0

EDIT: This issue turns out to have been user error, the passwords had been changed, so the hash was never going to match

I'm using a simple authentication in Spring 4.2.2's toolkit, using a DAO which reads a (Postgres) database table for user's name, password, and authorities

@EnableWebSecurity
@Configuration
class X extends WebSecurityConfigurerAdapter{

    ...
    @Autowired
    private SessionRegistry sessionRegistry;

    @Autowired
    private SessionAuthenticationStrategy sessionAuthenticationStrategy;


    @Override
    protected void configure(HttpSecurity http){
       http.sessionManagement().sessionAuthenticationStrategy(sessionAuthenticationStrategy).maximumSessions(1).sessionRegistry(sessionRegistry).expiredUrl("/login.jsp");

    //presumably unrelated additional code related to matchers, roles, https
    }

    @Bean
    public SessionRegistry sessionRegistry(){
        return new SessionRegistryImpl();
    }

    @Bean
    public SessionAuthenticationStrategy sessionAuthenticationStrategy(){
        return new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry);
    }

    @Bean 
    public PasswordEncoder passwordEncoder(){
       return new StandardPasswordEncoder();   
    }

   ...
}

Recently I restored an old copy of the database, the old database comes from a Redhat 6 server, the new one is CentOS 7, though realistically since this is all database backed, it shouldn't matter. The authentication portion of our code hasn't changed at all, but since I restored the database despite entering the correct credentials I get

BadCredentialsException: Bad credentials at 
org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:98) at
org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:165) at   org.springframework.security.authentication.ProvideManager.authenticate(ProviderManager.java:167) at
....

The rest of the stack trace is all more standard spring/catalina/java bits of the stack trace, nothing custom.

It's not expired, I've deleted cookies, it's not disabled....

This code hasn't changed in literal years neither have the backing database tables or Spring libraries. Debugging I can confirm that the correct user is retrieved by username as it goes towards authentication that the user object is correctly constructed with the password hash and authorities. Since so much of this is done by the default behavior of Spring classes, I can't step through very much of the code as it happens so it's very difficult to identify where the actual bad credentials have occurred and what the heck might have changed.

Googling around, I find many users have problems, but almost of them deal with initial bad configuration. This isn't such a problem, since this code used to work.

Are there any known gotchas related to Spring security that I might test?

Failing that, how can I triage this further?

Improve this question
2
  • May be helpful to mention the database product - e.g. MySQL, PostgreSQL, etc. Commented May 30, 2019 at 23:47
  • @Catchwa good thinking, Postgres for the record, I will edit as soon as I get back to a keyboard Commented May 31, 2019 at 1:20

1 Answer 1

Reset to default
1

Some more things to try:

  1. Verify that the database collation and character-set matches across both old and new environments
  2. Do you have a way within your application (or could you write some simple code to) reset a password then try and login with the newly-reset password (or just write some quick code to generate a new one that you know is correct and then set it directly against the database)? If that works, have a look at the format of the new password against the others in the database.
  3. Wire in your own custom DaoAuthenticationProvider that enables you to set a breakpoint (or just logs to the console/file) the generated vs. database password hash
  4. Implement your own custom StandardPasswordEncoder (from here), but again add more logging/breakpoints
Improve this answer
Sign up to request clarification or add additional context in comments.

10 Comments

Oh man I hope it's not as obnoxious as the default character encoding changed between two minor versions of the database, but it's a good thought
Confirmed both old and new are in UTF-8, so it's not a simple encoding issue
Recreating the user did do the job, unfortunately that's not a viable option because the cascading delete blew away too much of his original data.
Inserting myself into the process, It seems to be failing because it rejects teh hash, but unfortunately I can't see why. I assume it has something to do with the salt, but it's not clear to me why that would be true, since I thought the salt used was appended as the last few bytes of the hashcode
I'd suggest creating your own version of the StandardPasswordEncoder and add more debugging/logging elements: github.com/spring-projects/spring-security/blob/4.2.x/crypto/…
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.