'Why us Spring security password (instead of hash) baked into the documentation and code?

Why do Spring Security documentation and implementation rely on password and not password hash?

Isn't it a major security issue, that might cause issues in many products? Thanks.

springspring-securitypassword-protectionpassword-hash


Solution 1:[1]

Your understanding is wrong. The fact that something is called getPassword or the field password doesn't mean it isn't encrypted.

By default passwords are hashed using BCrypt in Spring Security. This is done through the BCryptPasswordEncoder. So what is stored (if anything is stored!) depends on the actual PasswordEncoder in use, next to ofcourse the authentication mechanism in use (for instance if you use X509 this would be empty).

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 M. Deinum

Related Questions

Upload data file as byte array with Feign

Apache Camel: Set body from resource

How to configure log4j in a Spring Mvc application configured with Java Annotations and using a log4j.properties file

SonnarQube's issue: change code to not construct the URL from user-controlled data

How do I produce just one message using Spring Cloud Stream w/o deprecated @Output, or turn off polling?

Error creating bean with name 'entityManagerFactory'

Spel not supported on spring annotation @Scheduled.fixedDelayString

How to run gradle based spring boot application in background using command line in ubuntu?

AuthenticationSuccessEvent never fired

Spring @Value annotation always evaluating as null?

Spring MongoDB query sorting

Map JSON default tag to java variable

Spring Hibernate Jackson Hibernate5Module

Spring JUnit: How to Mock autowired component in autowired component

Flyway Found more than one migration with version