Carl Sziebert » Spring Framework

Using Bcrypt with Spring Security

Carl Sziebert — Sun, 10 May 2009 00:03:36 +0000

Password security is a popular topic. The most basic tenant of password security is to have no password at all. Wait, what? That’s right, no password should be stored in your database, ever. Instead, store it as a hash, along with the salt, and throw the original password away. Ask 10 different developers, and I’ll bet that MD5 would be offered as the most popular solution for this problem. Though, if you’ve explored the linked content, you’ll have undoubtedly noticed that Bcrypt is mentioned more than a few times.

“Bcrypt is a cross platform file encryption utility. Encrypted files are portable across all supported operating systems and processors. Passphrases must be between 8 and 56 characters and are hashed internally to a 448 bit key. However, all characters supplied are significant. The stronger your passphrase, the more secure your data.”

For us Java developers, there’s jBCrypt. It is an “implementation of OpenBSD’s Blowfish password hashing code” and offers a rather simple API. A quick web search yields a bit of information on using jBCrypt itself, but nothing on integrating it with the Spring Framework. Given that this is a topic of interest to me, I’ve put together a simple, yet comprehensive example web application to demonstrate an integration of jBCrypt, Spring MVC, Spring Security and Hibernate for hashing user passwords. There are three areas I’ve focused on in this example, user creation, user authentication and changing the user’s password.

Unlike other solutions, jBCrypt is surprisingly easy to use. When a new user registers for our simple application, the password is hashed using BCrypt.hashpw(rawPass, salt). You, the developer, are given a choice of providing a salt or generating a random salt with BCrypt.gensalt(). I’ve chosen to use a random salt for each hash, increasing the strength of the solution. Here’s a look at the code responsible for creating the new User object.

JoinController.java

@Controller
public class JoinController {
    ...
    @RequestMapping(value = "/join.do", method = RequestMethod.POST)
    public String processSubmit(@ModelAttribute("form") JoinForm form, BindingResult result) {
        logger.debug("Processing join form.");
        new JoinFormValidator().validate(form, result);
        if (!result.hasErrors()) {
            User user = new User(
                    form.getUsername(),
                    BCrypt.hashpw(form.getPassword(), BCrypt.gensalt()),
                    form.getEmail());
            service.create(user);
            return "join-success";
        }
        return "join";
    }
    ...
}

The astute observer might note that I could have used a Hibernate Interceptor to hash the password when the User is inserted into the database. And while that is a valid solution, I prefer to get rid of the original password sooner and keep the hashing routine along side the User creation code.

User authentication with Spring Security needs to use a PasswordEncoder implementation to hash and validate the supplied password. This is straight forward to do as is demonstrated in the example application.

BCryptPasswordEncoder.java

public class BCryptPasswordEncoder implements PasswordEncoder {

    public String encodePassword(String rawPass, Object salt) throws DataAccessException {
        logger.debug("Encoding password.");
        return BCrypt.hashpw(rawPass, BCrypt.gensalt());
    }

    public boolean isPasswordValid(String encPass, String rawPass, Object salt) throws DataAccessException {
        logger.debug("Validating password.");
        return BCrypt.checkpw(rawPass, encPass);
    }
}

As you can see, there really isn’t much to this. You’ll need to instruct Spring Security to use your PasswordEncoder by adding a bean definition and dependency to your context configuration file.

spring-security.xml

Changing the user’s password is no different, though it does have two parts to get it right. Because we require the user to supply their original password before updating it, we need to insure the input is correct.

ChangePasswordFormValidator.java

public class ChangePasswordFormValidator implements Validator {
    ...
    public void validate(Object obj, Errors errors) {
        logger.debug("Validating change password form.");
        ChangePasswordForm form = (ChangePasswordForm) obj;
        ...
        // Insure the specified original password actually matches the performer's current password.
        if (isNotBlank(form.getPassword())) {
            if (!BCrypt.checkpw(form.getOriginal(), user.getPassword())) {
                errors.rejectValue("original", "error.original.password.mismatch");
            }
        }
    }
}

Once the original validates correctly, we can then update the database with the a new hash. Like the previous examples, this is trivial to accomplish.

