I am reading the doc Spring 3.1 security documentation extensively, but I can’t find answers to all my questions.

In a spring web application, based on form login (user + pwd), I want to salt user passwords with SHA-256, using a random salt for each user. This means I have to save the salt and the hashed password in my database for each user. No issue so far.

1. It seems clear that I have to implement my own UserDetailsService to fetch my user information’s from my database and configure it in my spring-security.xml.

2. It seems like I will have to add an extra getSalt() method on top of my implementation of UserDetails to make it available when checking the login provided by the user against the stored hashed password.

Then the situation becomes unclear. I should intercept login requests. From section 6.4.3, it seems like Spring will map the user submitted credentials to an Authentication object and submit it to an AuthenticationManager.

My questions are:

i) What implementation of Authentication will Spring submit to the AuthenticationManager? How do I retrieve the name and password?

ii) It seems like I would have to implement my own AuthenticationManager. At each call of authenticate(...), I would fetch the login name and password, fetch UserDetails from the database. Then, hash the provided pwd with the corresponding salt and compare with the database hashed item. Correct?

iii) The AuthenticationManager API also has a supports(...) method. How should it be implemented?

iv) How should Authentication and AuthenticationManager be configured?