SEC-1319: JdbcUserDetailsManager does not use <password-encoder> when storing new users #1563

spring-issuemaster opened this Issue Dec 7, 2009 · 4 comments



Mikael Berglund (Migrated from SEC-1319) said:

The JdbcUserDetailsManager does not use the specified in the configuration of the when storing new users.

This can be circumvented by defining an encoder that corresponds to the "hash" attribute and manually encoding the password when storing a new user.


String encodedPassword = passwordEncoder.encodePassword(person.getPassword(), null);


Luke Taylor said:

I don't really understand what you're saying. JdbcUserDetailsManager is not really connected with or . If you configure an instance it won't automatically know that it should use any of the beans created by the namespace configuration. Could you explain in more detail please, with an example configuration?


Mikael Berglund said:

I think you got it. I thought that JdbcUserDetailsManager was connected to the configuration of since it seems as if one is instantiated automatically with a . The is using the when reading, so the natural thing for me was that the JdbcUserDetailsManager also used the .

Thanks for the comment, I believe that this issue may be closed.


Luke Taylor said:

Yes, the password encoder is actually used by the DaoAuthenticationProvider (which is created behind the element).

The UserDetailsService (JDBCDaoImpl) just loads the data as it is found in the database. JdbcUserDetailsManager is an extended version of that, which allows create, update and delete operations, but it doesn't do any password encoding of the supplied UserDetails object.
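One way to close the gap described above is sketched here as an added example; it is not code from the thread or from Spring Security. `EncodingUserDetailsManager` is a hypothetical wrapper that hashes the password before delegating the write to a `UserDetailsManager` such as `JdbcUserDetailsManager`. It assumes Spring Security 5 or later and the `org.springframework.security.crypto.password.PasswordEncoder` interface, not the legacy `encodePassword(raw, salt)` call quoted in the issue.

```java
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.UserDetailsManager;

/** Hypothetical decorator (not a Spring Security class): encodes passwords on write. */
public class EncodingUserDetailsManager implements UserDetailsManager {

    private final UserDetailsManager delegate; // e.g. a JdbcUserDetailsManager
    private final PasswordEncoder encoder;     // must be the encoder the DaoAuthenticationProvider checks with

    public EncodingUserDetailsManager(UserDetailsManager delegate, PasswordEncoder encoder) {
        this.delegate = delegate;
        this.encoder = encoder;
    }

    /** Expects a raw password in {@code user}; the stored value is its hash. */
    @Override
    public void createUser(UserDetails user) {
        UserDetails hashed = User.withUserDetails(user)
                .password(encoder.encode(user.getPassword()))
                .build();
        delegate.createUser(hashed);
    }

    /** The delegate receives the raw old password for its own checks and the hashed new one to store. */
    @Override
    public void changePassword(String oldPassword, String newPassword) {
        delegate.changePassword(oldPassword, encoder.encode(newPassword));
    }

    /**
     * Passed through unchanged: callers typically hand back a UserDetails loaded from
     * the store, whose password is already a hash. Encoding it again would lock the
     * user out. Route password changes through changePassword instead.
     */
    @Override
    public void updateUser(UserDetails user) {
        delegate.updateUser(user);
    }

    @Override
    public void deleteUser(String username) { delegate.deleteUser(username); }

    @Override
    public boolean userExists(String username) { return delegate.userExists(username); }

    @Override
    public UserDetails loadUserByUsername(String username) {
        return delegate.loadUserByUsername(username); // returns the stored hash as-is
    }
}
```

The wrapper only helps if the same `PasswordEncoder` bean is also configured on the authentication provider; a mismatch stores hashes that no login can verify.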


Mauro Molinari said:

However the current behaviour of JdbcUserDetailsManager is inconsistent when data is written. I opened SEC-2806 with a more specific example for this.

@spring-issuemaster spring-issuemaster added this to the 3.0.0.RC2 milestone Feb 5, 2016