To be replaced with internal code to reduce external dependencies. This Base64 implementation (also used in OWASP ESAPI) would be a good start:
security setup doesn't add commons codec to pom.xml
I've moved commons-codec from core completely and moved it to "test" scope in the web pom.xml. There are now internal Hex and Base64 encoder classes.
This issue has been migrated to https://github.com/spring-projects/spring-security/issues/1524