
Thread: password salting problem.

  #1

    password salting problem.

    Hi to all.
    I am working on a simple Spring Security example and am now exercising salting passwords in a DB.
    After changing my authentication manager to this style:
    Code:
        <authentication-manager alias="mySimpleAuthenticationManager">
            <authentication-provider ref="dbAuthenticationProvider">
                <jdbc-user-service data-source-ref="dataSource"/>
                <password-encoder ref="passwordEncoder">
                    <salt-source ref="saltSource"/>
                </password-encoder>
            </authentication-provider>
        </authentication-manager>
        <beans:bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" id="passwordEncoder"/>
        <beans:bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource">
            <beans:property name="userPropertyToUse" value="username"/>
        </beans:bean>
    and writing a simple class to change the stored passwords in my persons table like this:
    Code:
    import java.sql.ResultSet;
    import java.sql.SQLException;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.jdbc.core.RowCallbackHandler;
    import org.springframework.jdbc.core.support.JdbcDaoSupport;
    import org.springframework.security.authentication.dao.SaltSource;
    import org.springframework.security.authentication.encoding.PasswordEncoder;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;

    public class DatabasePasswordSecurerBean extends JdbcDaoSupport {
      @Autowired
      private PasswordEncoder passwordEncoder;
      @Autowired
      private SaltSource saltSource;
      @Autowired
      private UserDetailsService userDetailsService;

      // One-off migration: re-encode every plaintext password in the persons table
      // with the same encoder and salt source the authentication provider uses.
      public void secureDatabase() {
        getJdbcTemplate().query("select username, password from persons",
            new RowCallbackHandler() {
              @Override
              public void processRow(ResultSet rs) throws SQLException {
                String username = rs.getString(1);
                String password = rs.getString(2);
                // Load the UserDetails so ReflectionSaltSource can read its username property
                UserDetails user = userDetailsService.loadUserByUsername(username);
                String encodedPassword =
                    passwordEncoder.encodePassword(password, saltSource.getSalt(user));
                getJdbcTemplate().update(
                    "update persons set password = ? where username = ?",
                    encodedPassword, username);
                // logger is inherited from DaoSupport; note that this writes the hash to the log
                logger.debug("Updating password for username: " + username
                    + " to: " + encodedPassword);
              }
            });
      }

      public PasswordEncoder getPasswordEncoder() {
        return passwordEncoder;
      }

      public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
      }

      public SaltSource getSaltSource() {
        return saltSource;
      }

      public void setSaltSource(SaltSource saltSource) {
        this.saltSource = saltSource;
      }

      public UserDetailsService getUserDetailsService() {
        return userDetailsService;
      }

      public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
      }
    }
    My original password changed in the database to this:
    "354e72c1f52f683be6e930a757faed58c3b07386"

    So I understand that my class changed the password in the DB.
    The problem is that when I want to log in to the system with my original password, I can't log in, and it seems the password encoder does not encode my original password to compare it with the encoded password stored in the DB,
    because when I enter my username and "354e72c1f52f683be6e930a757faed58c3b07386" as the password value I can log in to the system?!

  #2 (Join Date: Jan 2008, Posts: 1,826)

    What does the rest of your Spring Security configuration look like? Have you tried enabling logging for Spring Security?
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  #3 (Join Date: Sep 2004, Location: Manchester, NH, Posts: 1,236)

    It sounds like you're confused about how salted / encoded passwords work. When you log in, you aren't supposed to enter the value as it's stored in the database (salted and encoded)! You should be entering the plaintext password, which Spring Security will then salt and encode in order to compare with the value in the database.

    For example, if the password is "password", and the username is "user", the salted password will be "password(user)", and the encoded (let's say, SHA-1) password might be "b89ff48d4ef440e46303b530da1647579ba2643e". All of this is transparent to the user, however - they should just enter "password" when they log in, and everything else happens behind the scenes.
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.
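The flow that post #1 configures and post #3 explains, as an added stand-alone Python re-implementation (this is not code from the thread and not Spring's own code): ShaPasswordEncoder over a ReflectionSaltSource that uses the username. Spring's BasePasswordEncoder merges the raw password and salt as password{salt} before hashing, and with no salt hashes the raw password as-is. The persons table below is constructed sample data; the hash in the thread is not reproduced because its plaintext is unknown.

```python
import hashlib
import hmac

# Re-implementation of Spring Security 3's ShaPasswordEncoder + ReflectionSaltSource
# behaviour for illustration only; not Spring's code.


def merge_password_and_salt(raw_password: str, salt) -> str:
    """Mirror BasePasswordEncoder.mergePasswordAndSalt: append '{salt}' when a salt is given."""
    if salt is None or str(salt) == "":
        return raw_password
    if "{" in str(salt) or "}" in str(salt):
        # Spring rejects braces in the salt for the same reason: they delimit it
        raise ValueError("salt must not contain '{' or '}'")
    return f"{raw_password}{{{salt}}}"


def encode_password(raw_password: str, salt) -> str:
    """SHA-1 of the merged string, hex-encoded, like ShaPasswordEncoder.encodePassword."""
    merged = merge_password_and_salt(raw_password, salt).encode("utf-8")
    return hashlib.sha1(merged).hexdigest()


def is_password_valid(encoded: str, raw_password: str, salt) -> bool:
    """Hash the submitted plaintext with the user's salt and compare in constant time."""
    return hmac.compare_digest(encode_password(raw_password, salt), encoded)


# Constructed sample: what the persons table holds after a secureDatabase()-style
# migration has replaced the plaintext column with salted SHA-1 hashes.
PLAINTEXT_BEFORE_MIGRATION = {"user": "password"}
persons = {
    username: encode_password(plaintext, username)
    for username, plaintext in PLAINTEXT_BEFORE_MIGRATION.items()
}


def login(username: str, submitted: str) -> bool:
    """What the provider does at login: salt = username, re-encode, compare with the row."""
    stored = persons.get(username)
    if stored is None:
        # Hash anyway so an unknown username costs about the same as a known one
        encode_password(submitted, username)
        return False
    return is_password_valid(stored, submitted, username)


def looks_encoded(stored: str) -> bool:
    """Audit check for a migrated row: a SHA-1 hex digest is exactly 40 hex characters."""
    return len(stored) == 40 and all(c in "0123456789abcdef" for c in stored.lower())


if __name__ == "__main__":
    print("plaintext accepted:", login("user", "password"))
    print("stored hash accepted:", login("user", persons["user"]))
    print("all rows encoded:", all(looks_encoded(h) for h in persons.values()))
```

With the encoder actually in the authentication path, `login("user", "password")` succeeds and `login("user", persons["user"])` fails, because the submitted hash is itself salted and hashed again before comparison. If the stored hash is accepted as a password, as in post #1, the provider is comparing raw strings, which is what Rob's question about the rest of the configuration is probing. Two caveats a reviewer would add: the username is a predictable salt and SHA-1 is fast, so this scheme only stops reuse of one rainbow table across users; Spring Security 3.1 added BCryptPasswordEncoder, which generates its own random salt and is the better choice for new systems.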

