Jakub Pilimon
Jakub Pilimon

Reputation: 141

Spring Security: password don't match with stored one

I have a problem with password hashing. I want to appply sha-256 with salt and 1024 iterations to authenticate my users using Spring Security. But somehow, my password in database dont match those from user input.

Here is my code:


    class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" >
    <beans:constructor-arg value="256" />
        value="1024" />

<beans:bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource">
    <beans:property name="userPropertyToUse" value="id"/>

    <authentication-provider user-service-ref="userLoginDetails" >
        <password-encoder ref="passwordEncoder" >
             <salt-source ref="saltSource"/>


@Transactional(readOnly = true)
public class UserLoginDetails implements UserDetailsService {

private EregDaoFactory daoFactory;

public void setDaoFactory(EregDaoFactory daoFactory) {
    this.daoFactory = daoFactory;

 * Retrieves a user record containing the user's credentials and access.
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException,
        DataAccessException {
    Logger logger = Logger.getLogger(getClass());

    int userId = Integer.parseInt(username);

    UzytkownikDao dao = daoFactory.getUzytkownikDao();

    LoggedUser user = null;
    Uzytkownik dbUser = null;

    try {

        dbUser = (Uzytkownik) dao.findById(Integer.parseInt(username));
        List<SimpleGrantedAuthority> grants = new ArrayList<SimpleGrantedAuthority>();
        Collection<Object> userNames = new ArrayList<Object>();

        if (dbUser.getRola() == 'U') {
            grants.add(new SimpleGrantedAuthority("ROLE_STUDENT"));
            userNames = daoFactory.getUczenDao().getNameAndLastName(userId);

        } else if (dbUser.getRola() == 'N') {
            grants.add(new SimpleGrantedAuthority("ROLE_TEACHER"));
            userNames = daoFactory.getNauczycielDao().getNameAndLastName(userId);
        } else if (dbUser.getRola() == 'O') {
            grants.add(new SimpleGrantedAuthority("ROLE_PARENT"));
            userNames = daoFactory.getOpiekunDao().getNameAndLastName(userId);
        grants.add(new SimpleGrantedAuthority("ROLE_USER"));

        Object[] names = userNames.toArray();
        user =
                new LoggedUser(username, dbUser.getHaslo(), true, true, true, true, grants,
                        (String) names[0], (String) names[1], dbUser.getRola());
    } catch (Exception e) {
        throw new UsernameNotFoundException("Error in retrieving user");


    return user;




    package ereg.security.userdetails;

public class LoggedUser extends User {

private static final long serialVersionUID = 1L;
private final String id;
private final String imie;
private final String nazwisko;
private final char rola;
private Date lastSuccessfulLogin;
private String lastKnowIpAddress;

public LoggedUser(String username, String password, boolean enabled, boolean accountNonExpired,
        boolean credentialsNonExpired, boolean accountNonLocked,
        Collection<? extends GrantedAuthority> authorities, String name, String lastName, char rola) {
    super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked,
    this.imie = name;
    this.nazwisko = lastName;
    this.rola = rola;
    this.id = username;

public String getId() {
    return id;

public String getImie() {
    return imie;

public String getNazwisko() {
    return nazwisko;

public char getRola() {
    return rola;

public Date getLastSuccessfulLogin() {
    return lastSuccessfulLogin;

public String getFormattedDate() {
    if (lastSuccessfulLogin != null) {
        return new SimpleDateFormat("dd/MM/yyyy, HH:mm:ss").format(lastSuccessfulLogin);
    } else
        return null;

public String getLastKnowIpAddress() {
    return lastKnowIpAddress;

public void setLastSuccessfulLogin(Date lastSuccessfulLogin) {
    this.lastSuccessfulLogin = lastSuccessfulLogin;

public void setLastKnowIpAddress(String lastKnowIpAddress) {
    this.lastKnowIpAddress = lastKnowIpAddress;


And here is the program that hashes passwords:


private void encryptPasswords() throws Exception {
    OneWayEncryptor encryptor = OneWayEncryptor.getInstance();

    appContext =
            new FileSystemXmlApplicationContext(

    ds = (DataSource) appContext.getBean("dataSource");
    JdbcTemplate jdbc = new JdbcTemplate(ds);
    BigDecimal userId = null;
    String password = "";
    String encrypted = "";

    Map<?, ?> row = new HashMap<Object, Object>();

    for (Iterator<?> it = jdbc.queryForList("SELECT id, haslo FROM UZYTKOWNIK").iterator(); it.hasNext();) {
        row = (Map<?, ?>) it.next();

        userId = (BigDecimal) row.get("ID");
        password = (String) row.get("HASLO");
        encrypted = encryptor.encrypt(password, userId.toString());


        jdbc.execute("UPDATE UZYTKOWNIK SET haslo = '" + encrypted + "'  WHERE id = " + userId);


public static void main(String[] args) {

    EncryptAllUserPasswords encrypt = new EncryptAllUserPasswords();
    try {
    } catch (Exception e) {



public final class OneWayEncryptor {
private static final OneWayEncryptor INSTANCE = new OneWayEncryptor();

private static final int ITERATIONS = 1024;
private static final String ALGORITHM = "SHA-256";

private OneWayEncryptor() {

public static OneWayEncryptor getInstance() {
    return INSTANCE;


public String encrypt(String plaintext, String salt) throws NoSuchAlgorithmException,
        UnsupportedEncodingException {
    MessageDigest messageDigest = MessageDigest.getInstance(ALGORITHM);


    byte[] btPass = messageDigest.digest(plaintext.getBytes("UTF-8"));
    for (int i = 0; i < ITERATIONS; i++) {
        btPass = messageDigest.digest(btPass);

    String encodedPassword = byteToBase64(btPass);

    return encodedPassword;

private String byteToBase64(byte[] bt) throws UnsupportedEncodingException {

    return new String(Base64.encodeBase64(bt));



I believe that problem lies in the last one... Please help

Upvotes: 2

Views: 1572

Answers (1)

Jakub Pilimon
Jakub Pilimon

Reputation: 141

actually, this worked:

public String encrypt(String plaintext, String salt) throws NoSuchAlgorithmException,
        UnsupportedEncodingException {
    String pass = plaintext + "{" + salt + "}";
    MessageDigest messageDigest = MessageDigest.getInstance(ALGORITHM);

    byte[] btPass = messageDigest.digest(pass.getBytes("UTF-8"));

    for (int i = 0; i < ITERATIONS - 1; i++) {
        btPass = messageDigest.digest(btPass);

    String hashedPass = new BigInteger(1, btPass).toString(16);
    if (hashedPass.length() < 32) {
        hashedPass = "0" + hashedPass;

    return hashedPass;

can someone tell my why? I mean why when i tried using update(salt) method it didint and when i switch to concate string it did. and i dont mind part with "{salt}", cause that only allows me to generate exactly the same hash as spring does. the thing is that before it generated wrong hash even with given salt. I checked it with sha256 generators. Can someone tell me why it started working after string concatating?

Upvotes: 2

Related Questions