Jump to content
  • Setting the password encryption algorithm to MD5 or SHA

    • Features: JasperReports Server, User Authorization Audience: Administrator, Developer, Systems Integrator Skill: Expert

    By default passwords are stored in the repository database with Triple DES encoding, thus the default passwordEncoder/passwordValidator is for Triple DES encoding. If you are authenticating from and external database and store passwords using MD5 or SHA here's how to configure JasperReports Server for those encryption algorithms:

    For pre-v5.1 versions the password encryption configuration is in .../jasperserver-pro/WEB-INF/applicationContext-security.xml. Starting with v5.1 the configuration moved one of two sample files located in jasperreports-server-5.x-bin/samples/externalAuth-sample-config, sample-applicationContext-externalAuth-db-mt.xml or sample-applicationContext-externalAuth-CAS-db-mt.xml (see External Database Authentication for complete documentation of current external database authentication). Prior to v5.1 the bean to configure was passwordEncoder, starting with v5.1 it is named passwordValidator. Other than the file and bean name changes the procedure is exactly the same. I'll describe >v5.1 procedure.

    Select one of the two sample configuration files, remove "sample-" from the file name and move it to the .../jasperserver-pro/WEB-INF folder. Search for the passwordValidator bean and comment it out. Copy and paste the appropriate MD5 or SHA passwordValitor bean and save the file. The configuration will look similar to this:

    <bean class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.db.MTExternalDaoAuthenticationProvider"       id="externalDaoAuthenticationProvider">    <property name="userDetailsService">        <ref bean="externalUserTenantDetailsService"></ref>    </property>    <property name="passwordValidator">        <ref local="passwordValidator"></ref>    </property></bean><!--  <bean id="passwordValidator"         class="com.jaspersoft.jasperserver.api.metadata.common.service.impl.PasswordValidator"         lazy-init="false">      <property name="keyInPlainText">          <value>false</value>      </property>      <property name="secretKey">          <value>0xC8 0x43 0x29 0x49 0xAE 0x25 0x2F 0xA1 0xC1 0xF2 0xC8 0xD9 0x31 0x01 0x2C 0x52 0x54 0x0B 0x5E 0xEA 0x9E 0x37 0xA8 0x61</value>      </property>      <property name="secretKeyAlgorithm">          <value>DESede</value>      </property>      <property name="cipherTransformation">          <value>DESede/CBC/PKCS5Padding</value>      </property>  </bean>--><!-- MD5 --><bean class="org.springframework.security.providers.encoding.Md5PasswordEncoder"      id="passwordValidator">    <property name="encodeHashAsBase64">        <value>false</value>    </property></bean><!-- or for SHA --><bean class="org.springframework.security.providers.encoding.ShaPasswordEncoder"       id="passwordValidator">    <property name="encodeHashAsBase64">        <value>false</value>    </property></bean>[/code]

    User Feedback

    Recommended Comments

    The default DES encryption is reversable which is really bad idea for password storage.  Has anyone had success moving to a form of encryption that is appropriate for passwords such as BCrypt, PDKDF2, or SCrypt?


    BCryptPasswordEncoder (https://docs.spring.io/spring-security/site/docs/4.2.4.RELEASE/apidocs/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html),

    Pbkdf2PasswordEncoder (https://docs.spring.io/spring-security/site/docs/4.2.4.RELEASE/apidocs/org/springframework/security/crypto/password/Pbkdf2PasswordEncoder.html)

    SCryptPasswordEncoder (https://docs.spring.io/spring-security/site/docs/4.2.4.RELEASE/apidocs/org/springframework/security/crypto/scrypt/SCryptPasswordEncoder.html)

    Link to comment
    Share on other sites

    This is now closed for further comments

  • Create New...