If you want to know what jasypt can do to improve the security of your users' passwords in an acegi-enabled application, check the FAQ and also the article 'How to encrypt user passwords' guide.

Integrating Jasypt with Spring Security 2.x or 3.x (or Acegi 1.x)

Jasypt provides the jasypt-acegisecurity, jasypt-springsecurity2 and jasypt-springsecurity3 artifacts for integration with Spring Security 1.x, 2.x and 3.x. Since jasypt 1.9.0, these artifacts must be added to your classpath separately.

These integration libraries allow the integration of jasypt's powerful password encryption capabilities into Spring Security-enabled applications. Once integrated, jasypt will be responsible for managing the check of users' passwords at sign in in a transparent way for the rest of the security framework.

Password encryption is set up in Spring Security by injecting an object implementing the org.acegisecurity.providers.encoding.PasswordEncoder (ACEGI 1.x), org.springframework.security.providers.encoding.PasswordEncoder (Spring Security 2.x) or org.springframework.security.authentication.encoding.PasswordEncoder (Spring Security 3.x) interface into your AuthenticationProvider.

Jasypt provides two implementations of this PasswordEncoder interface for each of ACEGI 1.x and Spring Security 2.x and 3.x:

  • org.jasypt.acegisecurity.PasswordEncoder / org.jasypt.springsecurity2.PasswordEncoder / org.jasypt.springsecurity3.PasswordEncoder, which is used for uni-directional password encryption (recommended), and which can wrap either an org.jasypt.util.password.PasswordEncryptor or an org.jasypt.digest.StringDigester object.
  • org.jasypt.acegisecurity.PBEPasswordEncoder / org.jasypt.springsecurity2.PBEPasswordEncoder / org.jasypt.springsecurity3.PBEPasswordEncoder, which is used for bi-directional password encryption (not recommended), and which can wrap either an org.jasypt.util.text.TextEncryptor or an org.jasypt.encryption.pbe.StringEncryptor object.

Please note that password encryption should be uni-directional, but bi-directional password encryption (this is, passwords which can be decrypted) is allowed in order to support some legacy and complex inter-application integration scenarios.

Also, jasypt includes org.jasypt.springsecurity3.TokenBasedRememberMeServices for Spring Security 3, which works in the same way as org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices but creating a jasypt-digested data signature for inclusion in rememeber-me cookies.

org.jasypt.acegisecurity|springsecurity2|springsecurity3.PasswordEncoder

These PasswordEncoder implementations can wrap either an org.jasypt.util.password.PasswordEncryptor implementation (BasicPasswordEncryptor, StrongPasswordEncryptor, ConfigurablePasswordEncryptor,...) or an org.jasypt.digest.StringDigester implementation (StandardStringDigester,...). This means that all uni-directional encryption methods supported in jasypt can be integrated into ACEGI / Spring Security using this adapter.

It can be used from your Spring XML resource files like this (for a PasswordEncryptor and Spring Security 3.x):

  ...
  <!-- Your application may use the PasswordEncryptor in several places, --> 
  <!-- like for example at new user sign-up.                             --> 
  <bean id="jasyptPasswordEncryptor" class="org.jasypt.util.password.StrongPasswordEncryptor" />
  ...
  ...
  <!-- This Spring Security-friendly PasswordEncoder implementation will -->
  <!-- wrap the PasswordEncryptor instance so that it can be used from   -->
  <!-- the security framework.                                           -->
  <bean id="passwordEncoder" class="org.jasypt.springsecurity3.PasswordEncoder">
    <property name="passwordEncryptor">
      <ref bean="jasyptPasswordEncryptor" />
    </property>
  </bean>
  ...
  ...
  <!-- Your DaoAuthenticationProvider will then use it like with any     -->
  <!-- other implementation of the PasswordEncoder interface.            -->
  <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
      <property name="userDetailsService" ref="userDetailsService"/>
      <property name="passwordEncoder">
        <ref bean="passwordEncoder" />
      </property>
  </bean>
  ...

Or like this (for a StringDigester and Spring Security 3.x):

  ...
  <!-- Your application may use the StringDigester in several places,    --> 
  <!-- like for example at new user sign-up.                             --> 
  <bean id="jasyptStringDigester" class="org.jasypt.digest.StandardStringDigester" >
    <property name="algorithm" value="SHA-1" />
    <property name="iterations" value="100000" />
  </bean>
  ...
  ...
  <!-- This Spring Security-friendly PasswordEncoder implementation will -->
  <!-- wrap the StringDigester instance so that it can be used from      -->
  <!-- the security framework.                                           -->
  <bean id="passwordEncoder" class="org.jasypt.springsecurity3.PasswordEncoder">
    <property name="stringDigester">
      <ref bean="jasyptStringDigester" />
    </property>
  </bean>
  ...
  ...
  <!-- Your DaoAuthenticationProvider will then use it like with any     -->
  <!-- other implementation of the PasswordEncoder interface.            -->
  <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
      <property name="userDetailsService" ref="userDetailsService"/>
      <property name="passwordEncoder">
        <ref bean="passwordEncoder" />
      </property>
  </bean>
  ...

