"Global salt length is not defined in properties file." message repeatedly logged in restricted environments #157

Closed
dancristiancecoi opened this issue Jun 18, 2024 · 3 comments
Labels
priority: medium status: confirmed type: documentation Improvements or additions to documentation

Comments

@dancristiancecoi

Describe the bug
This issue builds on top of #153.

Every time we call the hash method of the PBKDF2 hashing function, the following message gets logged:

Global salt length is not defined in properties file. Default value is used (64). Please set property global.salt.length in your psw4j.properties file.

We would like to suppress/remove this logging message when running in environments that don't use the psw4j.properties file.

To Reproduce
Run password4j without supplying psw4j.properties file and call PBKDF2's hash method

Expected behavior
Ideally either completely suppress this message or not log it at WARN level when running in restricted environments

@firaja
Member

firaja commented Jun 19, 2024

Hi @dancristiancecoi,

HashBuilder#addRandomSalt() implies a configuration file.
Unfortunately, I haven't updated the wiki yet, which mentions that a 64-byte salt will be generated without referencing the configuration file (old behavior).

So every time you use Password.hash(...).addRandomSalt().... the library checks the in-memory version of the psw4j.properties file.

If you use instead HashBuilder#addRandomSalt(int) the configurations in the files are overridden.

For example

Password.hash(plainText).addRandomSalt(64).withPBKDF2();

If you are in a restricted environment, I strongly suggest specifying all the parameters needed in the hashing process.

// parameters taken from OWASP
PBKDF2Function pbkdf2 = PBKDF2Function.getInstance(Hmac.SHA256, 600_000, 256);
Hash hash = Password.hash(plainText).addRandomSalt(128).with(pbkdf2);
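
To make the recommendation above concrete, the following is an added example (not code from this issue or from the password4j project itself) that pins every PBKDF2 parameter in code so the library never consults psw4j.properties, and therefore never emits the "Global salt length is not defined" warning. The class and method names are my own; the 16-byte salt length is an assumption (the thread uses 64 and 128). It also shows the distinction the reporter alludes to: with plain PBKDF2Function the salt is not embedded in the result, so it must be stored and resupplied at check time, whereas CompressedPBKDF2Function folds algorithm, iterations and salt into the output string.

```java
import com.password4j.CompressedPBKDF2Function;
import com.password4j.Hash;
import com.password4j.Hmac;
import com.password4j.PBKDF2Function;
import com.password4j.Password;

public class ExplicitPbkdf2Example {

    // Assumed salt length in bytes (NIST SP 800-132 requires at least 16).
    // Passing it to addRandomSalt(int) overrides global.salt.length from psw4j.properties.
    private static final int SALT_BYTES = 16;

    // 600_000 iterations and a 256-bit output follow the OWASP PBKDF2-HMAC-SHA256
    // figures quoted in the thread. Both functions are built explicitly, so nothing
    // is read from a configuration file.
    private static final PBKDF2Function PBKDF2 =
            PBKDF2Function.getInstance(Hmac.SHA256, 600_000, 256);
    private static final CompressedPBKDF2Function COMPRESSED_PBKDF2 =
            CompressedPBKDF2Function.getInstance(Hmac.SHA256, 600_000, 256);

    // Plain PBKDF2: the result is only the derived key, so the caller must persist
    // hash.getSalt() next to hash.getResult() and hand the salt back when checking.
    public static Hash hashPlain(CharSequence password) {
        return Password.hash(password).addRandomSalt(SALT_BYTES).with(PBKDF2);
    }

    public static boolean verifyPlain(CharSequence password, String storedSalt, String storedHash) {
        return Password.check(password, storedHash).addSalt(storedSalt).with(PBKDF2);
    }

    // Compressed PBKDF2: algorithm, iteration count, salt and digest are encoded in
    // one string, so only the result is stored and no salt is resupplied on check.
    public static String hashCompressed(CharSequence password) {
        return Password.hash(password).addRandomSalt(SALT_BYTES).with(COMPRESSED_PBKDF2).getResult();
    }

    public static boolean verifyCompressed(CharSequence password, String storedHash) {
        return Password.check(password, storedHash).with(COMPRESSED_PBKDF2);
    }

    public static void main(String[] args) {
        // Constructed sample input.
        String password = "correct horse battery staple";

        Hash plain = hashPlain(password);
        System.out.println("plain hash        : " + plain.getResult());
        System.out.println("plain check (ok)  : " + verifyPlain(password, plain.getSalt(), plain.getResult()));
        System.out.println("plain check (bad) : " + verifyPlain("wrong password", plain.getSalt(), plain.getResult()));

        String compressed = hashCompressed(password);
        System.out.println("compressed hash   : " + compressed);
        System.out.println("compressed (ok)   : " + verifyCompressed(password, compressed));
        System.out.println("compressed (bad)  : " + verifyCompressed("wrong password", compressed));
    }
}
```

Whichever variant is used, the important property for a restricted environment is that the salt length, HMAC, iteration count and output length all come from code rather than from psw4j.properties; a change to those constants should be accompanied by a re-hash on next login, since existing plain PBKDF2 hashes carry no record of the parameters they were produced with.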

@dancristiancecoi
Author

Thanks for getting back to me @firaja !

That makes sense, as I am using the compressed PBKDF2 function.

I am away for the rest of the week but will test your suggestions when I'm back. Thanks again!

@dancristiancecoi
Author

Just to confirm that your suggestion worked.

Using the following code removed the log messages:
Password.hash(passwordBuffer).addRandomSalt(64).with(hashingFunction).getResult()

Thanks again!
