PasswordEncoding, when does it happen?
  • PasswordEncoding, when does it happen?

    Hi there,

    First and foremost, thanks Ben for taking the time to answer all of us!

    How exactly are passwords encoded before they get put in the database?

    I probably asked that vaguely, so I'll provide some context. I've made my own impl of PasswordAuthenticationDao which uses Hibernate, that returns a UserDetails object (which is actually my User domain model object). My problem is trying to understand what happens when I want to create a new account.

    So, I go about constructing a new User object, and I set username, id, etc. and also password. I then persist it with Hibernate. However -- and here is the part I don't understand -- how does the encoding happen? i.e. Am I supposed to use an md5PasswordEncoderImpl that you supply with the Acegi code manually, or how does this happen?

    Thank you, I searched the forum and didn't find much.



  • #2
    You need to use the PasswordEncoder.encodePassword(String rawPass, Object salt) method within whatever creates or updates the user record in the authentication repository. Acegi Security never "writes" a user record, so there is no prescribed way of doing this - it's an application-specific choice.


    • #3
      Does it make sense for Acegi to ship a Hibernate UserType that does this translation? Since the resulting String is a one-way hash value, the domain object can only have a public setPassword(..) method.



      • #4
        You can have a protected setPassword() to store the hashed version, then have a public changePassword(String newPassword, PasswordEncoder encoder) to allow encapsulated public mutation of the property.
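
Putting #2 and #4 together: the following is an added example, not code from the thread or from Acegi itself. It shows what "calling encodePassword within whatever creates the user record" and "protected setPassword plus public changePassword" look like in practice. It assumes Acegi 1.0.x package names (org.acegisecurity.providers.encoding; older releases used net.sf.acegisecurity), a Hibernate 3 Session, and the choice of using the username as the salt; the class and method names other than the Acegi ones are made up for illustration.

```java
import org.acegisecurity.providers.encoding.Md5PasswordEncoder;
import org.acegisecurity.providers.encoding.PasswordEncoder;
import org.hibernate.Session;

/**
 * Hypothetical account-creation code for an application whose User domain
 * object is also its UserDetails. Acegi never writes user rows, so this is
 * where encodePassword() has to be called.
 */
public class AccountExample {

    /** Domain object: the password field only ever holds the encoded form. */
    public static class User {
        private Long id;
        private String username;
        private String password; // encoded (hashed) value, never plaintext

        protected User() { }     // required by Hibernate

        public User(String username, String rawPassword, PasswordEncoder encoder) {
            this.username = username;
            changePassword(rawPassword, encoder);
        }

        public Long getId() { return id; }
        public String getUsername() { return username; }
        public String getPassword() { return password; }

        protected void setId(Long id) { this.id = id; }
        protected void setUsername(String username) { this.username = username; }

        /** Hibernate-only mutator: the value it receives is already encoded. */
        protected void setPassword(String encodedPassword) {
            this.password = encodedPassword;
        }

        /** The only public way to change the password: encode, then store. */
        public void changePassword(String rawPassword, PasswordEncoder encoder) {
            // Salt with the username (assumption). DaoAuthenticationProvider must
            // then be wired with a SaltSource that yields the same value, e.g.
            // ReflectionSaltSource with userPropertyToUse="getUsername".
            setPassword(encoder.encodePassword(rawPassword, username));
        }

        /** Same check the provider performs at login time. */
        public boolean passwordMatches(String rawPassword, PasswordEncoder encoder) {
            return encoder.isPasswordValid(password, rawPassword, username);
        }
    }

    private final PasswordEncoder encoder = new Md5PasswordEncoder();

    /** Application-specific "create user record" step (hypothetical service method). */
    public User createAccount(Session session, String username, String rawPassword) {
        User user = new User(username, rawPassword, encoder); // encoded in the constructor
        session.save(user);                                   // persists the hash only
        return user;
    }

    /** Stand-alone demonstration that needs no database. */
    public static void main(String[] args) {
        PasswordEncoder encoder = new Md5PasswordEncoder();
        User u = new User("alice", "correct horse", encoder);
        System.out.println("stored value: " + u.getPassword());
        System.out.println("right password accepted: " + u.passwordMatches("correct horse", encoder));
        System.out.println("wrong password rejected: " + !u.passwordMatches("wrong", encoder));
    }
}
```

The point of the protected setter is that nothing outside the class can store a plaintext value by accident; Hibernate can still populate the field via reflection or the protected setter, while application code is forced through changePassword(). Whatever salt you choose at creation time has to match what the authentication provider's SaltSource supplies at login, or every login will fail; and the same PasswordEncoder bean should be injected into both the account-creation code and DaoAuthenticationProvider rather than instantiated separately, so the two can never drift apart. MD5 is what this thread is about, but an unsalted or lightly salted MD5 is cheap to brute-force by today's standards, so a slow, purpose-built password hash is the better choice for new code.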