ChangePasswordController.java

@Controller
public class ChangePasswordController {
    ...
    @RequestMapping(value = "/password.do", method = POST)
    public String processSubmit(HttpServletRequest request,
                                @ModelAttribute("form") ChangePasswordForm form,
                                BindingResult result) {
        logger.debug("Processing change password form.");
        User user = service.findByUsername(getCurrentUsername());
        new ChangePasswordFormValidator(user).validate(form, result);
        if (!result.hasErrors()) {
            user.setPassword(BCrypt.hashpw(form.getPassword(), BCrypt.gensalt()));
            service.update(user);
            request.getSession().setAttribute("message", "You have successfully changed your password.");
            return "redirect:/home.do";
        }
        return "change-password";
    }
    ...
}

As with all of my posts, I invite you to download the example application and give it a try. Make sure that you’ve got all of the dependencies and have compiled the source by running ant compile. Let me know if you’ve got questions or feedback.

The example source code for this post can be downloaded here.

Red5 + Hibernate Revisited

Carl Sziebert — Fri, 30 Jan 2009 22:13:06 +0000

It’s hard to believe that I wrote the first version of this tutorial almost a year and a half ago. That’s too long to wait for an update in my opinion and is much needed in this case. My apologies for not tending to the garden sooner. While the original article illustrated a simple method for integrating Red5[1] and Hibernate[2], by today’s standards it’s design is overly verbose and somewhat out of fashion. Not to mention the 3 major components used in this tutorial have all gone through major revisions. The primary goal for this iteration was simplification of the code as well as the XML configuration elements and results in a smaller code footprint. This is a big win in my book.

*Note: If you are not familiar with my first post on this topic, please give it a read before continuing here.

Getting started, the only item left untouched by the refactoring is the User object. Given that I originally defined the class using the Hibernate annotations there is nothing to change other than to use the annotation based SessionFactory by default. I should note that the Hibernate mapping (HBM) file for the User object no longer exists in the source tree.

User.java

@Entity
@Table(name = "users")
public class User {

    @Id
    @GeneratedValue
    @Column(name = "id", nullable = false)
    private Long id;

    @Column(name = "user_name", nullable = false, length = 32, unique = true)
    private String userName;

    @Column(name = "password", nullable = false)
    private String password;

    @Column(name = "first_name", length = 64)
    private String firstName;

    @Column(name = "last_name", length = 64)
    private String lastName;

    @Column(name = "email", nullable = false)
    private String email;

    ...
}

HibernateApplicationDAO has been given a new name and is now HibernateApplicationRepository. This is one of the biggest changes here and removes the dependency on Spring’s HibernateTemplate. HibernateTemplate was originally created to work around the limitations of Hibernate 2′s usage of checked exceptions. Because Hibernate now uses unchecked runtime exceptions, it is no longer necessary. Injection of the SessionFactory into the repository object gives us direct access to the current HibernateSession. The @Repository annotation has been added to support transactions and persistence exception translation.

HibernateApplicationRepository.java

@Repository
public class HibernateApplicationRepository implements ApplicationRepository {

    private static final Logger logger = Red5LoggerFactory.getLogger(HibernateApplicationRepository.class, "hibernate");

    private SessionFactory sessionFactory;

    public User getUser(String user, String pass) {
        logger.debug("Retrieving user from the database.");
        // Ask Hibernate to query for the user based upon the specified user/pass.
        Criteria crit = sessionFactory.getCurrentSession().createCriteria(User.class);
        crit.add(Restrictions.eq("userName", user));
        crit.add(Restrictions.eq("password", pass));
        User u = (User) crit.uniqueResult();
        // Insure that we got something back from Hibernate.
        if (null == u) {
            logger.warn("User does not exist for credentials: {}/{}", user, pass);
            throw new ObjectRetrievalFailureException(User.class, user);
        }
        // Return the results.
        return u;
    }

    @Required
    public void setSessionFactory(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;
    }
}

ApplicationServiceImpl is now annotated with the @Service and @Transactional annotations. With these annotations, we no longer need to proxy ApplicationServiceImpl and can eliminate several lines of XML in the configuration file while maintaining full transaction support.

ApplicationServiceImpl.java

@Service
@Transactional
public class ApplicationServiceImpl implements ApplicationService {

    private static final Logger logger = Red5LoggerFactory.getLogger(ApplicationServiceImpl.class, "hibernate");

    private ApplicationRepository repository;

    @Transactional(readOnly = true)
    public User getUser(String user, String pass) throws ServiceException {
        logger.debug("Looking up user for user/pass of: {}/{}", user, pass);
        try {
            // Return the result of the data access call.
            return repository.getUser(user, pass);
        }
        catch (Exception e) {
            logger.error("Could not load user with credentials: {}/{}", user, pass);
            throw new ServiceException("Could not load user!", e);
		}
	}

    @Required
    public void setApplicationRepository(ApplicationRepository repository) {
        this.repository = repository;
    }
}

