If you are choosing a hashing system yourself, rather than building an app using an existing database which already contains hashed passwords, then you should make sure your hashing algorithm also uses a salt. Don't just use a plain digest.
A good choice is bcrypt, which we now support directly in Spring Security 3.1 via the BCryptPasswordEncoder (implemented using jBCrypt). It automatically generates a random salt and stores it together with the hash value in a single String, so you do not need a separate salt column.
Some databases have built-in support for hashing (e.g. Postgres). Otherwise, you need to hash the password yourself before passing it to JDBC:
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

String password = "plaintextPassword";
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
// The returned String contains the bcrypt version, cost, salt and hash; store it as-is.
String hashedPassword = passwordEncoder.encode(password);
That's all you need to do to encode the passwords when you create a user.
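As an added example (not part of the original answer), the following class shows what "salt concatenated with the hash in a single String" means in practice: encoding the same password twice yields two different 60-character strings, and matches() verifies a login attempt against either of them because the salt and cost are read back out of the stored value. The class name, the sample password and the expected "$2a$10$" prefix (the default strength of 10) are assumptions.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BCryptSaltDemo {
    // Strength 10 (2^10 rounds) is the BCryptPasswordEncoder default.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Hash a password as you would when creating a user; store the result unchanged.
    public static String hashForStorage(String plaintext) {
        return ENCODER.encode(plaintext);
    }

    // Verify a login attempt against the stored value. bcrypt parses the cost and
    // salt out of the stored string, so no separate salt is kept anywhere.
    public static boolean verify(String plaintext, String storedHash) {
        return ENCODER.matches(plaintext, storedHash);
    }

    public static void main(String[] args) {
        String plaintext = "correct horse battery staple"; // constructed sample password
        String first = hashForStorage(plaintext);
        String second = hashForStorage(plaintext);

        // Same password, two different strings: each carries its own random salt.
        System.out.println(first);
        System.out.println(second);
        System.out.println("hashes differ: " + !first.equals(second));

        // Layout is $2a$<cost>$<22-char salt><31-char hash>, 60 characters in total.
        System.out.println("length 60:     " + (first.length() == 60));
        System.out.println("cost prefix:   " + first.substring(0, 7)); // "$2a$10$"

        // Both stored values verify the original password; a wrong one fails on both.
        System.out.println("first matches:  " + verify(plaintext, first));
        System.out.println("second matches: " + verify(plaintext, second));
        System.out.println("wrong password: " + verify("Correct horse battery staple", first));
    }
}
```

Because the salt lives inside the stored string, a rehash is never needed just to rotate salts, and matches() is the only comparison you should use; comparing encode(candidate) against the stored value with equals() will always fail, since a fresh salt is drawn on every encode() call.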
For authentication, you would use something like:
<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<bean id="authProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="yourJdbcUserService" />
    <property name="passwordEncoder" ref="encoder" />
</bean>
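The same wiring expressed in plain Java, as an added example that is not from the original answer: a DaoAuthenticationProvider is given a UserDetailsService and the BCryptPasswordEncoder, and it calls matches() itself during authenticate(). An InMemoryUserDetailsManager stands in for the JDBC-backed "yourJdbcUserService" bean so the class runs without a database; the class name, the user "alice" and her password are constructed for the example, and the API shape assumed is Spring Security 3.1 or later.

```java
import java.util.Arrays;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class BCryptAuthProviderDemo {

    // Programmatic equivalent of the <bean id="authProvider"> definition above.
    public static DaoAuthenticationProvider buildProvider(UserDetailsService users,
                                                          PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);   // ref="yourJdbcUserService"
        provider.setPasswordEncoder(encoder);    // ref="encoder"
        return provider;
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Stand-in for the JDBC user service: only the bcrypt string is stored,
        // exactly as it would be in the users table.
        UserDetails alice = new User("alice", encoder.encode("s3cret-example"),
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        UserDetailsService users = new InMemoryUserDetailsManager(Arrays.asList(alice));

        DaoAuthenticationProvider provider = buildProvider(users, encoder);

        // Correct password: the provider loads alice, runs encoder.matches(), succeeds.
        Authentication ok = provider.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "s3cret-example"));
        System.out.println("authenticated: " + ok.isAuthenticated());

        // Wrong password: matches() returns false and the provider throws.
        try {
            provider.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
            System.out.println("unexpected: wrong password accepted");
        } catch (BadCredentialsException e) {
            System.out.println("rejected wrong password: " + e.getMessage());
        }
    }
}
```

The point to take from this is that the encoder configured on the provider must be the same algorithm that produced the stored values; if the users table holds bcrypt strings but the provider is left with a plain digest encoder (or none), every login fails, which is the usual symptom of a mismatched encoder bean.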