I would like to add salt like:

PasswordEncoder encoder = new ShaPasswordEncoder();
userDetails.setPassword(encoder.encodePassword(userDetails.getPassword(), saltSource.getSalt(userDetails)));

As userDetails is an instance of my custom UserDetail class, I am obliged to cast it to this Spring class: UserDetails, but, as is logically expected, I got at runtime:

java.lang.ClassCastException: model.UserDetails cannot be cast to org.springframework.security.core.userdetails.UserDetails
config:

<beans:bean id="saultSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
    <beans:property name="userPropertyToUse" value="username"/>
</beans:bean>

<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <password-encoder hash="sha">
            <salt-source user-property="username"/>
        </password-encoder>
        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>
</authentication-manager>
How can I configure salt correctly in this case?
ReflectionSaltSource only works with a UserDetails object (I'm assuming that's where you get the class-cast exception?), so you would have to either implement UserDetails or create your own SaltSource implementation which works with your object.
However, I wouldn't use a property of the user as the salt unless you are working with a legacy system which already does this. The username is not a very good salt value. It's much better to use a random salt which is stored with the password. A good example is the BCrypt algorithm. See my answer to this question for an example of using it with Spring Security 3.1. As explained there, BCrypt automatically generates a random salt which it stores in the same string as the hashed password.
Note that there is actually a new PasswordEncoder interface in the Spring Security 3.1 "crypto" package (in org.springframework.security.crypto.password). This doesn't include a salt in the API methods, since it assumes the salt is internally generated (as it is with the BCrypt implementation). The framework will generally accept one of these or the legacy org.springframework.security.authentication.encoding.PasswordEncoder.