From 0c549ee14774df7404aea5eaf465b17b32ee6a16 Mon Sep 17 00:00:00 2001
From: Marcus Da Coregio
Date: Mon, 25 Jul 2022 10:21:25 -0300
Subject: [PATCH] Use SHA256 by default in Remember Me

Closes gh-11520
---
 .../ROOT/pages/servlet/authentication/rememberme.adoc | 4 ++--
 .../rememberme/TokenBasedRememberMeServices.java | 4 ++--
 .../rememberme/TokenBasedRememberMeServicesTests.java | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/docs/modules/ROOT/pages/servlet/authentication/rememberme.adoc b/docs/modules/ROOT/pages/servlet/authentication/rememberme.adoc
index 97c577da1d..af9c5ae425 100644
--- a/docs/modules/ROOT/pages/servlet/authentication/rememberme.adoc
+++ b/docs/modules/ROOT/pages/servlet/authentication/rememberme.adoc
@@ -114,9 +114,9 @@ A `key` is shared between this authentication provider and the `TokenBasedRememb
 In addition, `TokenBasedRememberMeServices` requires a `UserDetailsService`, from which it can retrieve the username and password for signature comparison purposes and generate the `RememberMeAuthenticationToken` to contain the correct `GrantedAuthority` instances.
 `TokenBasedRememberMeServices` also implements Spring Security's `LogoutHandler` interface so that it can be used with `LogoutFilter` to have the cookie cleared automatically.
-By default, this implementation uses the MD5 algorithm to encode the token signature.
+By default, this implementation uses the SHA-256 algorithm to encode the token signature.
 To verify the token signature, the algorithm retrieved from `algorithmName` is parsed and used.
-If no `algorithmName` is present, the default matching algorithm will be used, which is MD5.
+If no `algorithmName` is present, the default matching algorithm will be used, which is SHA-256.
 You can specify different algorithms for signature encoding and for signature matching, this allows users to safely upgrade to a different encoding algorithm while still able to verify old ones if there is no `algorithmName` present.
 To do that you can specify your customized `TokenBasedRememberMeServices` as a Bean and use it in the configuration.
diff --git a/web/src/main/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServices.java b/web/src/main/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServices.java
index 64d4b4c023..613bbd1da4 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServices.java
@@ -94,9 +94,9 @@ import org.springframework.util.StringUtils;
 */
 public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
- private static final RememberMeTokenAlgorithm DEFAULT_MATCHING_ALGORITHM = RememberMeTokenAlgorithm.MD5;
+ private static final RememberMeTokenAlgorithm DEFAULT_MATCHING_ALGORITHM = RememberMeTokenAlgorithm.SHA256;
- private static final RememberMeTokenAlgorithm DEFAULT_ENCODING_ALGORITHM = RememberMeTokenAlgorithm.MD5;
+ private static final RememberMeTokenAlgorithm DEFAULT_ENCODING_ALGORITHM = RememberMeTokenAlgorithm.SHA256;
 private final RememberMeTokenAlgorithm encodingAlgorithm;
diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java
index 22d0607056..69abe28bcd 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java
@@ -407,7 +407,7 @@ public class TokenBasedRememberMeServicesTests {
 assertThat(cookie.getMaxAge()).isEqualTo(this.services.getTokenValiditySeconds());
 assertThat(CodecTestUtils.isBase64(cookie.getValue().getBytes())).isTrue();
 assertThat(new Date().before(new Date(determineExpiryTimeFromBased64EncodedToken(cookie.getValue())))).isTrue();
- assertThat("MD5").isEqualTo(determineAlgorithmNameFromBase64EncodedToken(cookie.getValue()));
+ assertThat("SHA256").isEqualTo(determineAlgorithmNameFromBase64EncodedToken(cookie.getValue()));
 }
 @Test
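Review bot: Moving DEFAULT_MATCHING_ALGORITHM to SHA256 on the first `+` line has a compatibility consequence that neither the hunk nor the adoc change spells out: per the doc text, a cookie that carries no `algorithmName` is verified with the default matching algorithm, and such cookies were issued MD5-signed, so after this upgrade they fail signature verification and those users are silently logged out of remember-me. That is an acceptable outcome for retiring MD5, but it should be stated where a maintainer will see it, e.g. above the constant: `// Tokens issued before the algorithm name was embedded carry no algorithmName and were MD5-signed; they are rejected by default unless a matching algorithm of MD5 is configured explicitly.` The adoc hunk already says encoding and matching algorithms can be set separately, so a one-line pointer in the class-level Javadoc to that option would complete the migration story. The class body starts and ends outside this hunk, so I cannot confirm from here which constructor exposes the matching algorithm.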
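Review bot: The updated assertion in the `-407,7 +407,7` hunk is written with expected and actual swapped for AssertJ: `assertThat("SHA256").isEqualTo(determineAlgorithmNameFromBase64EncodedToken(cookie.getValue()));` places the literal under test and the computed value as the expectation, so a failure message reports them backwards. Writing it as `assertThat(determineAlgorithmNameFromBase64EncodedToken(cookie.getValue())).isEqualTo("SHA256");` reads correctly and matches the other assertions in the same method. If `RememberMeTokenAlgorithm` is an enum, deriving the literal from the constant (`RememberMeTokenAlgorithm.SHA256.name()`) would also turn a future rename into a compile error instead of a runtime failure. The enclosing test method starts outside the hunk.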
@@ -459,11 +459,11 @@ public class TokenBasedRememberMeServicesTests {
 }
 @Test
- public void constructorWhenNoEncodingAlgorithmSpecifiedThenMd5() {
+ public void constructorWhenNoEncodingAlgorithmSpecifiedThenSha256() {
 TokenBasedRememberMeServices rememberMeServices = new TokenBasedRememberMeServices("key", this.uds);
 RememberMeTokenAlgorithm encodingAlgorithm = (RememberMeTokenAlgorithm) ReflectionTestUtils
 .getField(rememberMeServices, "encodingAlgorithm");
- assertThat(encodingAlgorithm).isSameAs(RememberMeTokenAlgorithm.MD5);
+ assertThat(encodingAlgorithm).isSameAs(RememberMeTokenAlgorithm.SHA256);
 }
 }
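Review bot: This test pins only the encoding default, yet the commit also changes DEFAULT_MATCHING_ALGORITHM to SHA256, and that is the default that decides whether a legacy cookie without an `algorithmName` is accepted; unless a sibling test outside this hunk covers it, a regression of the matching default would pass the suite unnoticed. A parallel `constructorWhenNoMatchingAlgorithmSpecifiedThenSha256` that reads the matching-algorithm field through `ReflectionTestUtils.getField` in the same way and asserts `isSameAs(RememberMeTokenAlgorithm.SHA256)` would close the gap. The name of that field is not visible in this diff (only `encodingAlgorithm` appears), so it would need to be taken from the class, not guessed.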