Sep 17th, 2009, 12:12 AM
PasswordDigest authentication on stored MD5 password
I have a Spring web application that uses Acegi-based authentication. The password is stored in the database as an MD5 encrypted password, and I use the DaoAuthenticationProvider and Md5PasswordEncoder password encoder for authentication. It is all fine up to this point.
Now, a few operations of the application are exposed using Spring WS, with the XWS Security Interceptor configured to authenticate using UsernameToken with a PlainText Password (using AcegiPlainTextPasswordValidationCallbackHandler, injecting the same authenticationManager used by the web application).
As 'plain text' passwords are not 'safe', I had to move to PasswordDigest-based authentication.
But AcegiDigestPasswordValidationCallbackHandler supports injection of a UserDetailsService rather than having an Authentication ProviderManager injected.
I understand that this is the way PasswordDigests work, i.e., PasswordDigests validate by creating a SHA-1 hashed password from the user password and comparing it with the user's actual password.
But can someone please help me point out where my mistake is?
Isn't it normal to have passwords stored in the DB as MD5 digests? How do I use PasswordDigest-based Spring-WS authentication against such already-hashed passwords?
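The PasswordDigest validation the question refers to, worked through as an added Python example (not the poster's code and not Spring-WS's own implementation; the user, password, nonce and timestamp are constructed). It shows why a digest callback handler is wired to a UserDetailsService rather than an AuthenticationManager: the server must recompute SHA-1 over nonce, created and the password the client used, so a row holding only the MD5 hash cannot reproduce the client's digest.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_username_token(username: str, password: str,
                         nonce: Optional[bytes] = None, created: Optional[str] = None) -> dict:
    """Client side: the caller knows the cleartext password and hashes it together with a
    fresh nonce and timestamp, so the cleartext itself never travels on the wire."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def validate_digest(token: dict, stored_credential: str) -> bool:
    """Server side, as a digest validation handler does it: recompute the digest from
    whatever credential the user store returns and compare in constant time.
    This can only match when stored_credential is the very secret the client hashed."""
    nonce = base64.b64decode(token["Nonce"])
    expected = password_digest(nonce, token["Created"], stored_credential)
    return hmac.compare_digest(expected, token["PasswordDigest"])


# Constructed sample user; fixed nonce and timestamp keep the outcome reproducible.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "s3cret"
SAMPLE_NONCE = b"0123456789abcdef"
SAMPLE_CREATED = "2009-09-17T00:12:00Z"
STORED_MD5 = hashlib.md5(SAMPLE_PASSWORD.encode("utf-8")).hexdigest()  # what an MD5 encoder would store


def demo() -> tuple:
    """Returns (verified against cleartext, verified against the stored MD5 hash)."""
    token = build_username_token(SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_NONCE, SAMPLE_CREATED)
    with_cleartext = validate_digest(token, SAMPLE_PASSWORD)  # True
    with_md5_row = validate_digest(token, STORED_MD5)         # False: SHA-1 over the hash != SHA-1 over the password
    return with_cleartext, with_md5_row


if __name__ == "__main__":
    print(demo())  # (True, False)
```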