java - How to use new PasswordEncoder from Spring Security

Question

As of Spring Security 3.1.4.RELEASE, the old org.springframework.security.authentication.encoding.PasswordEncoder has been deprecated in favour of org.springframework.security.crypto.password.PasswordEncoder. As my application has not been released to the public yet, I decided to move to the new, not deprecated API.

Until now, I had a ReflectionSaltSource that automatically used the user's registration date as per-user salt for password.

String encodedPassword = passwordEncoder.encodePassword(rawPassword, saltSource.getSalt(user));

During login process, Spring also used my beans to appropriate verify if the user can or can not sign in. I can't achieve this in the new password encoder, because the default implementation of SHA-1 - StandardPasswordEncoder has only ability to add a global secret salt during the encoder creation.

Is there any reasonable method of how to set it up with the non-deprecated API?

Answer 1

If you haven't actually registered any users with your existing format then you would be best to switch to using the BCrypt password encoder instead.

It's a lot less hassle, as you don't have to worry about salt at all - the details are completely encapsulated within the encoder. Using BCrypt is stronger than using a plain hash algorithm and it's also a standard which is compatible with applications using other languages.

There's really no reason to choose any of the other options for a new application.