Simple Spring Security Webapp with password encoding:
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="personService">
<security:password-encoder hash="md5" ref="passwordEncoder">
</security:password-encoder>
</security:authentication-provider>
</security:authentication-manager>
Coding is also simple:
person.setPassword(encoder.encodePassword(person.getPassword(), null));
So, in the database all passwords will be encoded. Now I want to authenticate some user with a specific username in the application. Before (when passwords were stored in the clear) it was like this:
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
username, password);
Authentication authentication = authenticationManager.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(authentication);
But now I get the encoded password from the database and cannot authenticate as before.
The problem is that Spring doesn't know that the password coming in the UsernamePasswordAuthenticationToken is already encoded, so it encodes it a second time. Who can help?
Edit
So, I see two solutions here:
- implement a custom DaoAuthenticationProvider that checks whether both passwords are already hashed
- .
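Added example (not part of the question above, and not an answer posted on the page): the two programmatic log-in paths that work once the database holds only the MD5 hash. It assumes Spring Security 3.x, the personService UserDetailsService and the passwordEncoder bean declared in the question's XML, and the class and method names (ProgrammaticLogin, loginWithRawPassword, loginWithoutPassword) are hypothetical. The point it shows: the token handed to the AuthenticationManager must carry the raw password, because DaoAuthenticationProvider hashes the presented credential itself before comparing it with the stored hash; when only the hash is available, the AuthenticationManager is bypassed entirely rather than taught to accept hashes, since a provider that accepts the stored hash turns every database read into a valid credential. Unsalted MD5 is also a weak choice for stored passwords; later Spring Security releases deprecate Md5PasswordEncoder in favour of the org.springframework.security.crypto encoders.

```java
// Added example, not code from the question. Assumes Spring Security 3.x and the
// personService (UserDetailsService) and passwordEncoder (Md5PasswordEncoder, no salt)
// beans from the question's XML; the class and method names are hypothetical.
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

public class ProgrammaticLogin {

    private final AuthenticationManager authenticationManager;
    private final UserDetailsService personService; // the user-service-ref from the XML
    private final Md5PasswordEncoder encoder;       // the passwordEncoder bean (hash="md5")

    public ProgrammaticLogin(AuthenticationManager authenticationManager,
                             UserDetailsService personService,
                             Md5PasswordEncoder encoder) {
        this.authenticationManager = authenticationManager;
        this.personService = personService;
        this.encoder = encoder;
    }

    /** Registration: hash exactly once and store the result; never re-encode a stored hash. */
    public String hashForStorage(String rawPassword) {
        // null salt, matching person.setPassword(encoder.encodePassword(..., null)) in the question
        return encoder.encodePassword(rawPassword, null);
    }

    /**
     * Case 1: the raw password is still in hand (the user just registered or submitted
     * a login form). Put the RAW password in the token. DaoAuthenticationProvider calls
     * encoder.isPasswordValid(storedHash, presentedPassword, salt), i.e. it hashes the
     * presented value itself. Passing the stored hash here is what produces the
     * "encoded a second time" mismatch described in the question.
     */
    public Authentication loginWithRawPassword(String username, String rawPassword) {
        UsernamePasswordAuthenticationToken request =
                new UsernamePasswordAuthenticationToken(username, rawPassword);
        // Throws AuthenticationException (e.g. BadCredentialsException) on failure.
        Authentication result = authenticationManager.authenticate(request);
        SecurityContextHolder.getContext().setAuthentication(result);
        return result;
    }

    /**
     * Case 2: only the stored hash is available (for example an admin "act as this
     * user" feature). Do not push the hash through the AuthenticationManager and do
     * not write a provider that accepts hashes: that makes the hash a password
     * equivalent, so anyone who can read the database can log in with it. Load the
     * account and build an already-authenticated token directly instead. This path
     * performs NO credential check, so it must only be reachable from code that has
     * already authorized the caller to assume this identity (e.g. an admin-only
     * controller guarded by @PreAuthorize("hasRole('ROLE_ADMIN')")).
     */
    public Authentication loginWithoutPassword(String username) {
        UserDetails user = personService.loadUserByUsername(username); // UsernameNotFoundException if absent
        if (!user.isEnabled() || !user.isAccountNonLocked()) {
            throw new IllegalStateException("account is disabled or locked: " + username);
        }
        // The three-argument constructor marks the token as authenticated; credentials
        // are left null so the hash never travels inside the security context.
        UsernamePasswordAuthenticationToken authenticated =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(authenticated);
        return authenticated;
    }
}
```

Use loginWithRawPassword wherever the plaintext password is actually present (registration, login form); reserve loginWithoutPassword for impersonation-style flows, and put the authorization check in front of it rather than inside it, so the method cannot be reused as a generic password bypass.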