have several password encoders for old and new users with https://spring.io/blog/2017/11/01/spring-security-5-0-0-rc1-released#constructing-delegatingpasswordencoder
But I still cannot find an example of how I can integrate this hashing method in the Spring authentication process. I have to create a PasswordEncoder bean and I don't know what to put inside.
I tried Pbkdf2PasswordEncoder because it can make some SHA-512 hash like in my app but I get the error Detected a Non-hex character at 1 or 2 position.
It is probably due to the fact that the passwords are not prefixed by {pbkdf2} in the database. The following code is what I am currently using as PasswordEncoder:

    @Bean
    public PasswordEncoder passwordEncoder() {
        Pbkdf2PasswordEncoder passwordEncoder = new Pbkdf2PasswordEncoder("salt");
        passwordEncoder.setAlgorithm(Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA512);
        return passwordEncoder;
    }

I need help to set up the right password encoder to use HMAC-SHA512 in my authentication process with Java Spring and, as a second step, combine it with BCryptPasswordEncoder (for new users) with DelegatingPasswordEncoder.
Maybe it requires updating the passwords in the DB to prefix them with the right encoder?
If my question is not accurate enough or missing information, please ask me for more details :)
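
One way to wire the scheme described in the question, as an added example that is not part of the original post: a custom PasswordEncoder that reproduces the PHP expression, plugged into DelegatingPasswordEncoder as the fallback for stored values that carry no {id} prefix. It assumes a single application-wide salt and UTF-8 password bytes; the class name, the delegating() factory and the "hmac-sha512" id are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class: reproduces base64_encode(hash_hmac("sha512", $p_password, $p_salt, true)).
public class LegacyHmacSha512PasswordEncoder implements PasswordEncoder {
    private final byte[] salt; // assumption: one application-wide salt, used as the HMAC key

    public LegacyHmacSha512PasswordEncoder(String salt) {
        this.salt = salt.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public String encode(CharSequence rawPassword) {
        try {
            Mac mac = Mac.getInstance("HmacSHA512");
            mac.init(new SecretKeySpec(salt, "HmacSHA512")); // PHP's third argument is the key
            byte[] digest = mac.doFinal(rawPassword.toString().getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest); // raw bytes, then standard Base64
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA512 unavailable", e);
        }
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        if (encodedPassword == null) return false;
        byte[] expected = encodedPassword.getBytes(StandardCharsets.UTF_8);
        byte[] actual = encode(rawPassword).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    // Hypothetical factory: bcrypt for new hashes, legacy HMAC for values without a {id} prefix.
    public static PasswordEncoder delegating(String legacySalt) {
        PasswordEncoder legacy = new LegacyHmacSha512PasswordEncoder(legacySalt);
        DelegatingPasswordEncoder delegating = new DelegatingPasswordEncoder("bcrypt",
                Map.of("bcrypt", new BCryptPasswordEncoder(), "hmac-sha512", legacy));
        delegating.setDefaultPasswordEncoderForMatches(legacy); // un-prefixed rows go here
        return delegating;
    }
}
```

A single HMAC-SHA512 pass is fast to brute-force offline, so re-encoding each password with the delegating encoder's encode() after a successful legacy match moves accounts to bcrypt over time.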