Possibly bug in Spring Security 2.0.4
This topic is closed

  • Possibly bug in Spring Security 2.0.4

    Code:
    <beans:bean id="shaPasswordEncoder" class="org.springframework.security.providers.encoding.ShaPasswordEncoder">
        <beans:constructor-arg value="512" />
    </beans:bean>

    <authentication-provider user-service-ref="myUserDetailsService">
        <password-encoder base64="true" ref="shaPasswordEncoder"></password-encoder>
    </authentication-provider>
    IMO, this is how Spring interprets it: "Apply SHA-512 hashing and then Base64 encoding to the entered password". Am I correct?

    I looked into the actual code base,

    ShaPasswordEncoder

    Code:
    public ShaPasswordEncoder(int strength) {
        super("SHA-" + strength);
    }
    It calls the super constructor, MessageDigestPasswordEncoder

    Code:
    public MessageDigestPasswordEncoder(String algorithm) {
        this(algorithm, false);
    }
    It calls the two-argument constructor,
    Code:
    public MessageDigestPasswordEncoder(String algorithm, boolean encodeHashAsBase64) throws IllegalArgumentException {
        this.algorithm = algorithm;
        setEncodeHashAsBase64(encodeHashAsBase64);
        // Validity check
        getMessageDigest();
    }
    This means it will always set Base64 as false. Am I correct?

  • #2
    If you are configuring an external PasswordEncoder bean (and pointing to it using the "ref" attribute), then you have to configure that bean to use base64 yourself by setting the property "encodeHashAsBase64".

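The configuration from the first post with the change reply #2 describes, as an added example that is not part of the original thread. It reuses the bean ids and class from the post and the "encodeHashAsBase64" property named in the reply; leaving the base64 attribute off the element is a choice made here, since the reply says the referenced bean has to be configured itself.

```xml
<!-- Encoder bean: SHA-512, with Base64 output set on the bean itself -->
<beans:bean id="shaPasswordEncoder" class="org.springframework.security.providers.encoding.ShaPasswordEncoder">
    <beans:constructor-arg value="512" />
    <!-- The one-argument constructor chain passes false for encodeHashAsBase64,
         so the property has to be set explicitly to get Base64 output -->
    <beans:property name="encodeHashAsBase64" value="true" />
</beans:bean>

<authentication-provider user-service-ref="myUserDetailsService">
    <!-- With ref, the encoding is whatever the referenced bean is configured to produce -->
    <password-encoder ref="shaPasswordEncoder" />
</authentication-provider>
```

Hashes already stored by the user service must use the same encoding as the encoder: a SHA-512 digest is 128 characters as hex and 88 characters as Base64, so a mismatch makes every password comparison fail.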