Spring Security / SEC-1018

Allow reference to manually defined SaltSource when using new 2.0 xsd configuration

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: Namespace
    • Labels:
      None
    • Environment:
      Windows XP, OS X, Java 5/6

      Description

      Here's a common scenario for all of our webapps...

      We configure a password encoder and a salt source (of the user-property) to be used by Spring Security during authentication. The same password encoder and salt source are used when a user registers with the site. We'll call the thing that saves the new user record with freshly encoded password the UserService. The nice thing is that one instance of the PE and SS are configured in the application context and used by both Spring Security and the UserService, so there's no duplication and no chance of the configuration diverging.

      When moving to the new Spring Security 2.0 xsd configuration, there's no way (that I've found at least) to define a single PE and SS and have both Spring Security and the UserService use them. You can configure a PE the old-fashioned way and make a reference to it in <security:password-encoder ref="..." >, but there's no way to do the same for the Salt Source.

      Something like this would be great:

      <security:authentication-provider user-service-ref="adminUserService">
          <security:password-encoder ref="passwordEncoder">
              <security:salt-source ref="saltSource"/>
          </security:password-encoder>
      </security:authentication-provider>

      Here's a fragment of the UserService and old-style configuration to complete the picture:

      public class UserService {

          @Autowired SaltSource saltSource;
          @Autowired PasswordEncoder passwordEncoder;

          @Transactional
          public void createUser(User user) {
              Assert.notNull(user, "'user' must not be null.");
              Assert.isNull(user.getId(), "only transient objects may be saved.");

              // Save the user so that they are assigned an id (required for salt generator).
              user.setDateCreated(new Date());
              userDao.makePersistent(user);

              // Encode the user's password.
              String encodedPassword = passwordEncoder.encodePassword(user.getPassword(), saltSource.getSalt(user));
              user.setPassword(encodedPassword);

              // 'User' is live so it's saved when the transaction/session is closed.
          }

          //....
      }

      And the corresponding PE and SS:

      <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder">
          <property name="encodeHashAsBase64" value="true"/>
      </bean>

      <bean id="saltSource" class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
          <property name="userPropertyToUse" value="id"/>
      </bean>

        Activity

        Andrew McCall added a comment -

        I agree with Christian, I've encountered the exact same thing.

        Luke Taylor added a comment -

        Ok. I've updated the namespace and parsers so that you should now be able to use <salt-source ref='someBean'/>. Let me know if there are any issues with it.
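
The configuration drift the description wants to rule out, as an added example that is not part of the original issue or Spring Security's own code. `StoredUser`, `SharedCredentialPolicy` and the salt lambdas are hypothetical stand-ins for the beans above, and the `password{salt}` merge format is an assumption made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.function.Function;

// Added illustration, not Spring Security code. StoredUser, SharedCredentialPolicy
// and the salt lambdas are hypothetical stand-ins for the beans on this page.
public class SaltDriftDemo {

    record StoredUser(long id, String username, String passwordHash) {}

    // One object owning both the encoder settings and the salt rule, like the
    // shared passwordEncoder + saltSource beans.
    static final class SharedCredentialPolicy {
        private final Function<StoredUser, Object> saltSource;
        SharedCredentialPolicy(Function<StoredUser, Object> saltSource) {
            this.saltSource = saltSource;
        }
        // MD5 + Base64 only because the page's bean definition uses them.
        // Assumed merge format: password{salt}.
        String encode(String rawPassword, StoredUser user) throws Exception {
            String merged = rawPassword + "{" + saltSource.apply(user) + "}";
            byte[] digest = MessageDigest.getInstance("MD5")
                    .digest(merged.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        }

        boolean matches(String rawPassword, StoredUser user) throws Exception {
            byte[] expected = user.passwordHash().getBytes(StandardCharsets.UTF_8);
            byte[] actual = encode(rawPassword, user).getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(expected, actual); // constant-time compare
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample user; the id is assigned before encoding, as in createUser().
        SharedCredentialPolicy byId = new SharedCredentialPolicy(StoredUser::id);
        StoredUser transientUser = new StoredUser(42L, "alice", null);
        StoredUser saved = new StoredUser(42L, "alice", byId.encode("s3cret", transientUser));

        // Same policy instance on the login path: the stored hash is reproduced.
        System.out.println("shared salt source:   " + byId.matches("s3cret", saved));

        // Drifted copy of the configuration salting by username: the hash no longer matches.
        SharedCredentialPolicy byUsername = new SharedCredentialPolicy(StoredUser::username);
        System.out.println("diverged salt source: " + byUsername.matches("s3cret", saved));
    }
}
```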


          People

          • Assignee:
            Luke Taylor
          • Reporter:
            Christian Nelson
          • Votes:
            1
          • Watchers:
            1
