Hi,

A lot of password-protected websites do not use SSL, so passwords go over the internet unencrypted. Of course, SSL is the best solution to this, but JavaScript cryptography provides some protection. There are a couple of approaches that can be used:

JavaScript Hashing (this one is by me)
http://pajhome.org.uk/crypt/md5/

Secure Remote Password
http://srp.stanford.edu/

Has any consideration been given to adding support for this to Spring Security? I think it would be a good feature. I am coding an add-on to a Python authentication framework, repoze.who, to provide this. I'm not a Java man, so I can't offer to code this, but I can offer advice and guidance.

Best wishes,

Paul