Aubergine

Reputation: 6032

Spring security:password-encoder and StandardPasswordEncoder

Say I hash passwords with StandardPasswordEncoder, which uses SHA-256 and 8bit random characters as a salt, and save them to the db (for a registration form, for example).

And then I check it with

    <security:password-encoder hash="sha-256">
    </security:password-encoder>

(for the login form).

Does the latter know that the first encoded it in such a way that the salt is 8 bytes of randomly generated salt? And even if it knows, how will it find out what salt to apply to get the same hash?

Or maybe I am completely off track and the SHA-256 standard already presumes that there should be a strictly 8-bit generated salt inside for hashing?

Thanks,

Upvotes: 1

Views: 5150

Answers (1)

Aubergine

Reputation: 6032

Solved it. I will not go into details, but it is better to use org.springframework.security.authentication.encoding.ShaPasswordEncoder:

    <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <constructor-arg value="256"/>
        <property name="iterations" value="1024"/>
    </bean>

and reference this bean from your security context:

    <security:password-encoder ref="passwordEncoder">
        <security:salt-source user-property="username"/>
    </security:password-encoder>

Upvotes: 1
