I would like to add password salting to a site I am working on, and I discovered that Spring Security 3.1 has some new features to make this very easy to do.
I have a question about the StandardPasswordEncoder class. It operates a little differently than I would expect. It seems simpler to use than coding the salting myself, but I think there's some "magic" going on that I don't understand.
StandardPasswordEncoder seems to randomly salt the hash for me, which is fine. But upon matching the original password to the encoded password... how is it able to match the passwords without knowing what the original salt was in the first place?
It is my understanding that once you make a salt, you can't go back... so if there's a random salt to generate the encoded hash in the first place... how is StandardPasswordEncoder able to match the password at a later point? I am confused. Shouldn't I have to get the salt, persist the salt in the database and then supply the salt? How is it able to do this without me storing and providing the salt value?
Thanks for clearing up the confusion. I hope my question makes sense.
It stores the hashed password concatenated with the salt (see StandardPasswordEncoder.java), so it knows the salt when checking the password.
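To make the mechanism in the answer concrete, here is an added example written for this page; it is not code from Spring Security or from either poster. It is a plain-JDK stand-in that does what StandardPasswordEncoder does with its stored value: `encode()` draws a fresh random salt, digests salt, secret and password with iterated SHA-256, and returns hex(salt || hash); `matches()` slices the salt back out of the first bytes of that stored string, re-digests, and compares. The class name `SaltedHashDemo`, the secret `"site-secret"` and the sample passwords are this example's own; the 8-byte salt, SHA-256 and 1024 rounds are the parameters StandardPasswordEncoder uses, but the code below is not its implementation.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

// Stand-in for StandardPasswordEncoder's storage scheme (example code, not Spring's):
// encode() prepends a fresh random salt to the digest, matches() slices it back out.
public class SaltedHashDemo {
    private static final int SALT_LENGTH = 8;    // StandardPasswordEncoder also uses an 8-byte salt
    private static final int ITERATIONS = 1024;  // and 1024 rounds of SHA-256
    private final byte[] secret;                 // optional site-wide secret, as in the one-arg constructor
    private final SecureRandom random = new SecureRandom();

    public SaltedHashDemo(String secret) {
        this.secret = secret.getBytes(StandardCharsets.UTF_8);
    }

    // Output is hex(salt || hash); nothing about the salt has to be stored separately.
    public String encode(CharSequence rawPassword) {
        byte[] salt = new byte[SALT_LENGTH];
        random.nextBytes(salt);
        return toHex(concat(salt, digest(rawPassword, salt)));
    }

    // The salt is the first SALT_LENGTH bytes of the stored value, so a fresh encoder
    // instance with no state beyond the secret can verify a password encoded earlier.
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        byte[] stored = fromHex(encodedPassword);
        if (stored.length <= SALT_LENGTH) {
            return false;                        // malformed record: refuse rather than throw
        }
        byte[] salt = Arrays.copyOfRange(stored, 0, SALT_LENGTH);
        byte[] expected = Arrays.copyOfRange(stored, SALT_LENGTH, stored.length);
        byte[] actual = digest(rawPassword, salt);
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    // SHA-256 over salt || secret || password, re-hashed ITERATIONS times in total.
    private byte[] digest(CharSequence rawPassword, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] password = rawPassword.toString().getBytes(StandardCharsets.UTF_8);
            byte[] out = md.digest(concat(concat(salt, secret), password));
            for (int i = 1; i < ITERATIONS; i++) {
                out = md.digest(out);   // digest() resets the MessageDigest after each call
            }
            return out;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    private static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    private static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) {
            return new byte[0];                  // odd length cannot be a valid record
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        SaltedHashDemo encoder = new SaltedHashDemo("site-secret");
        String first = encoder.encode("correct horse");
        String second = encoder.encode("correct horse");
        System.out.println("same password, different salts: " + !first.equals(second));
        System.out.println("first matches:                  " + encoder.matches("correct horse", first));
        System.out.println("second matches:                 " + encoder.matches("correct horse", second));
        // A new instance (e.g. after a restart) still verifies, because the salt travels with the hash.
        System.out.println("fresh instance matches:         "
                + new SaltedHashDemo("site-secret").matches("correct horse", first));
        System.out.println("wrong password matches:         " + encoder.matches("battery staple", first));
        System.out.println("malformed record matches:       " + encoder.matches("correct horse", "abc"));
    }
}
```

Running `main` prints `true` for the first four lines and `false` for the last two: encoding the same password twice yields two different strings because each carries its own salt, yet both verify, and so does a brand-new encoder that has never seen the salt, because the salt is read out of the stored value itself. Only the secret passed to the constructor has to be kept outside the database. Two practical points: the comparison uses `MessageDigest.isEqual` rather than `Arrays.equals` so that timing does not leak how many leading bytes of the hash matched, and note that later Spring Security releases deprecate `StandardPasswordEncoder` in favour of adaptive schemes such as BCrypt; the salt-alongside-hash storage idea shown here is the same in those encoders, they just make the digest deliberately slow.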