As you can see from the following bean declaration, we’ve cut down on the XML configuration significantly by taking advantage of these annotations.

red5-web.xml

For the sake of direct comparison, here is the original bean declaration:

red5-web.xml

    
        
    

    
        
            
        
        
            
                PROPAGATION_REQUIRED,readOnly
                PROPAGATION_REQUIRED
                PROPAGATION_REQUIRED
                PROPAGATION_REQUIRED

All classes now use the improved Red5 logging support which is backed by SLF4J and Logback by default. Here is an example from the ApplicationAdapter subclass:

Application.java

public class Application extends ApplicationAdapter {

    private static final Logger logger = Red5LoggerFactory.getLogger(Application.class, "hibernate");

    private ApplicationService service;

    /* ----- ApplicationAdapter delegate methods ----- */

    @Override
    public boolean roomConnect(IConnection conn, Object[] params) {
        logger.debug("New connection attempt from {}...", conn.getRemoteAddress());
        // Parse the user/pass out of the connection parameters
        String userName = (String) params[0];
        String password = (String) params[1];
        // Get the User object for this connection
        User user = null;
        // Insure that we have received the proper set of parameters.
        if (isNotBlank(userName) &&
                isNotBlank(password)) {
            user = authenticate(userName, password);
        }
        // If we got a valid user object, then allow the connection. Otherwise,
        // the user could not be found or something bad happened. In either
        // case, we do not want to allow the connection.
        return user != null && super.roomConnect(conn, params);
    }

    ...
}

The flash client code has been rewritten entirely in ActionScript 3 and was reduced down to a single class for the entire application. For those of you following along with the source, you’ll note that there are actually 2 classes. The second one is a simple dynamic class used to store runtime related resources and could be easily removed from the implementation. It was a design decision on my part to keep it. ActionScript 3 is much more object-oriented than it’s predecessor and leverages the new keyword for constructing components.

Hibernate.as

package net.sziebert.tutorials {

	import com.adobe.crypto.MD5;

	import fl.controls.Button;
	import fl.controls.Label;
	import fl.controls.TextArea;
	import fl.controls.TextInput;
	import fl.managers.StyleManager;
	import flash.display.Sprite;
	import flash.display.StageAlign;
	import flash.display.StageScaleMode;
	import flash.events.Event;
	import flash.events.MouseEvent;
	import flash.events.NetStatusEvent;
	import flash.events.SecurityErrorEvent;
	import flash.net.NetConnection;
	import flash.net.ObjectEncoding;
	import flash.net.registerClassAlias;
	import flash.text.TextFieldAutoSize;
	import flash.text.TextFormat;

	import net.sziebert.tutorials.Runtime;

	public class Hibernate extends Sprite {

		private var connect:Button;
		private var pass:TextInput;
		private var passLbl:Label;
		private var runtime:Runtime;
		private var textArea:TextArea;
		private var user:TextInput;
		private var userLbl:Label;

		public function Hibernate():void {
			trace("Starting Hibernate application...");
			runtime = Runtime.getInstance();
			stage.align = StageAlign.TOP_LEFT;
			stage.scaleMode = StageScaleMode.NO_SCALE;
			stage.addEventListener(Event.RESIZE, onResize);
			createChildren();
		}

		/* ----- Utility functions ----- */

		private function createChildren():void {
			// Create the username label.
			userLbl = new Label();
			userLbl.text = "Username:";
			userLbl.autoSize = TextFieldAutoSize.LEFT;
			addChild(userLbl);
			// Create the username input field.
			user = new TextInput();
			user.maxChars = 255;
			user.restrict = "A-Za-z 0-9:;()|.,?!$&*{}[]+=_-'"";
			addChild(user);
			// Create the password label,
			passLbl = new Label();
			passLbl.text = "Password:";
			passLbl.autoSize = TextFieldAutoSize.LEFT;
			addChild(passLbl);
			// Create the password input field.
			pass = new TextInput();
			pass.maxChars = 255;
			pass.displayAsPassword = true;
			addChild(pass);
			// Create the connect button.
			connect = new Button();
			connect.label = "Connect";
			connect.addEventListener(MouseEvent.CLICK, onClick);
			addChild(connect);
			// Create the text area to display the log information.
			textArea = new TextArea();
			textArea.editable = false;
			textArea.wordWrap = true;
			addChild(textArea);
			// Remove the avatar.
			removeChildAt(0);
			// Size the elements.
			setSize(stage.stageWidth, stage.stageHeight);
		}

