This PR addresses #685. It adds the ability to inject an alternate password encoder to use when hashing user passwords, and adds an implementation that checks if the existing password looks like it's been BCrypt-ed before hashing it. The latter is not the default.
Initially I considered passing an extra parameter to the REST endpoint to indicate this was the desired behaviour. But there are a few problems with that: a lot more files to change, and always the chance some idiot would use it with an un-hashed password.
This approach also opens up the possibility of injecting a DelegatingPasswordEncoder if / when you upgrade to Spring Security 5, which at first glance might provide a more elegant solution.
To wire in the NoReHashPasswordEncoder, edit saiku-beans.xml:
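The "looks like it's been BCrypt-ed" check described in this PR, sketched as an added example: this is not the PR's NoReHashPasswordEncoder source, the class name `ShapeCheckingBcryptEncoder` and the sample password are constructed for illustration, and it assumes Spring Security's crypto module is on the classpath.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class for illustration; not the PR's NoReHashPasswordEncoder.
public class ShapeCheckingBcryptEncoder implements PasswordEncoder {
    // "$2a$", "$2b$" or "$2y$", a two-digit cost, then 22 salt + 31 digest characters.
    private static final Pattern BCRYPT =
            Pattern.compile("\\$2[aby]\\$(\\d\\d)\\$[./A-Za-z0-9]{53}");

    private final PasswordEncoder delegate = new BCryptPasswordEncoder();

    static boolean looksLikeBcrypt(CharSequence value) {
        if (value == null) {
            return false;
        }
        Matcher m = BCRYPT.matcher(value);
        if (!m.matches()) {
            return false;
        }
        int cost = Integer.parseInt(m.group(1));
        return cost >= 4 && cost <= 31; // valid bcrypt cost range
    }

    @Override
    public String encode(CharSequence rawPassword) {
        // Store an already-hashed value unchanged; hash everything else.
        return looksLikeBcrypt(rawPassword) ? rawPassword.toString() : delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // No shape shortcut here: login input is always run through bcrypt,
        // so presenting a stored hash as the password does not authenticate.
        return delegate.matches(rawPassword, encodedPassword);
    }

    public static void main(String[] args) {
        PasswordEncoder enc = new ShapeCheckingBcryptEncoder();
        String hash = enc.encode("constructed-sample-pw"); // constructed input
        System.out.println("stored unchanged on re-encode: " + hash.equals(enc.encode(hash)));
        System.out.println("password verifies: " + enc.matches("constructed-sample-pw", hash));
        System.out.println("hash accepted as password: " + enc.matches(hash, hash));
    }
}
```

Detection is by shape only, so a plaintext password that happens to have the BCrypt format is stored as-is and its owner cannot log in with it.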