How to add support for hashed passwords

Hi,

I've seen some old posts that debate the Flowable passwords being in clear text in the act_id_user table.
User passwords should never be stored in clear text, no matter what (https or not).

Has someone successfully implemented the persistence of hashed passwords and can provide the details of the classes that need to be changed?

I've been looking in that section and it is not clear to me how to set that passwordEncoder from the following documentation.

Any help would be appreciated.

Thank you.


Hi Prioux.

From the doc:

By default, the user passwords will be saved in plain text in the IDM database tables. To make sure that the passwords are encoded you can define a password encoder in the process engine configuration.

If you want to store encoded passwords, change the default IDM configuration (which uses ClearTextPasswordEncoder) to another password encoder, e.g.

<bean id="bCryptEncoder"
      class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<bean id="passwordEncoder" class="org.flowable.idm.spring.authentication.SpringEncoder">
    <constructor-arg ref="bCryptEncoder"/>
</bean>

<bean id="processEngineConfiguration" class="org.flowable.engine.impl.cfg.StandaloneInMemProcessEngineConfiguration">
  <property name="passwordEncoder" ref="passwordEncoder" />
  ...
</bean>
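
The same wiring done programmatically, followed by a read-back check that the stored value is a BCrypt hash and not the clear-text password, as an added example that is neither the Flowable project's code nor from this thread. It assumes flowable-engine, flowable-idm-spring and spring-security-crypto are on the class path, that setPasswordEncoder is the setter behind the passwordEncoder property used above, and that saveUser encodes the password when an encoder is configured (as the quoted doc states); the user id and password are constructed sample values.

```java
import org.flowable.engine.IdentityService;
import org.flowable.engine.ProcessEngine;
import org.flowable.engine.impl.cfg.StandaloneInMemProcessEngineConfiguration;
import org.flowable.idm.api.User;
import org.flowable.idm.spring.authentication.SpringEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class HashedPasswordCheck {

    // Constructed sample credentials, not real accounts.
    private static final String USER_ID = "kermit";
    private static final String PASSWORD = "correct horse battery staple";

    public static void main(String[] args) {
        // Equivalent of the three beans above: SpringEncoder adapts Spring's
        // BCryptPasswordEncoder to Flowable's own PasswordEncoder interface.
        // Assumption: setPasswordEncoder is the setter behind the "passwordEncoder" property.
        StandaloneInMemProcessEngineConfiguration cfg = new StandaloneInMemProcessEngineConfiguration();
        cfg.setPasswordEncoder(new SpringEncoder(new BCryptPasswordEncoder()));
        ProcessEngine engine = cfg.buildProcessEngine();
        IdentityService identityService = engine.getIdentityService();

        User user = identityService.newUser(USER_ID);
        user.setPassword(PASSWORD);
        identityService.saveUser(user);

        // Read back what actually landed in ACT_ID_USER.PWD_ and inspect it.
        String stored = identityService.createUserQuery().userId(USER_ID).singleResult().getPassword();
        // A BCrypt hash carries a "$2a$"/"$2b$"/"$2y$" prefix, is 60 chars long and never equals the input.
        boolean hashed = stored != null && stored.startsWith("$2") && stored.length() == 60
                && !stored.equals(PASSWORD);
        boolean verifies = identityService.checkPassword(USER_ID, PASSWORD);
        boolean rejects = !identityService.checkPassword(USER_ID, "not the password");

        System.out.println("stored value is a BCrypt hash: " + hashed);
        System.out.println("correct password verifies:     " + verifies);
        System.out.println("wrong password is rejected:    " + rejects);
        engine.close();
    }
}
```

If the first line prints false, the encoder was not picked up by the engine configuration actually in use, which is the same symptom as a flowable.cfg.xml placed on the wrong class path.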

In which file does this bean section go? There are so many folders and I am not sure where this section needs to go.

As additional information, we are using an old version, 6.3.1, and Spring.

Setting the following in a flowable.cfg.xml file on the flowable-idm (webapps\flowable-idm\WEB-INF\classes) or flowable-rest (webapps\flowable-rest\WEB-INF\classes) class path has no effect.

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

    <bean id="processEngineConfiguration" class="org.flowable.spring.SpringProcessEngineConfiguration">
        <property name="passwordEncoder" ref="passwordEncoder" />
    </bean>

    <bean id="bCryptEncoder"
          class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <bean id="passwordEncoder" class="org.flowable.idm.spring.authentication.SpringEncoder">
        <constructor-arg ref="bCryptEncoder"/>
    </bean>

</beans>