I am working on a Spring-MVC application which uses Hibernate as the ORM and PostgreSQL as the database, in which I am looking for on-the-fly encryption decryption solution, but only for 2 columns in the database, the rest all can stay non-encrypted. I have a Person entity, which has a password and I am encrypting the password with BCrypt and saving them in database. I understand once the password is BCrypt encrypted I cannot decrypt it. I am planning to put an intermediate page temporarily where I would request the password once again and save it in some format which I can use for on the fly encryption-decryption.
If possible, I would like to use this password to encrypt/decrypt those 2 columns once the user logs in and does action on those 2 columns.
As I am using Spring-Security too, I am injecting the encoder bean so Spring-Security can login the user. Here is how I am saving the password and my security-application-context. As I am just starting with this problem, not that much progress to paste here :
Person model :
@Entity
@Table(name="person")
public class Person implements UserDetails{
@Id
@Column(name="id")
@GeneratedValue(strategy = GenerationType.SEQUENCE,generator = "person_seq_gen")
@SequenceGenerator(name = "person_seq_gen",sequenceName = "person_seq")
private int id;
@Valid
@Pattern(regexp = emailRegexp)
@Column(name = "username")
private String username;
@Valid
@NotEmpty(message = "Password may not be empty")
@Column(name = "password")
private String password;
// getters and setters ommitted }
PersonServiceImpl :
@Override
@Transactional
public boolean addPerson(Person p) {
Person existingUser = personDAO.findPersonByUsername(p.getUsername());
if(existingUser == null) {
this.personDAO.addPerson(p);
p.setAccountstatus(false);
p.setOnetimeemail(false);
p.setUsername(p.getUsername().toLowerCase());
// as you can see I am encrypting the password and saving in DB, I don't know how to access the plain password at this point to use in some algorithm for on-the-fly encryption/decryption
p.setPassword(BCrypt.hashpw(p.getPassword(), BCrypt.gensalt(11)));
p.setUsername(p.getUsername().toLowerCase());
this.personDAO.addPerson(p);
sendAccountActivationEmail(p.getUsername(), p.getFirstName());
return true;
} else {
return false;
}
}
Security-application-context.xml
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11" />
</beans:bean>
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="LoginServiceImpl"/>
<beans:property name="passwordEncoder" ref="encoder"/>
</beans:bean>
Any pointers, help would be nice. If there is anything unclear, kindly let me know. Thanks a lot.
Aucun commentaire:
Enregistrer un commentaire