		private function setSize(w:Number, h:Number):void {
			// Move and size the username components
			userLbl.move(18, 18);
			//userLabel.setSize(50, 22);
			user.move(96, 18);
			user.setSize((w - 226), 22);
			// Move and size the password components
			passLbl.move(18, 50);
			//passLabel.setSize(50, 22);
			pass.move(96, 50);
			pass.setSize((w - 226), 22);
			// Move and size the connect button
			connect.move(w - 118, 18);
			connect.setSize(100, 54);
			// Move and size the textarea
			textArea.move(18, 82);
			textArea.setSize((w - 36), (h - 100));
		}

		private function initConnection(username:String, password:String):void {
			if (username == "" || password == "") {
				throw new Error("You must enter a valid username and/or password.");
			}
			// Create the new connection object.
			runtime.conn = new NetConnection();
			runtime.conn.addEventListener(NetStatusEvent.NET_STATUS, onNetStatus);
			runtime.conn.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onSecurityError);
			log("Connecting to Red5...");
			runtime.conn.connect("rtmp://localhost/hibernate/test", username, MD5.hash(password));
		}

		private function log(msg:String):void {
			// Update the chat window with the message
			textArea.text += (msg + "n");
			textArea.verticalScrollPosition = textArea.maxVerticalScrollPosition;
		}

		/* ----- Event handlers ----- */

		private function onResize(event:Event):void {
			setSize(stage.stageWidth, stage.stageHeight);
		}

		private function onClick(event:MouseEvent):void {
			var button:Button = event.target as Button;
			// We are currently connected, so disconnect.
			if (runtime.conn && runtime.conn.connected) {
				runtime.conn.close();
				return;
			}
			try {
				// Initialize the connection
				initConnection(user.text, pass.text);
			} catch (err:Error) {
				// Otherwise we need to show an alert indicating the need for proper user input.
				log("Error: You must enter a valid username and/or password.");
			}
		}

		private function onNetStatus(event:NetStatusEvent):void {
			trace("onNetStatus: " + event.info.code);
			switch (event.info.code) {
			        case "NetConnection.Connect.Success":
					log("Connection attempt successful.");
					connect.label = "Disconnect";
                                        break;
				case "NetConnection.Connect.Rejected":
					log("Connection attempt rejected.");
					break;
				case "NetConnection.Connect.Closed":
					log("Connection closed.");
					connect.label = "Connect";
					break;
				case "NetConnection.Connect.Failed":
					log("Connection failure.");
					break;
		        }
		}

		private function onSecurityError(event:SecurityErrorEvent):void {
        		trace("onSecurityError: " + event);
        	}
	}
}

Lastly, the tutorial now relies upon Ant and Ivy to define and retrieve the necessary dependencies. There’s nothing terribly magical about it, the build script should take care of everything for you. Keep in mind that the Red5 JAR dependency is pulled directly from the continuous integration server and should be up to date with the latest found in the Subversion repository at googlecode. If you aren’t running on the latest from trunk, you should strongly consider replacing this JAR with the one found in your Red5 install.

ivy.xml

That covers the significant changes to the tutorial code. As with the first version, you’ll need to configure MySQL to allow Red5 to talk to it. (Notes on this can be found in the README file with the examples.) You’ll also need to add your user data to the tables once Hibernate has generated the schema.

The example source code for this post can be downloaded here.

1. http://osflash.org/red5 For those that aren’t up on Red5, it is a robust Flash Media Server alternative written entirely in Java that supports multi-user video chat, video streaming and real-time, multi-player gaming.

2. http://hibernate.org Hibernate lets you develop persistent classes following object-oriented idiom – including association, inheritance, polymorphism, composition, and collections. It allows you to express queries in its own portable SQL extension (HQL), as well as in native SQL.

3. http://springframework.org Spring is a layered Java/JEE application framework founded on the simple concepts that any tool should be a pleasure to use, that your application code should not depend on Spring APIs and that it should not compete with existing solutions, but should foster integration.

4. http://mysql.com The MySQL database has become the world’s most popular open source database because of its consistent fast performance, high reliability and ease of use.

RESTful URLs with Spring MVC and UrlRewriteFilter

Carl Sziebert — Fri, 29 Aug 2008 23:05:00 +0000

While Spring 3.0 promises to support REST style URLs out of the box, it won’t ship until sometime later this year. Spring 3.0 M1 will offer this functionality for anyone brave enough to work with potentially unstable technologies and should be available soon. And while this is good news for those starting out on new projects (or those willing to undergo a significant refactoring), most won’t want to migrate their applications just for RESTful URLs. All hope is not lost though, thanks to Paul Tuckey’s UrlRewriteFilter.

