I would like to add a password to the site I'm working on, and I found that Spring Security 3.1 has some new features to make this very easy.
I have a question about the StandardPasswordEncoder class. It works a little differently than I expected. It seems easier to use than salting by hand, but I think there is some kind of "magic" going on that I don't understand.
StandardPasswordEncoder seems to automatically salt the hash for me, which is good. But when matching the original password against the encoded password ... how can it match the passwords without knowing what the original salt was?
In my opinion, once you salt, you cannot go back ... so if a random salt was used to generate the encoded hash in the first place ... how is StandardPasswordEncoder able to match the password at a later stage? I'm confused. Shouldn't I get a salt, save the salt in the database and then supply the salt? How can this be done without preserving and maintaining the salt value?
Thanks for clearing up the confusion. I hope my question makes sense.
egervari
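The "magic" the question asks about is that the salt is not kept anywhere separate: the encoder draws a fresh random salt, hashes it together with the password, and then stores the salt bytes in front of the digest inside the one encoded string it returns. At match time it reads the salt back out of that string, repeats the digest with the candidate password, and compares. The class below is an added, self-contained Java illustration of that scheme written for this page; it is not Spring Security's own code, and although the salt length (8 bytes), the SHA-256 iteration count (1024) and the system-wide secret are modelled on what StandardPasswordEncoder's documentation describes, its output is not claimed to be byte-for-byte compatible with Spring's. The secret string, the sample passwords and the class name are placeholders chosen for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

/**
 * Didactic re-implementation of the "salt lives inside the encoded string" scheme.
 * Stored value layout (hex-encoded): [8 salt bytes][32-byte SHA-256 digest].
 * Not Spring's code; parameters are modelled on StandardPasswordEncoder's docs.
 */
public final class SaltInHashEncoder {
    private static final int SALT_BYTES = 8;
    private static final int HASH_BYTES = 32;
    private static final int ITERATIONS = 1024;

    private final byte[] secret;               // system-wide secret mixed into every digest
    private final SecureRandom random = new SecureRandom();

    public SaltInHashEncoder(String secret) {
        this.secret = secret.getBytes(StandardCharsets.UTF_8);
    }

    /** Draw a fresh random salt, digest, and prepend the salt to the digest. */
    public String encode(CharSequence rawPassword) {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        return toHex(concat(salt, digest(salt, rawPassword)));
    }

    /** Recover the salt from the stored value, re-digest, compare in constant time. */
    public boolean matches(CharSequence rawPassword, String encoded) {
        byte[] stored;
        try {
            stored = fromHex(encoded);
        } catch (IllegalArgumentException e) {
            return false;                      // malformed stored value never matches
        }
        if (stored.length != SALT_BYTES + HASH_BYTES) {
            return false;
        }
        byte[] salt = Arrays.copyOfRange(stored, 0, SALT_BYTES);
        byte[] expected = Arrays.copyOfRange(stored, SALT_BYTES, stored.length);
        return MessageDigest.isEqual(expected, digest(salt, rawPassword));
    }

    /** SHA-256 over salt || secret || password, then re-hashed ITERATIONS-1 more times. */
    private byte[] digest(byte[] salt, CharSequence rawPassword) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] out = md.digest(concat(salt, secret,
                    rawPassword.toString().getBytes(StandardCharsets.UTF_8)));
            for (int i = 1; i < ITERATIONS; i++) {
                out = md.digest(out);          // digest() resets the engine after each call
            }
            return out;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    private static byte[] concat(byte[]... parts) {
        int len = 0;
        for (byte[] p : parts) len += p.length;
        byte[] out = new byte[len];
        int pos = 0;
        for (byte[] p : parts) {
            System.arraycopy(p, 0, out, pos, p.length);
            pos += p.length;
        }
        return out;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    private static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        SaltInHashEncoder enc = new SaltInHashEncoder("app-wide-secret"); // placeholder secret
        String a = enc.encode("correct horse");
        String b = enc.encode("correct horse");
        System.out.println(a);
        System.out.println(b);
        System.out.println("different salts  : " + !a.equals(b));
        System.out.println("both match       : "
                + (enc.matches("correct horse", a) && enc.matches("correct horse", b)));
        System.out.println("wrong pw rejected: " + !enc.matches("incorrect horse", a));
    }
}
```

Running `main` encodes the same password twice and prints two different hex strings (the first 16 hex characters, the salt, differ), yet both strings match the original password and neither matches a wrong one. That is exactly why nothing has to be stored beside the encoded value: the database column holds the salt and the digest together. The comparison goes through `MessageDigest.isEqual` rather than `Arrays.equals` so that a mismatch does not leak, through timing, how many leading bytes were correct.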