Update default values for salt & iteration index #39510

6 changes: 1 addition & 5 deletions docs/src/main/asciidoc/security-jdbc.adoc
Expand Up @@ -209,17 +209,15 @@
quarkus.security.jdbc.principal-query.sql=SELECT u.password, u.role FROM test_user u WHERE u.username=? <1>
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.enabled=true <2>
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.password-index=1
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.salt-index=-1
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.iteration-count-index=-1
quarkus.security.jdbc.principal-query.attribute-mappings.0.index=2 <3>
quarkus.security.jdbc.principal-query.attribute-mappings.0.to=groups
----

The `elytron-security-jdbc` extension requires at least one principal query to authenticate the user and its identity.

<1> We define a parameterized SQL statement (with exactly 1 parameter) which should return the user's password plus any additional information you want to load.
<2> We configure the password mapper with the position of the password field in the `SELECT` fields and other information like salt, hash encoding, etc. Setting the salt and iteration count indexes to `-1` is required for MCF.
<2> The password mapper is configured with the position of the password field in the `SELECT` fields. The hash is stored in the Modular Crypt Format (MCF) because the salt and iteration count indexes are set to `-1` by default. You can override them in order to decompose each element into three separate columns.

Check warning on line 219 in docs/src/main/asciidoc/security-jdbc.adoc

GitHub Actions / Linting with Vale

[vale] reported by reviewdog 🐶 [Quarkus.TermsWarnings] Consider using 'to' rather than 'in order to' unless updating existing content that uses the term. Raw Output: {"message": "[Quarkus.TermsWarnings] Consider using 'to' rather than 'in order to' unless updating existing content that uses the term.", "location": {"path": "docs/src/main/asciidoc/security-jdbc.adoc", "range": {"start": {"line": 219, "column": 251}}}, "severity": "WARNING"}

Check warning on line 219 in docs/src/main/asciidoc/security-jdbc.adoc

GitHub Actions / Linting with Vale

[vale] reported by reviewdog 🐶 [Quarkus.Fluff] Depending on the context, consider using 'Be concise: use 'to' rather than' rather than 'in order to'. Raw Output: {"message": "[Quarkus.Fluff] Depending on the context, consider using 'Be concise: use 'to' rather than' rather than 'in order to'.", "location": {"path": "docs/src/main/asciidoc/security-jdbc.adoc", "range": {"start": {"line": 219, "column": 251}}}, "severity": "INFO"}
<3> We use `attribute-mappings` to bind the `SELECT` projection fields (i.e. `u.role` here) to the target Principal representation attributes.

Check failure on line 220 in docs/src/main/asciidoc/security-jdbc.adoc

GitHub Actions / Linting with Vale

[vale] reported by reviewdog 🐶 [Quarkus.TermsErrors] Use 'you' rather than 'i'. Raw Output: {"message": "[Quarkus.TermsErrors] Use 'you' rather than 'i'.", "location": {"path": "docs/src/main/asciidoc/security-jdbc.adoc", "range": {"start": {"line": 220, "column": 73}}}, "severity": "ERROR"}

[NOTE]
====
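
Review bot: In callout <2>, the new sentence "The hash is stored in the Modular Crypt Format (MCF) because the salt and iteration count indexes are set to `-1` by default" reads as if the indexes decide how the hash is stored, when they only tell the mapper what to expect in the password column. Suggest wording along the lines of "By default the salt and iteration count indexes are `-1`, so the mapper expects the password column to hold a complete MCF string", and replacing "in order to decompose each element into three separate columns" with "to read the hash, salt and iteration count from three separate columns", which also clears the Vale warning on line 219. Because the example no longer sets `salt-index` and `iteration-count-index` explicitly, it is also worth stating that the `-1` defaults only apply from the release that carries this change.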
Expand Down Expand Up @@ -311,8 +309,6 @@
quarkus.security.jdbc.principal-query.sql=SELECT u.password FROM test_user u WHERE u.username=?
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.enabled=true
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.password-index=1
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.salt-index=-1
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.iteration-count-index=-1

quarkus.security.jdbc.principal-query.roles.sql=SELECT r.role_name FROM test_role r, test_user_role ur WHERE ur.username=? AND ur.role_id = r.id
quarkus.security.jdbc.principal-query.roles.datasource=permissions
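
Review bot: With `salt-index` and `iteration-count-index` dropped from this second example, nothing next to it says that `u.password` has to hold a complete MCF string. A short cross-reference to callout <2> of the first example, or one sentence after the block, would keep this example self-explanatory.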
Expand Up @@ -34,9 +34,10 @@ public interface BcryptPasswordKeyMapperConfig {
Encoding hashEncoding();

/**
* The index (1 based numbering) of the column containing the Bcrypt salt
* The index (1 based numbering) of the column containing the Bcrypt salt. The default value of `-1` implies that the salt
* is stored in the password column using the Modular Crypt Format (MCF) standard.
*/
@WithDefault("0")
@WithDefault("-1")
int saltIndex();

/**
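
Review bot: Moving `@WithDefault` on `saltIndex()` from "0" to "-1" changes behaviour for any application that never set `salt-index`, and the Javadoc does not say which values are valid or what `0` meant before. Suggest stating the accepted values (`-1` for MCF, or a column index of 1 or greater, given the 1-based numbering) and adding a migration note for the default change.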
Expand All @@ -46,9 +47,10 @@ public interface BcryptPasswordKeyMapperConfig {
Encoding saltEncoding();

/**
* The index (1 based numbering) of the column containing the Bcrypt iteration count
* The index (1 based numbering) of the column containing the Bcrypt iteration count. The default value of `-1` implies that
* the iteration count is stored in the password column using the Modular Crypt Format (MCF) standard.
*/
@WithDefault("0")
@WithDefault("-1")
int iterationCountIndex();

default PasswordKeyMapper toPasswordKeyMapper() {
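
Review bot: The Javadoc on `iterationCountIndex()` and on `saltIndex()` each describe `-1` in isolation, but neither says what happens when only one of the two is overridden, for example `salt-index=2` with `iteration-count-index` left at `-1`. Suggest documenting that both must be set together when MCF is not used, or rejecting the mixed case in `toPasswordKeyMapper()`.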