Monday, November 29, 2010

Spring Security : Combining Basic and Form based Authentication

There are many use cases where you would want to combine both basic and form based authentication when using Spring Security. This was possible with earlier releases of Spring Security but a lot more involved. However, if you can wait for a couple of months for Spring Security 3.1.0 to be released, it can be done by defining multiple http elements in your Spring Security application context file. Multiple http elements couldn't be defined in Spring Security 3.0.X.

The use case we had was to support basic authentication for our REST services, and form based authentication for the same application with a WEB interface.

If you download the Spring Security 3.1.0 M1 release, the PDF also has an example with the same use case scenario.

Add the following http elements in your application context file, change the URL patterns accordingly and you are all set:

Isn't this so simple and easy? 

Thursday, November 4, 2010

Generating SHA256 passwords in Python

n my last post I had a small example showing how to secure your passwords using Spring Security 3.0.4. We needed a simple client written in Python to do the same from a command line. Of course, if you were using Java, it would have been four lines written in a simple Main class and you could run it in either Eclipse or NetBeans and get the hash of the password.

    public static String passwordEncoder(String plainText) {
        MessageDigest digest;
        try {
            digest = MessageDigest.getInstance("SHA-256");

            byte rawPassword[] = digest.digest(plainText.getBytes("UTF-8"));
            String hash = (new BASE64Encoder()).encode(rawPassword);
            return hash;
        } catch (Exception e) {
            return null;
Since we needed a simple command line utility to do the same, to write the same in Python was even more simpler. This example was run on my Ubuntu Virtual machine.

import getpass
from hashlib import sha256
import base64
    def main(self):
    def generate_hash_password(self):
        print "Enter password to hash :",
        password1 = getpass.getpass()
        print "Confirm :",
        password2 = getpass.getpass()
        if password1 == password2:
            print "Both passwords matched"
            hash = sha256(password1).digest()
            encoded = base64.b64encode(hash)
            print " SHA 256 base 64 encoded password ", ":", encoded
            print "Both passwords do not match"

if __name__ == "__main__":
        password_encoder = PASSWORD_ENCODER()
    except KeyboardInterrupt:

Now run this from a command line as shown below:

The getpass library doesn't echo the password on the command line. Simple and easy.

Wednesday, November 3, 2010

Spring Security 3.0.4 and PasswordEncoder

We needed to encode our passwords stored in a simple properties file using SHA 256, and also later base64 encode this hash. A few searches in the Spring documentation, and downloading the sources did the trick.
So, attached below are the configuration changes you need to make for the same:

Add the following entries to your Spring Application Context file:

The property encodeHashAsBase64 if enabled, will give us the base64 encoded string of the hash.  The should now have the username, based 64 encoded password, and all the roles associated to that user.

Simple , easy and elegant.

I will keep posting as and when I discover new things about Spring Security 3.0.4

Tuesday, November 2, 2010

Spring Security 3.0.4

I started using the latest Spring Security 3.0.4 for my current project. Spring Security is being used to secure our REST Services. I didn't find any good tutorials or samples on the web for this latest version.

With a lot of trial and error, I was finally able to get Authetication and Authorization working. Of course, I did read the SpringSecurity.pdf which comes with the download and worked on some samples before implementing the same in my project.

Have you used Spring Security, the latest version? Are there any books which cover this version? I did see "Spring in Action" for this new release. However, it is still in MEAP release.

Share your thoughts. I will write a detailed post of Securing REST with Spring Security.