How to use Spring StandardPasswordEncoder and Get Salt Generate?

佐手、 submitted on 2019-12-05 06:21:08
MattSenter

I think you are asking how it works? The answer is fairly simple. StandardPasswordEncoder.matches() is the method you want to use. Behind the scenes, StandardPasswordEncoder will decode the hashed password and extract the salt from the resulting byte array. It will then use that salt to hash the plain-text password you passed in. If the resulting hash matches the original hash, your passwords match! Refer to the source for the details behind StandardPasswordEncoder.matches():

```java
public boolean matches(CharSequence rawPassword, String encodedPassword) {
    byte[] digested = decode(encodedPassword);
    byte[] salt = subArray(digested, 0, saltGenerator.getKeyLength());
    return matches(digested, digest(rawPassword, salt));
}
```

You can't decrypt the saved password into human-readable form.

Assume myPassword = "9e7e3a73a40871d4b489adb746c31ace280d28206dded9665bac40eabfe6ffdc32a8c5c416b5878f" is present in the database.

You can do it like this:

```java
StandardPasswordEncoder encoder = new StandardPasswordEncoder("secret");
String result = encoder.encode("myPassword");
```

Now your result is equal to `9e7e3a73a40871d4b489adb746c31ace280d28206dded9665bac40eabfe6ffdc32a8c5c416b5878f`

```java
String passworddb = getPasswordFromDB();
```

passworddb from the database is `9e7e3a73a40871d4b489adb746c31ace280d28206dded9665bac40eabfe6ffdc32a8c5c416b5878f`

```java
// matches(rawPassword, encodedPassword): raw password first, stored hash second
assertTrue(encoder.matches("myPassword", passworddb));
```

then passworddb and result are equal.
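The salt handling that `matches()` performs, as an added example that is not part of either answer or of Spring's source. It assumes `spring-security-crypto` is on the classpath and that the salt is the first 8 bytes of the hex-decoded value; the class name and the `saltOf` helper are hypothetical.

```java
import java.util.Arrays;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.security.crypto.password.StandardPasswordEncoder;

// Added example; class and helper names are hypothetical.
public class StandardPasswordEncoderDemo {

    // Assumption: the encoder's random salt is 8 bytes and prefixes the decoded hash.
    private static final int SALT_BYTES = 8;

    // Hex-decode the stored value and return its salt prefix, the same
    // step matches() performs before re-hashing the raw password.
    static String saltOf(String encodedPassword) {
        byte[] digested = Hex.decode(encodedPassword);
        byte[] salt = Arrays.copyOfRange(digested, 0, SALT_BYTES);
        return new String(Hex.encode(salt));
    }

    public static void main(String[] args) {
        StandardPasswordEncoder encoder = new StandardPasswordEncoder("secret");

        // Two encodings of the same password: each call draws a fresh salt.
        String stored = encoder.encode("myPassword");
        String again = encoder.encode("myPassword");
        System.out.println("stored         : " + stored);
        System.out.println("salt(stored)   : " + saltOf(stored));
        System.out.println("salt(again)    : " + saltOf(again));
        System.out.println("strings equal  : " + stored.equals(again));

        // Verification always goes through matches(rawPassword, encodedPassword),
        // which reuses the salt embedded in the stored value.
        System.out.println("correct pw     : " + encoder.matches("myPassword", stored));
        System.out.println("vs second hash : " + encoder.matches("myPassword", again));
        System.out.println("wrong pw       : " + encoder.matches("MyPassword", stored));

        // Failure mode: a hash passed as the raw password is hashed as plain text.
        System.out.println("hash as raw pw : " + encoder.matches(again, stored));

        // An encoder built with a different secret cannot verify the stored value.
        StandardPasswordEncoder other = new StandardPasswordEncoder("other-secret");
        System.out.println("other secret   : " + other.matches("myPassword", stored));
    }
}
```

`StandardPasswordEncoder` is deprecated in Spring Security 5 and later; `BCryptPasswordEncoder` exposes the same `encode`/`matches` contract for new code.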