Thread: Password Encoder SHA Strength

  1. #1
    Join Date
    Aug 2007
    Posts
    28

    Password Encoder SHA Strength

    I am converting from acegi 1.0.6 to SS2, and have a question about specifying the SHA hashing strength.

    Am I still required to define a ShaPasswordEncoder and pass in the strength (in this case, 256) as a constructor-arg?

    This is what I have right now:
    HTML Code:
        <security:authentication-provider>
            <security:jdbc-user-service
                    data-source-ref="dataSource"
                    authorities-by-username-query="select ACCT.login, AUTH.AUTHORITY_NAME FROM T_ACCOUNT ACCT, T_AUTHORITY AUTH WHERE ACCT.login=?"
                    users-by-username-query="select login, hashedpassword as password, enabled from T_ACCOUNT where login = ?"/>
            <security:password-encoder hash="sha">
                <security:salt-source user-property="login" />
            </security:password-encoder>
        </security:authentication-provider>
    Help would be appreciated.

    Jason

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Yes. You'll have to define your own externally. I guess we could support additional hash names like "sha256", "sha512" in future without too much hassle.

  3. #3
    Join Date
    Aug 2007
    Posts
    28

    Okay, you'll have to excuse my ignorance.

    I changed my implementation to this:
    HTML Code:
        <security:authentication-provider>
            <security:jdbc-user-service
                    data-source-ref="dataSource"
                    authorities-by-username-query="select ACCT.login, AUTH.AUTHORITY_NAME FROM T_ACCOUNT ACCT, T_AUTHORITY AUTH WHERE ACCT.login=?"
                    users-by-username-query="select login as username, hashedpassword as password, enabled from T_ACCOUNT where login = ?"/>
        </security:authentication-provider>
    
        <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.ShaPasswordEncoder">
            <constructor-arg value="256" />
        </bean>
    
        <bean id="saltSource" class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
            <!-- UserDetails exposes getUsername(); the name is matched case-sensitively -->
            <property name="userPropertyToUse">
                <value>getUsername</value>
            </property>
        </bean>
    This is my first attempt at using the security namespace, so I don't know how to specify the password encoder and salt source in order to apply it to the jdbc-user-service.

    Can anyone give me a quickie howto on using the passwordEncoder and saltSource beans with the jdbc-user-service?

  4. #4
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Use the "ref" attribute on <password-encoder>:

    http://static.springframework.org/sp...ig.html#d4e226

  5. #5
    Join Date
    Aug 2007
    Posts
    28

    Originally posted by Luke Taylor:
        Use the "ref" attribute on <password-encoder>:

        http://static.springframework.org/sp...ig.html#d4e226

    By default, does it look for the "saltSource" bean?

  6. #6
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    No. Try using

    Code:
    <password-encoder ref='encoderBean'>
        <salt-source user-property='whatever'/>
    </password-encoder>
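
Posts #3 and #6 combined into one application context, as an added example that is not part of the thread or of the Spring Security project: the SHA-256 encoder is an ordinary bean, and the namespace element references it and declares the salt inline. The `dataSource` bean, the schema locations and the `user-property` value `username` are assumptions; the queries are copied from post #3.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- Defined as a plain bean so the strength (256) can be passed to the
         constructor; hash="sha" on the namespace element cannot express it. -->
    <bean id="passwordEncoder"
          class="org.springframework.security.providers.encoding.ShaPasswordEncoder">
        <constructor-arg value="256"/>
    </bean>

    <security:authentication-provider>
        <!-- Queries as posted in #3. The authorities query has no join
             condition between T_ACCOUNT and T_AUTHORITY, so it returns every
             T_AUTHORITY row for any login; add the predicate your schema
             needs before relying on it. "dataSource" is assumed to be
             defined elsewhere in the context. -->
        <security:jdbc-user-service
                data-source-ref="dataSource"
                authorities-by-username-query="select ACCT.login, AUTH.AUTHORITY_NAME FROM T_ACCOUNT ACCT, T_AUTHORITY AUTH WHERE ACCT.login=?"
                users-by-username-query="select login as username, hashedpassword as password, enabled from T_ACCOUNT where login = ?"/>

        <!-- ref replaces hash="sha" and points at the bean above. -->
        <security:password-encoder ref="passwordEncoder">
            <!-- A bean named "saltSource" is not picked up automatically
                 (post #6), so the salt is declared here. "username" is an
                 assumed property name: it must be the value that was used as
                 salt when the stored hashes were created, because the encoder
                 hashes the merged string password{salt}. -->
            <security:salt-source user-property="username"/>
        </security:password-encoder>
    </security:authentication-provider>
</beans>
```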
