Address weak crypto issues

Fix 2 weak cryptography issues identified by SonarCloud scans.

Issue-ID: CCSDK-3196
Signed-off-by: Dan Timoney <dtimoney@att.com>
Change-Id: I0fee14e7a96badeac8a278de4d74ef244c24f06f

1 files changed, 3 insertions, 1 deletions

diff --git a/ms/vlantag-api/src/main/java/org/onap/ccsdk/apps/ms/vlantagapi/core/ApplicationSecurityConfig.java b/ms/vlantag-api/src/main/java/org/onap/ccsdk/apps/ms/vlantagapi/core/ApplicationSecurityConfig.java
index bd0abe6f..80c42fb2 100644
--- a/ms/vlantag-api/src/main/java/org/onap/ccsdk/apps/ms/vlantagapi/core/ApplicationSecurityConfig.java
+++ b/ms/vlantag-api/src/main/java/org/onap/ccsdk/apps/ms/vlantagapi/core/ApplicationSecurityConfig.java
@@ -29,6 +29,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.config.http.SessionCreationPolicy;

 import org.springframework.security.core.userdetails.User;

 import org.springframework.security.core.userdetails.UserDetails;

+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

 import org.springframework.security.crypto.factory.PasswordEncoderFactories;

 import org.springframework.security.crypto.password.PasswordEncoder;

 import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@@ -51,7 +52,8 @@ public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter{
 	protected void configure(AuthenticationManagerBuilder auth) throws Exception {

 		List<UserDetails> userDetails = new ArrayList<>();

 		

-		PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

+		// Explicitly set bcrypt password encoder rather than using default

+		PasswordEncoder encoder = new BCryptPasswordEncoder();

     	final User.UserBuilder userBuilder = User.builder().passwordEncoder(encoder::encode);

 

 		String authString = environment.getProperty("application.authToken");