Spring Security / SEC-1319

JdbcUserDetailsManager does not use <password-encoder> when storing new users

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.0 RC1
    • Fix Version/s: 3.0.0.RC2
    • Component/s: Core
    • Labels: None

      Description

      The JdbcUserDetailsManager does not use the specified <password-encoder> in the configuration of the <authentication-provider> when storing new users.

      This can be circumvented by defining an encoder that corresponds to the "hash" attribute and manually encoding the password when storing a new user.
      E.g.
      <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />

      and

      String encodedPassword = passwordEncoder.encodePassword(person.getPassword(), null);

        Activity

        Luke Taylor added a comment -

        I don't really understand what you're saying. JdbcUserDetailsManager is not really connected with <authentication-provider> or <password-encoder>. If you configure an instance it won't automatically know that it should use any of the beans created by the namespace configuration. Could you explain in more detail please, with an example configuration?

        Mikael Berglund added a comment -

        I think you got it. I thought that JdbcUserDetailsManager was connected to the configuration of <authentication-provider> since it seems as if one is instantiated automatically with a <jdbc-user-service>. The <jdbc-user-service> is using the <password-encoder> when reading, so the natural thing for me was that the JdbcUserDetailsManager also used the <password-encoder>.

        Thanks for the comment, I believe that this issue may be closed.

        Luke Taylor added a comment -

        Yes, the password encoder is actually used by the DaoAuthenticationProvider (which is created behind the <authentication-provider> element).

        The UserDetailsService (JdbcDaoImpl) just loads the data as it is found in the database. JdbcUserDetailsManager is an extended version of that, which allows create, update and delete operations, but it doesn't do any password encoding of the supplied UserDetails object.

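The workaround from the description, applied the way the final comment explains it (the encoder belongs to DaoAuthenticationProvider, so the caller of JdbcUserDetailsManager must hash the password itself), as an added example that is not code from this issue or from Spring Security. It assumes a JdbcUserDetailsManager and the same PasswordEncoder bean that <password-encoder ref="passwordEncoder"/> hands to the provider are injected, and that no salt source is configured (so the salt is null, as in the description); the class name is hypothetical.

```java
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.JdbcUserDetailsManager;

/**
 * Registers users through JdbcUserDetailsManager, hashing the password first.
 * createUser() stores UserDetails.getPassword() verbatim, so the caller must
 * apply the same PasswordEncoder that DaoAuthenticationProvider uses at login
 * (the bean referenced by <password-encoder ref="passwordEncoder"/>).
 * Hypothetical class, not part of Spring Security.
 */
public class EncodingUserRegistrationService {

    private final JdbcUserDetailsManager userDetailsManager;
    private final PasswordEncoder passwordEncoder;

    public EncodingUserRegistrationService(JdbcUserDetailsManager userDetailsManager,
                                           PasswordEncoder passwordEncoder) {
        this.userDetailsManager = userDetailsManager;
        this.passwordEncoder = passwordEncoder;
    }

    /** Creates the user with an encoded password and verifies what was stored. */
    public void register(String username, String rawPassword) {
        if (userDetailsManager.userExists(username)) {
            throw new IllegalArgumentException("user already exists: " + username);
        }
        // Null salt matches a provider configured without a <salt-source>;
        // if the provider uses one, pass the identical salt value here.
        String encoded = passwordEncoder.encodePassword(rawPassword, null);
        UserDetails user = new User(username, encoded,
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        userDetailsManager.createUser(user);

        // Defensive check: the row must hold the hash, never the raw password.
        // The equals() test also catches a misconfigured plaintext encoder,
        // which isPasswordValid() alone would accept.
        UserDetails stored = userDetailsManager.loadUserByUsername(username);
        if (rawPassword.equals(stored.getPassword())
                || !passwordEncoder.isPasswordValid(stored.getPassword(), rawPassword, null)) {
            userDetailsManager.deleteUser(username);
            throw new IllegalStateException(
                    "password for " + username + " was not stored encoded");
        }
    }
}
```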

          People

          • Assignee: Luke Taylor
          • Reporter: Mikael Berglund
