Changing password hashing algorithm

I would like to changing the hashing function used within Cuba to something more secure. I know that it is possible to do this using a new EncryptionModule, but my use case is a little more complex.

I have a set of around 800 pre-existing users that currently all have a SHA-1 password in the DB - these are all users of a portal module who authenticate with the login API. I cannot simply change the hashing algorithm and ask my users to generate a new password. So I am proposing some code which will:

  1. When the user logs in, checks the DB to see what kind of hashing algorithm their password has been hashed with (this will default to SHA-1)
  2. Their plaintext password will be hashed and checked with the stored value (using appropriate algorithm derived from step 1)
  3. If the user is on an outdated hashing mechanism like this, the system will take their plaintext password and hash it in the new algorithm and store it, and update their record to indicate that they are now hashed using this more up to date method.

In this way I can perform a gradual migration from SHA-1 to, say, bcrypt, without causing issues for my users.

Do you have any advice for how best to accomplish this within the structure of the Cuba framework?

Many thanks.


Password hashing algorithm is implemented by the EncryptionModule type bean and is specified in cuba.passwordEncryptionModule application property. SHA-1 is used by default. You can implement your own class that will full fill your requirements, it is not so simple, but can be done. I’d recommend that you use com.haulmont.cuba.core.sys.encryption.Sha1EncryptionModule as an example.

There is one known problem - You have to use DataManager to access DB, since EncryptionModule code is invoked from both web and core modules. Or you can call your custom Services, but EntityManager / transaction are not accessible from encryption modules, since they must be defined in global module.

Such a migration will be much simplier if you migrate your application to the upcoming version 6.7, because we’ve reworked a big part of authentication on midlleware. For instance, you will be able to get rid of plain-hasing passwords before sending them to middleware and implement your customized login behaviour only in single place - in LoginPasswordAuthenticationProvider.

We are planning to rework this plain/hash problem in the near future, so you will be able to rework only middleware part instead of two points: web / core: and