Why does Spring's MessageDigestPasswordEncoder take `{}` into the salt? The example in its javadoc does not seem to work
I'm upgrading from Spring Security 4.x to 5.x.

The `ReflectionSaltSource` from Spring 4 lets us configure a custom salt. But that's removed in Spring Security 5. I then found out that I should use `MessageDigestPasswordEncoder`. It has a long detailed java-doc but unfortunately the doc is a bag of words without conveying any structured information (I tried multiple times; my bad if I was ignorant).

Anyways I thought I should do the following based on my limited understanding.

Old system with 4.x - `myEncodedPassword` and `mySalt` are passed separately to the encoder.

New system with 5.x - Pass one field with the value `{mySalt}myEncodedPassword` to the `MessageDigestPasswordEncoder`

However, that did not work. The problem was that when `MessageDigestPasswordEncoder` sees `{mySalt}encodedPassword`, it uses `{mySalt}` (with the `{}`) as the salt instead of using `mySalt` as the salt. I'm confused.

Here's a coding example. I used Groovy to reduce noise.

```groovy
@Grab(group='org.springframework.security', module='spring-security-core', version='5.1.4.RELEASE')
import org.springframework.security.crypto.password.MessageDigestPasswordEncoder

String password = 'myPassword'
String salt_1 = 'mySalt'
String salt_2 = '{mySalt}'
// http://www.lorem-ipsum.co.uk/hasher.php generated below hashes
String encodedPasswordWithSalt_1 = '57bc828628811a10496215e217b7ae9b714c859fc7a8b1c678c9a0cc40aac422'
String encodedPasswordWithSalt_2 = 'a18b53fc58843def1e08e00a718f40d6f8eda0b97ef97824b5078c1fad93c0c5'

MessageDigestPasswordEncoder encoder = new MessageDigestPasswordEncoder('SHA-256')
println "expected=true, actual=" + encoder.matches(password, "{$salt_1}$encodedPasswordWithSalt_1") // <--- expected to match but did not
println "expected=false, actual=" + encoder.matches(password, "{$salt_1}$encodedPasswordWithSalt_2") // <--- why does this match?
```

The output is

```
expected=true, actual=false
expected=false, actual=true
```

I'm hoping to find a way to support SHA256 with custom and separate salt for each user password.

If anyone's interested, I created a ticket on GitHub - https://github.com/spring-projects/spring-security/issues/6594 . No solution so far. I will update here if there's any. So this is still an unanswered question.

java spring spring-security
asked Mar 6 at 19:49 by phani, edited Mar 11 at 17:16

Asked on github (@phani I saw it's you created, wrote for other answers): github.com/spring-projects/spring-security/issues/6594 – Andrew Sasha, Mar 7 at 9:04

Yep, thanks for commenting. I thought there might be more attention there. – phani, Mar 7 at 18:03

You can create your own password encoder that implements the `org.springframework.security.crypto.password.PasswordEncoder` interface. We did that in our project. Or you can fix the `extractSalt` method in `MessageDigestPasswordEncoder` and push it into the spring-security project :) – Anatoly Samoylenko, 2 days ago

@AnatolySamoylenko yep. Thanks for clarification. – phani, 2 days ago

1 Answer

I guess the issue is in the `org.springframework.security.crypto.password.MessageDigestPasswordEncoder` class.

By debugging it, in the method `private String extractSalt(String prefixEncodedPassword)` they try to extract the salt by returning `prefixEncodedPassword.substring(start, end + 1);` where `start` is the index of the prefix while `end` is the index of the suffix, and it stops at the first suffix it matches. So what happens in your code?

This happens:

```groovy
MessageDigestPasswordEncoder encoder = new MessageDigestPasswordEncoder('SHA-256')
println "expected=true, actual=" + encoder.matches(password, "{$salt_1}$encodedPasswordWithSalt_1") // It's not matched because the extracted salt will be {mySalt} and not mySalt
println "expected=false, actual=" + encoder.matches(password, "{$salt_1}$encodedPasswordWithSalt_2") // It's matched because the extracted salt will be {mySalt} and not mySalt
```

I state I don't know if it's a bug or not; in any case, in your scenario it should be enough to properly investigate and properly modify the method

```java
private String extractSalt(String prefixEncodedPassword) {
    int start = prefixEncodedPassword.indexOf(PREFIX);
    if (start != 0) {
        return "";
    }
    int end = prefixEncodedPassword.indexOf(SUFFIX, start);
    if (end < 0) {
        return "";
    }
    return prefixEncodedPassword.substring(start, end + 1);
}
```

This method is inside the `org.springframework.security.crypto.password.MessageDigestPasswordEncoder` class.

I hope it's useful

Angelo
answered 2 days ago by Angelo Immediata

Thanks for clarification. I feel silly that I had refused to believe it was a bug. As I'm new to `spring-security` and the related topics, I thought I was doing something wrong. – phani, 2 days ago
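
The salt handling discussed in the answer and in the comment about writing your own encoder, as an added stand-alone example (not code from the post or from Spring Security). It assumes the delimiters are `{` and `}` and that the digest is hex SHA-256 over the password followed by the salt; `extractBareSalt`, `matchesBareSalt` and the sample values are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class SaltExtractionDemo {
    // Assumed delimiters of the "{salt}hash" stored format discussed in the post.
    static final String PREFIX = "{";
    static final String SUFFIX = "}";

    // Same logic as the extractSalt method quoted in the answer: because of
    // substring(start, end + 1) the returned salt keeps both delimiters.
    static String extractSaltWithBraces(String stored) {
        int start = stored.indexOf(PREFIX);
        if (start != 0) {
            return "";
        }
        int end = stored.indexOf(SUFFIX, start);
        if (end < 0) {
            return "";
        }
        return stored.substring(start, end + 1);
    }

    // Hypothetical variant for stores whose digests were computed over the bare salt.
    static String extractBareSalt(String stored) {
        String braced = extractSaltWithBraces(stored);
        return braced.isEmpty() ? "" : braced.substring(1, braced.length() - 1);
    }

    // Assumed digest layout: hex(SHA-256(password + salt)).
    static String sha256Hex(String password, String salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] out = md.digest((password + salt).getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(out.length * 2);
            for (byte b : out) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory on every Java platform", e);
        }
    }

    // MessageDigest.isEqual compares without exiting early on the first differing byte.
    static boolean sameValue(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    // Models the behaviour the answer describes: the braces are part of the digested salt.
    static boolean matchesKeepingBraces(String rawPassword, String stored) {
        String salt = extractSaltWithBraces(stored);
        return sameValue(salt + sha256Hex(rawPassword, salt), stored);
    }

    // What the asker expected: the braces only delimit the salt in the stored value.
    static boolean matchesBareSalt(String rawPassword, String stored) {
        String prefix = extractSaltWithBraces(stored);
        return sameValue(prefix + sha256Hex(rawPassword, extractBareSalt(stored)), stored);
    }

    public static void main(String[] args) {
        String password = "myPassword";                         // constructed sample
        String hashOverBare = sha256Hex(password, "mySalt");     // digest of "myPasswordmySalt"
        String hashOverBraced = sha256Hex(password, "{mySalt}"); // digest of "myPassword{mySalt}"

        System.out.println("braces kept, hash over bare salt:   "
                + matchesKeepingBraces(password, "{mySalt}" + hashOverBare));
        System.out.println("braces kept, hash over braced salt: "
                + matchesKeepingBraces(password, "{mySalt}" + hashOverBraced));
        System.out.println("bare salt,   hash over bare salt:   "
                + matchesBareSalt(password, "{mySalt}" + hashOverBare));
        System.out.println("bare salt,   hash over braced salt: "
                + matchesBareSalt(password, "{mySalt}" + hashOverBraced));
    }
}
```

The first two lines reproduce the mismatch and match pattern from the question; the last two show the verification the asker expected. A verifier like this is only suitable for checking existing legacy hashes, since a single round of SHA-256 is fast to brute-force; re-encode with an adaptive encoder such as `BCryptPasswordEncoder` after a successful login.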