Do the <security:password-encoder> and <security:salt-source> tag also provide beans?

[Dr.Drane]

Hi all,

As there are these tags
<securityassword-encoder> and <security:salt-source>

Can I also inject them somewhere in my code?

As I'm getting an error trying to inject them somewhere to encrypt my passwords:

"No matching bean of type [org.springframework.security.authentication.encodi ng.PasswordEncoder] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency."

I guess there aren't any beans created somehow...I solved this by creating the beans and using ref values in their security tags. But what use are they if can't get them in my code somewhere for encrypting passwords?

Just for decrypting in-xml hardcoded user details? Why not make them available anyways since they aren't very useful since you will most likely need them in your code to encrypt.

Thanks!

Jochen

[Luke Taylor]

I wouldn't recommend you use a SaltSource unless you have a legacy system which requires a separately stored salt. Use a random salt concatenated with the password, as the LdapShaPasswordEncoder does (or the standard password encoder from the new crypto package in 3.1).

The password-encoder is only really there to inject a bean into the DaoAuthenticationProvider. I would just use a reference as it is more obvious what is going on and the namespace doesn't really save you much.

[Dr.Drane]

Me and my cholesterol want to thank you a lot for the fast reply!

I now just use the
org.springframework.security.crypto.password.Stand ardPasswordEncoder
instead and dropped the salt!

Best wishes,

Jochen

[Luke Taylor]

Hehe. Yes, I've never been a fan of too much salt myself . My blood pressure is high enough.