org.jasypt.acegisecurity|springsecurity2|springsecurity3.PBEPasswordEncoder

These PasswordEncoder implementations can wrap either an org.jasypt.util.text.TextEncryptor implementation (BasicTextEncryptor, StrongTextEncryptor,...) or an org.jasypt.encryption.pbe.PBEStringEncryptor implementation (StandardPBEStringEncryptor,...). This means that all bi-directional encryption methods supported in jasypt can be integrated into ACEGI / Spring Security using this adapter.

It can be used from your Spring XML resource files like this (for a TextEncryptor and Spring Security 3.x):

  ...
  <!-- Your application may use the TextEncryptor in several places,     --> 
  <!-- like for example at new user sign-up.                             --> 
  <bean id="jasyptTextEncryptor" class="org.jasypt.util.text.StrongTextEncryptor" >
    <property name="password" value="myPassword" />
  </bean>
  ...
  ...
  <!-- This Spring Security-friendly PasswordEncoder implementation will -->
  <!-- wrap the TextEncryptor instance so that it can be used from       -->
  <!-- the security framework.                                           -->
  <bean id="passwordEncoder" class="org.jasypt.springsecurity3.PBEPasswordEncoder">
    <property name="textEncryptor">
      <ref bean="jasyptTextEncryptor" />
    </property>
  </bean>
  ...
  ...
  <!-- Your DaoAuthenticationProvider will then use it like with any     -->
  <!-- other implementation of the PasswordEncoder interface.            -->
  <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
      <property name="userDetailsService" ref="userDetailsService"/>
      <property name="passwordEncoder">
        <ref bean="passwordEncoder" />
      </property>
  </bean>
  ...

Or like this (for a PBEStringEncryptor and Spring Security 3.x):

  ...
  <!-- Your application may use the PBEStringEncryptor in several places,--> 
  <!-- like for example at new user sign-up.                             --> 
  <bean id="jasyptPBEStringEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor" >
    <property name="algorithm" value="PBEWithMD5AndTripleDES" />
    <property name="password" value="myPassword" />
  </bean>
  ...
  ...
  <!-- This Spring Security-friendly PasswordEncoder implementation will -->
  <!-- wrap the PBEStringEncryptor instance so that it can be used from  -->
  <!-- the security framework.                                           -->
  <bean id="passwordEncoder" class="org.jasypt.springsecurity3.PBEPasswordEncoder">
    <property name="pbeStringEncryptor">
      <ref bean="jasyptPBEStringEncryptor" />
    </property>
  </bean>
  ...
  ...
  <!-- Your DaoAuthenticationProvider will then use it like with any     -->
  <!-- other implementation of the PasswordEncoder interface.            -->
  <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
      <property name="userDetailsService" ref="userDetailsService"/>
      <property name="passwordEncoder">
        <ref bean="passwordEncoder" />
      </property>
  </bean>
  ...

Using other JCE providers like Bouncy Castle

With Jasypt, you can easily integrate the Bouncy Castle JCE provider (or any other JCE provider) into your Acegi / Spring Security infrastructure, thus being able to use lots of new algorithms for password encryption at your apps.

For example, you could use the WHIRLPOOL hash function on your passwords just like this:

  ...
  <!-- We need an instance of the BouncyCastleProvider --> 
  <bean id="bcProvider" class="org.bouncycastle.jce.provider.BouncyCastleProvider" />
  ...
  ...
  <!-- Your application may use the PasswordEncryptor in several places, --> 
  <!-- like for example at new user sign-up.                             --> 
  <bean id="jasyptPasswordEncryptor" class="org.jasypt.util.password.ConfigurablePasswordEncryptor">
    <property name="algorithm">
      <value>WHIRLPOOL</value>
    </property>
    <property name="provider">
      <ref bean="bcProvider" />
    </property>
  </bean>
  ...
  ...
  <!-- This Spring Security-friendly PasswordEncoder implementation will -->
  <!-- wrap the PasswordEncryptor instance so that it can be used from   -->
  <!-- the security framework.                                           -->
  <bean id="passwordEncoder" class="org.jasypt.springsecurity3.PasswordEncoder">
    <property name="passwordEncryptor">
      <ref bean="jasyptPasswordEncryptor" />
    </property>
  </bean>
  ...
  ...
  <!-- Your DaoAuthenticationProvider will then use it like with any     -->
  <!-- other implementation of the PasswordEncoder interface.            -->
  <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
      <property name="userDetailsService" ref="userDetailsService"/>
      <property name="passwordEncoder">
        <ref bean="passwordEncoder" />
      </property>
  </bean>
  ...