SEC-1018: Allow reference to manually defined SaltSource when using new 2.0 xsd configuration #1267

spring-issuemaster opened this Issue Oct 20, 2008 · 2 comments



Christian Nelson (Migrated from SEC-1018) said:

Here’s a common scenario for all of our webapps…

We configure a password encoder and a salt source (of the user-property) to be used by spring security during authentication. The same password encoder and salt source are used when a user registers with the site. We’ll call the thing that saves the new user record with freshly encoded password the UserService. The nice thing is that one instance of the PE and SS are configured in the application context and used by both Spring Security and the UserService, so there’s no duplication and no chance of the configuration diverging.

When moving to the new Spring Security 2.0 xsd configuration, there’s no way (that I’ve found at least) to define a single PE and SS and have both Spring Security and the UserService use them. You can configure a PE the old fashioned way and make a reference to it in , but there’s no way to do the same for the Salt Source.

Something like this would be great:



Here’s a fragment of the UserService and old-style configuration to complete the picture:

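import java.util.Date;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.providers.dao.SaltSource;
import org.springframework.security.providers.encoding.PasswordEncoder;
import org.springframework.util.Assert;

public class UserService {

    @Autowired SaltSource saltSource;
    @Autowired PasswordEncoder passwordEncoder;
    @Autowired UserDao userDao; // declaration not shown in the original fragment

    public void createUser(User user) {
        Assert.notNull(user, "'user' must not be null.");
        Assert.isNull(user.getId(), "only transient objects may be saved.");

        // Save the user so that they are assigned an id (required for salt generator).
        user.setDateCreated(new Date());
        userDao.makePersistent(user);

        // Encode the user's password.
        String encodedPassword = passwordEncoder.encodePassword(user.getPassword(), saltSource.getSalt(user));
        user.setPassword(encodedPassword);

        // 'User' is live so it's saved when the transaction/session is closed.
    }
}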




And the corresponding PE and SS:

Andrew McCall said:

I agree with Christian, I’ve encountered the exact same thing.

Luke Taylor said:

Ok. I’ve updated the namespace and parsers so that you should now be able to use . Let me know if there are any issues with it.

spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
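The scenario in the opening comment, as an added example that is not part of the original issue or of Spring Security's code: registration and authentication share one encoder and one salt source, and a second, divergent salt source definition makes the same correct password fail. The `SaltSource` and `PasswordEncoder` interfaces here are hypothetical stand-ins for the roles named in the thread, the `password{salt}` merge format is an assumption of this sketch, and the user data is constructed.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SharedEncoderDemo {
    // Hypothetical stand-ins for the two roles discussed in the thread (not Spring's types).
    interface SaltSource { Object getSalt(User user); }
    interface PasswordEncoder { String encodePassword(String rawPass, Object salt) throws Exception; }

    static class User {
        final long id; final String username; String password;
        User(long id, String username, String password) {
            this.id = id; this.username = username; this.password = password;
        }
    }

    // Salted SHA-256 over "password{salt}"; the merge format is an assumption of this sketch.
    static final PasswordEncoder SHA256 = (raw, salt) -> {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest((raw + "{" + salt + "}").getBytes(StandardCharsets.UTF_8));
        return String.format("%064x", new BigInteger(1, digest));
    };

    // Registration path: what a UserService.createUser does with the injected beans.
    static void register(User u, PasswordEncoder pe, SaltSource ss) throws Exception {
        u.password = pe.encodePassword(u.password, ss.getSalt(u));
    }

    // Authentication path: re-encode the presented password, compare in constant time.
    static boolean authenticate(User stored, String presented,
                                PasswordEncoder pe, SaltSource ss) throws Exception {
        byte[] expected = stored.password.getBytes(StandardCharsets.UTF_8);
        byte[] actual = pe.encodePassword(presented, ss.getSalt(stored))
                          .getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        SaltSource byId = u -> u.id;             // the single shared instance
        SaltSource byUsername = u -> u.username; // a second definition that has diverged

        User alice = new User(42L, "alice", "correct horse"); // constructed sample data
        register(alice, SHA256, byId);

        System.out.println("shared salt source:    "
                + authenticate(alice, "correct horse", SHA256, byId));
        System.out.println("divergent salt source: "
                + authenticate(alice, "correct horse", SHA256, byUsername));
    }
}
```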
