Is bcrypt correctly implemented?
I found this post on the Apache Shiro mailing list, which states that jBCrypt (which is where Spring Security's bcrypt implementation came from) is not correctly implemented:
I've read the Niels/Provos paper and viewed the jBCrypt source and noticed that the code does not match the math. (I can't remember off of the top of my head but I believe the Feistel transformation function was incorrect).
Has anyone actually verified the bcrypt implementation?
Simplicity is prerequisite for reliability. — Edsger W. Dijkstra