BCRYPT won't validate PHP generated passwords


Christian Axel Schmidt Dick

Oct 2, 2017, 4:29:06 AM
to CAS Community
Hi there,

I have an issue between CAS and Moodle (a PHP LMS) where the passwords generated by PHP are encrypted with the fixed version of Blowfish ($2y...), but in CAS 5.1.x, which uses Spring Security, the Blowfish version is not the fixed one ($2a...). Therefore I can't validate users. A manual fix is to change the $2y to $2a in the password, and this works. The problem is that this can't be implemented. I've been trying to replace the Spring Security BCrypt library with the jBCrypt library, but I am new to the Spring Framework and can't make it work. I tried adding it as a dependency in the project file and in the CAS config as a custom password encoder, but no luck. What would be the best way to solve this? What is your advice, and how should I proceed?
I am using CAS overlay 5.1.4

Thanks in advance,
Christian


cas.authn.jdbc.query[0].sql=SELECT * FROM user WHERE username=?
cas.authn.jdbc.query[0].url=jdbc:mysql://localhost:3306/db
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.jdbc.query[0].user=root
cas.authn.jdbc.query[0].password=password
cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.jdbc.query[0].fieldPassword=password
cas.authn.jdbc.query[0].autocommit=false
cas.authn.jdbc.query[0].passwordEncoder.type=org.mindrot.jbrcypt
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=BLOWFISH
cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8

Attachment: pom.xml

Sandor Juhasz

Oct 3, 2017, 4:56:06 AM
to CAS Community
Hey,

We had the exact same issue.

You can create an SQL view altering the given field.

I would be interested as well in a general fix.

Christian Axel Schmidt Dick

Oct 3, 2017, 5:37:51 AM
to CAS Community
Hi Sandor,

Yes, I am working on a workaround by creating a new table with usernames and passwords, and triggers that replace strings in the passwords. I will post the solution when done.

CREATE TRIGGER CopyNewUser
AFTER INSERT ON m_user
FOR EACH ROW
  INSERT INTO cas_user (id, username, password, firstname, lastname)
  VALUES (NEW.id, NEW.username, REPLACE(NEW.password, '$2y$10$', '$2a$10$'), NEW.firstname, NEW.lastname);


Cheers,
Christian

Sandor Juhasz

Oct 3, 2017, 6:19:55 AM
to cas-...@apereo.org
Hi,

I have a workaround like this, without altering PHP-related data. I was hoping more for a jBCrypt update.
Here is ours:

CREATE VIEW <DB>.<CAS_USER_TABLE> AS
  SELECT id, email, id AS uid, CONCAT('$2a', SUBSTRING(password FROM 4)) AS password
  FROM <DB>.<ORIGINAL_USER_TABLE>
  WHERE password IS NOT NULL;


--
Sándor Juhász
System Administrator
ChemAxon Ltd.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f7623b25-b25e-49d9-899b-1345287bdb09%40apereo.org.

Christian Axel Schmidt Dick

Oct 3, 2017, 7:43:23 AM
to CAS Community
Hi,

Yes, I was also expecting some help with a custom password encoder, or with making Spring Security use the jBCrypt library, because I am too much of a newbie with both CAS and Spring.

Christian Axel Schmidt Dick

Oct 11, 2017, 9:43:00 AM
to CAS Community
Hi Sandor, 

I've coded a better approach: I created my own custom password encoder class, where I still replace "$2y$" with "$2a$" before checking the password. The attached file should be placed at cas-overlay/src/main/java/org/defrox/bcrypt, and the parameter should be set to cas.authn.jdbc.query[0].passwordEncoder.type=org.defrox.bcrypt.BCryptPasswordEncoder

Enjoy!


On Tuesday, 3 October 2017 at 12:19:55 (UTC+2), Sandor Juhasz wrote:

Attachment: BCryptPasswordEncoder.java
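An encoder-side version of the fix, written here as an added example; it is not the attached BCryptPasswordEncoder.java and not CAS project code. It assumes the Spring Security core jar that the CAS 5.1 overlay already has on its classpath, and a hypothetical package org.example.cas; the class is registered with CAS by pointing cas.authn.jdbc.query[0].passwordEncoder.type at its fully qualified name. Unlike the database-side workarounds in this thread it leaves the Moodle table untouched and handles any cost factor, not only 10. It goes slightly beyond the post in also accepting the OpenBSD "$2b$" label and in rejecting values that are not bcrypt hashes at all instead of handing them to the delegate. The prefix rewrite is legitimate only because "$2y$" and "$2b$" hashes are computed exactly like a correct "$2a$" hash; the letters mark fixed implementation bugs, not a different algorithm, which is also why the manual $2y-to-$2a edit in the first post works.

```java
package org.example.cas; // hypothetical package; put the file under src/main/java in the CAS overlay

import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * PasswordEncoder for CAS that accepts PHP-style "$2y$" (and OpenBSD "$2b$")
 * bcrypt hashes by relabelling them "$2a$" before delegating to Spring
 * Security's BCryptPasswordEncoder, which in the Spring Security 4.x shipped
 * with CAS 5.1 only parses the "$2a$" revision.
 *
 * Register in cas.properties with
 *   cas.authn.jdbc.query[0].passwordEncoder.type=org.example.cas.Bcrypt2yPasswordEncoder
 */
public class Bcrypt2yPasswordEncoder implements PasswordEncoder {

    // Modular crypt format for bcrypt: $2<rev>$<cost>$<22 salt chars><31 digest chars>
    private static final Pattern BCRYPT =
            Pattern.compile("\\A\\$2([aby])\\$(\\d\\d)\\$[./A-Za-z0-9]{53}\\z");

    private final BCryptPasswordEncoder delegate = new BCryptPasswordEncoder();

    /** Rewrites the revision label to "$2a$"; returns null for anything that is not a bcrypt hash. */
    static String normalize(String stored) {
        if (stored == null || !BCRYPT.matcher(stored).matches()) {
            return null;
        }
        // Drop "$2y$" / "$2b$" / "$2a$" (4 chars) and re-add the label the delegate understands.
        return "$2a$" + stored.substring(4);
    }

    @Override
    public String encode(CharSequence rawPassword) {
        // Produces a "$2a$..." hash; PHP's password_verify() accepts that label too.
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        String normalized = normalize(encodedPassword);
        if (normalized == null) {
            // Empty or non-bcrypt value in the password column: fail closed, do not throw.
            return false;
        }
        return delegate.matches(rawPassword, normalized);
    }

    /** Stand-alone demonstration: a "$2y$" hash is rejected by the plain encoder on Spring Security 4.x and accepted here. */
    public static void main(String[] args) {
        String password = "correct horse battery staple";
        // Simulate what PHP's password_hash() stores: same digest, "$2y$" label. (Constructed sample.)
        String phpStyle = "$2y$" + new BCryptPasswordEncoder().encode(password).substring(4);

        System.out.println("stored hash:                 " + phpStyle);
        System.out.println("plain BCryptPasswordEncoder: " + new BCryptPasswordEncoder().matches(password, phpStyle));
        System.out.println("Bcrypt2yPasswordEncoder:     " + new Bcrypt2yPasswordEncoder().matches(password, phpStyle));
        System.out.println("wrong password:              " + new Bcrypt2yPasswordEncoder().matches("nope", phpStyle));
        System.out.println("not a bcrypt hash:           " + new Bcrypt2yPasswordEncoder().matches(password, "5f4dcc3b5aa765d61d8327deb882cf99"));
    }
}
```

For login validation CAS calls matches(); encode() is delegated only so the class is a complete PasswordEncoder. Newer Spring Security releases (5.x and later) parse the "$2y$" label themselves, so on a current CAS this class becomes unnecessary and the stock BCRYPT encoder type can be used directly.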

Sandor Juhasz

Oct 11, 2017, 10:17:54 AM
to cas-...@apereo.org
I hope someone would implement it in the project; I don't want to maintain it myself.
