Using BCrypt for password encryption

Hello,

Cuba offers two encryption types out of the box (md5 and sha1). Since they are not very secure I would like to use BCrypt for encrypting my passwords.

This can be done by implementing my own EncryptionModule ([cuba/EncryptionModule.java at 8836668c2fd0ffa88f2e91b9df6f64565c28b983 · cuba-platform/cuba · GitHub]). After implementing the different get*Hash()-methods I am now stuck with the checkPassword method:


EncryptionModule.checkPassword(User user, String givenPassword);

I expected that givenPassword would be the plain text password that the user entered. Actually, the givenPassword is already encrypted. My problem is that I need the plain text password and the previously encrypted password to check if they are equal.
(see spring security implementation: [spring-security/BCryptPasswordEncoder.java at main · spring-projects/spring-security · GitHub])

How can I implement BCrypt for password encryption in cuba?

Yours,
Joerg

Hi,

AppLoginWindow passes a password hash to the middleware, which is obtained with an EncryptionModule.getPlainHash call.

If you want to implement your BCrypt EncryptionModule you can either implement it like Md5EncryptionModule (where EncryptionModule.checkPassword simply compares the plain hash and the user's password field) or you can return the password from getPlainHash without encryption and implement all the hash checks in the checkPassword method. In the second case the password will be passed to EncryptionModule.checkPassword without encryption.

In fact, Sha1EncryptionModule now performs two hash procedures: first without salt in getPlainHash, and second with the encrypted password and salt in the checkPassword method.
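The second approach from the reply, written out as an added example (this is not code from the thread or from the CUBA project): getPlainHash returns the password unchanged, so checkPassword receives the plaintext and can run BCrypt's salted comparison against the stored hash. Only getPlainHash and checkPassword(User, String) appear in the thread; the other method names (getHashMethod, getPasswordHash, the two getHash overloads), the HashDescriptor type and the User.getPassword() accessor are assumed from the CUBA interface linked above and should be checked against the version in use. The BCryptPasswordEncoder API (encode/matches) is Spring Security's, as linked in the question.

```java
import java.util.UUID;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// BCrypt-based EncryptionModule following the "check everything in checkPassword" approach.
// ASSUMPTION: method names other than getPlainHash/checkPassword, HashDescriptor and
// User.getPassword() are taken from the CUBA interface and may differ between versions.
public class BCryptEncryptionModule implements EncryptionModule {

    // Work factor 12: roughly a few hundred ms per hash on commodity hardware.
    // Raise it over time; BCrypt stores the cost in the hash, so old hashes keep verifying.
    private final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(12);

    @Override
    public String getHashMethod() {
        return "bcrypt";
    }

    // Called when a password is set. BCrypt generates and embeds its own random salt,
    // so the userId-based salt that Sha1EncryptionModule uses is not needed here.
    @Override
    public String getPasswordHash(UUID userId, String password) {
        return encoder.encode(password);
    }

    @Override
    public HashDescriptor getHash(String content) {
        // The salt is already inside the BCrypt string; report an empty separate salt.
        return new HashDescriptor(encoder.encode(content), "");
    }

    @Override
    public String getHash(String content, String salt) {
        // External salt is ignored for the same reason.
        return encoder.encode(content);
    }

    // Deliberately NOT hashing: the client tier sends this value to the middleware, where
    // checkPassword() needs the plaintext to redo BCrypt with the salt stored in the hash.
    // Consequence: the password now leaves the client tier unhashed, so the
    // client-to-middleware channel must be protected (TLS) in this configuration.
    @Override
    public String getPlainHash(String content) {
        return content;
    }

    @Override
    public boolean checkPassword(User user, String givenPassword) {
        String stored = user.getPassword();   // assumed accessor for the stored BCrypt hash
        if (stored == null || givenPassword == null) {
            return false;
        }
        // matches() parses cost and salt out of `stored`, re-hashes givenPassword with
        // them and compares the result. Never compare hash strings with String.equals.
        return encoder.matches(givenPassword, stored);
    }
}
```

The trade-off the reply describes is visible in getPlainHash: the Md5/Sha1 modules hash once on the client so the raw password never leaves it, while BCrypt's per-user salt forces the comparison to happen where both the plaintext and the stored hash are available, so transport protection carries the weight the client-side hash used to.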