With this short tutorial, I’ll demonstrate how easy it is to configure UrlRewriteFilter for use within your Spring MVC application. I should mention that this technique will work well for just about any Java-based web framework, like JSF or Struts.

For those of you that want to skip to the end, I’ve created a small, functional sample application which demonstrates the techniques described in this tutorial. It can be downloaded here.

Getting started, we need to register the filter within our application’s web.xml file.

web.xml

    
    
        UrlRewriteFilter
        
            org.tuckey.web.filters.urlrewrite.UrlRewriteFilter
        
        
            logLevel
            WARN
        
    

    
    
        UrlRewriteFilter
        /*

That out of the way, we can dig into the application itself. Let’s review an example controller class as it might exist in your application today.

SprocketsController.java

@Controller
public class SprocketsController {

    private final SprocketService service;

    @Autowired
    public SprocketsController(SprocketService service) {
        this.service = service;
    }

    @RequestMapping("/sprockets/list.do")
    public String list(ModelMap model) {
        model.addAttribute("sprockets", service.list());
        return "sprocket/list";
    }

    @RequestMapping("/sprocket/display.do")
    public String display(@RequestParam("sprocketId") int sprocketId, ModelMap model) {
        model.addAttribute("sprocket", service.find(sprocketId));
        return "sprocket/display";
    }

    @RequestMapping("/sprocket/edit.do")
    public String edit(@RequestParam("sprocketId") int sprocketId, ModelMap model) {
        model.addAttribute("sprocket", service.find(sprocketId));
        return "sprocket/edit";
    }
}

Our controller contains actions for displaying a list of sprockets, drilling down into each sprocket’s details and editing an individual sprocket. Each action is mapped to a URI path via the @RequestMapping annotation and, as you can see, all three defined here handle requests mapped to the *.do extension. The beauty of the solution I’m demonstrating here is that you should not need to make any changes to your application code at all. That in mind, let’s move on to the interesting part, configuring our application to respond to a REST style URL like http://localhost:8080/sprocket/1234/edit instead of what we’ve got now: http://localhost:8080/sprocket/edit.do?sprocketId=1234. You’ll need to create a new configuration file named urlrewrite.xml and make it available on the classpath. (For those with a distaste for XML based configuration, the latest version of the filter offers a means to generate the configuration via annotations. Details on that can be found here.) We’ll start our configuration by defining a few rules to handle the incoming requests.

urlrewrite.xml

    
        ^/sprockets/$
        /sprockets/list.do
    
    
        ^/sprocket/([a-z0-9]+)/$
        /sprocket/display.do?sprocketId=$1
    
    
        ^/sprocket/([a-z0-9]+)/edit$
        /sprocket/edit.do?sprocketId=$1

Let’s take a look at what each one of these rules does. The first rule states that the UrlRewriteFilter should transparently forward each request for http://localhost:8080/sprockets/ to the existing application URL of http://localhost:8080/sprockets/list.do. The second and third rules handle the display and edit requests. These 2 rules define simple regular expressions that are parsed out and appended to the destination URI as query string parameters. If you have more than 1 query string parameter, you’ll need to use & XML entity. (It should be noted that you can use wildcard matching (*) instead, however it lacks some of the flexibility offered by regular expressions.)

That takes care of the inbound URLs, but we still have a problem. Within our application, we have a number of links which point to the old URL structure. No worries, UrlRewriteFilter tackles this issue with ease. By examining the response, the filter can rewrite the existing links defined within anchor tags, i.e. Return to the list.. Let’s take a look at the rule definitions to handle this.

urlrewrite.xml

    
        ^/sprockets/list.do$
        /sprockets/
    
    
        ^/sprocket/display.do\?sprocketId=([a-z0-9]+)$
        /sprocket/$1/
    
    
        ^/sprocket/edit.do\?sprocketId=([a-z0-9]+)$
        /sprocket/$1/edit

More or less, these outbound rules are just the inverse of the inbound rule definitions. All it takes is a simple regular expression to parse out the sprocketId. One common gotcha to note here is that you need to add the \ character before the start of the query string marked by the question mark. If you don’t do this, the filter won’t be able to process your links.

Pretty easy, right? With your rules in place, fire up your application and give it a try. You can always examine the status of the filter by visiting http://127.0.0.1:8080/rewrite-status. If you’re a bit hesitant to try this out on your own app, fret not, I’ve created a simple, yet functional sample application which you can use to experiment with.

The example source code can be downloaded here.