Home/ Questions/Q 7519637
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T01:56:13+00:00

Have simple Spring Security webapp with password encoding: <security:authentication-manager alias=authenticationManager> <security:authentication-provider user-service-ref=personService> <security:password-encoder hash=md5

  • 0

Have simple Spring Security webapp with password encoding:

<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="personService">
     <security:password-encoder hash="md5" ref="passwordEncoder"> 
        <!--  <security:salt-source user-property="username"/> -->
     </security:password-encoder>
 </security:authentication-provider>
</security:authentication-manager>

Encoding also simple:

 person.setPassword(encoder.encodePassword(person.getPassword(), null));

So in DataBase all passwords will be encoded.
Now I want to do authentication of some user with certain username within the apllication.
Before(when passswords was in plaintext) it was like this:

UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                username, password);
Authentication authentication = authenticationManager.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(authentication);

But now I get encoded password from DB and cant do authentication as before.

The problem. that Spring dont know that password cames from UsernamePasswordAuthenticationToken already encoded. And he is encoding it it second time.
Who can help?

Edit

So I see two solutions here:

  1. implement custom DaoAuthenticationProvider where add check if both passwords already hashed
  2. implement custom Authentication and put it in security context manually.

Any others? What is the best?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You haven’t actually said what goes wrong, but the authentication code should be exactly the same as for the non-hashed version.

    If you have a hashed password in the database and the corresponding encoder injected into the authentication provider, the password supplied by the user will be hashed by the encoder before comparing it with the database version.

    Make sure:

    1. You use the unhashed password value when creating the UsernamePasswordAuthenticationToken
    2. The value in the database really is the same as the hash produced by the encoder. Load it yourself and check it in a test. The database might be storing it in upper case, for example.

    Also, you should probably choose something better than plain MD5. You might want to look at bcrypt, for example, which is supported in Spring Security 3.1 and automatically uses a random salt value.

    Update

    Your suggestion of creating a provider which accepts hashed passwords is not a good one. This would allow anyone who steals a password hash to authenticate with it directly (thus defeating the purpose of hashing in the first place).

    Just validate your email URL links, load the information for that user and create an Authentication object for them:

    UserDetails user = ... // load user here
Authentication a = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(a);
    • 0