Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1212: Document salt-source-ref in namespace appendix #1464

spring-issuemaster opened this Issue Jul 30, 2009 · 3 comments


None yet
1 participant

Oliver Gierke (Migrated from SEC-1212) said:

Trying to use password encryption with salts pretty much conflicts with namespace configuration as you can not declare a SaltSource at the authentication-provider element. This forces one to declare the DaoAthenticationProvider as standard Spring bean which is not picked up by an AuthenticationManager created via the namespace. Thus I the standard Spring bean configuration mode bubbles up again.

As salting is a very common task to do in combination with encryption this should kick one out of the namespace config entirely.

Luke Taylor said:

The use of password encoders, with or without a salt source is already supported in the namespace, as is the addition of a custom authentication provider defined as a Spring bean. Either option is available to you so there's no question of you being "kicked out" of using namespace configuration if you want to use salted passwords.

Oliver Gierke said:

Thanks for the fast reply, Luke. I got it working after diving into the docs once again. Apparently the problem was that the configuration of salting is only contained in the "Getting Started" part ( The namespace reference in the appendix is somewhat incomplete regarding the authentication-provider element. So maybe you can rebrand this ticket to either create a link to the section where usage of authentication-provider is explained or simply extend the reference for the element.


Luke Taylor said:

Version 3.0 will require an explicit declaration of the AuthenticationManager in the namespace, using the authentication-manager element, and the the providers will be listed in there (custom-authentication-provider will no longer be supported). See SEC-1196. This overcomes quite a few issues which have resulted as a result of having an internally registered AuthenticationManager. So there will need to be quite a few documentation changes on this front.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment