Reputation: 2300
I have a Spring app with a simple configuration of Spring Security using bcrypt (default parameters), and the test works fine. However, I want to plan for this application to give the administrator or the user the ability to change their password and select the authentication parameters to be used, such as: 1) bcrypt (BCryptPasswordEncoder) 2) a hash function such as SHA (StandardPasswordEncoder).
So the question is how to change the following class (or the AuthenticationManagerBuilder specifically) in order to reflect that some users could have their password stored as a SHA hash but others as bcrypt, taking into account that the database table already has a column that specifies what kind of hash is being stored in the password column, i.e. bcrypt or sha.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
// SyncAccessDeniedHandler is the application's own class; its package is not shown in the question.

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService iUserDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // .csrf().disable()
            // .headers().disable()
            .headers()
                .contentTypeOptions()
                .xssProtection()
                .cacheControl()
                .httpStrictTransportSecurity()
                .frameOptions()
                // Legacy and standard CSP header names; the policy value must be a complete quoted source expression.
                .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"))
                .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", "script-src 'self'"))
                .addHeaderWriter(new StaticHeadersWriter("X-WebKit-CSP", "default-src 'self'"))
                .and()
            .exceptionHandling()
                .accessDeniedHandler(syncAccessDeniedHandler())
                .and()
            .authorizeRequests()
                .antMatchers("/register",
                        "/static/**",
                        "/h2/**",
                        "/resources/**",
                        "/static/css/**",
                        "/static/img/**",
                        "/static/js/**",
                        "/static/pdf/**",
                        "/resources/static/css/**",
                        "/resources/static/img/**",
                        "/resources/static/js/**",
                        "/resources/static/pdf/**",
                        "/pdf/**",
                        "/css/**",
                        "/js/**",
                        "/img/**"
                ).permitAll()
                .antMatchers("/admin/dashboard/**").hasAnyRole("STUDENT", "ADMIN")
                .antMatchers("/admin/network/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    // A single encoder is registered here; every stored password is assumed to be bcrypt.
    @Autowired
    public void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(iUserDetailsService).passwordEncoder(pwEncoder());
    }

    @Bean
    public BCryptPasswordEncoder pwEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public SyncAccessDeniedHandler syncAccessDeniedHandler() {
        String uri = "/403";
        return new SyncAccessDeniedHandler(uri);
    }
}
Upvotes: 1
Views: 2254
Reputation: 606
Maybe you can use DelegatingPasswordEncoder from Spring 5.0 or extend it to create your own version.
Upvotes: 1
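An added example (not the asker's code and not from the answer) of the DelegatingPasswordEncoder approach applied to the question's schema. It assumes the hash-type column holds the literal values "bcrypt" or "sha", maps those ids to BCryptPasswordEncoder and StandardPasswordEncoder, and goes one step beyond the answer by showing how upgradeEncoding flags SHA rows for re-hashing with bcrypt on the next successful login. The row values below are constructed, and the column name hash_type is an assumption.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;

public class MixedHashDemo {

    // New passwords are written with this id; "sha" exists only so legacy rows still verify.
    static final String DEFAULT_ID = "bcrypt";

    static PasswordEncoder delegatingEncoder() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        encoders.put("sha", new StandardPasswordEncoder()); // deprecated, kept for verification only
        return new DelegatingPasswordEncoder(DEFAULT_ID, encoders);
    }

    // What the UserDetailsService would do with one row of the users table: the hash column
    // plus the hash_type column ("bcrypt" or "sha"). DelegatingPasswordEncoder picks the
    // encoder from an "{id}" prefix, so the prefix is built from hash_type here.
    static UserDetails loadUser(String username, String storedHash, String hashType, String... roles) {
        if (!hashType.equals("bcrypt") && !hashType.equals("sha")) {
            // An unmapped id would make DelegatingPasswordEncoder throw at verification time.
            throw new IllegalStateException("unknown hash_type for user " + username);
        }
        String prefixed = "{" + hashType + "}" + storedHash;
        return User.withUsername(username).password(prefixed).roles(roles).build();
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = delegatingEncoder();

        // Two constructed rows, one per hash type.
        String shaHash = new StandardPasswordEncoder().encode("legacy-pass");
        String bcryptHash = new BCryptPasswordEncoder().encode("new-pass");
        UserDetails legacy = loadUser("alice", shaHash, "sha", "STUDENT");
        UserDetails recent = loadUser("bob", bcryptHash, "bcrypt", "ADMIN");

        System.out.println("alice verifies: " + encoder.matches("legacy-pass", legacy.getPassword()));
        System.out.println("bob verifies:   " + encoder.matches("new-pass", recent.getPassword()));

        // True for the SHA row because its id differs from DEFAULT_ID; a UserDetailsPasswordService
        // can then re-encode with encoder.encode(rawPassword) and set hash_type to "bcrypt".
        System.out.println("alice needs upgrade: " + encoder.upgradeEncoding(legacy.getPassword()));
        System.out.println("bob needs upgrade:   " + encoder.upgradeEncoding(recent.getPassword()));
    }
}
```

Register delegatingEncoder() in place of the BCryptPasswordEncoder bean and have the UserDetailsService prepend the prefix as loadUser does; the hash_type column can be dropped once every row has been upgraded, since the prefix then carries that information.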