How to use salt from database field in Spring Security

Question

I am using spring-security-3.1.0 with spring-framework-3.0.6. For login security check i'm using salt.But having problem in using salt in salt source. if i use beans:property name="userPropertyToUse" value="username" then everything is fine but having problem in <beans:property name="userPropertyToUse" value="lalt"> even tough i have configured all the necessary configuration for "salt". It sowing this message Unable to find salt method on user Object. Does the class 'org.springframework.security.core.userdetails.User' have a method or getter named 'salt' ?

My spring-security.xml looks like this

<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
    <beans:property name="userPropertyToUse" value="salt" />
</beans:bean> 
<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>

<beans:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener" /> 

<authentication-manager>
    <authentication-provider user-service-ref="jdbcUserService">
        <password-encoder ref="passwordEncoder">
            <salt-source ref="saltSource"/>
        </password-encoder> 
    </authentication-provider>
</authentication-manager> 

<beans:bean id="jdbcUserService" class="controllers.CustomJdbcDaoImpl">
    <beans:property name="dataSource" ref="dataSource"/>
    <beans:property name="usersByUsernameQuery">
        <beans:value>SELECT U.userid AS username, 
            U.userpassword as password, 
            'true' AS enabled,
            U.userpasswordsalt AS salt 
            FROM users U WHERE U.userid=?
        </beans:value>
    </beans:property>
    <beans:property name="authoritiesByUsernameQuery">
        <beans:value>SELECT U.userid AS username,
            U.userrole as authority 
            FROM users U 
            WHERE U.userid=?
        </beans:value>
    </beans:property>
</beans:bean> 

My jdbcUserService.java for salt is

public class CustomJdbcDaoImpl extends JdbcDaoImpl {
    @Override
    protected List<UserDetails> loadUsersByUsername(String username) {
        return getJdbcTemplate().query(getUsersByUsernameQuery(),new String[] {username},
            new RowMapper<UserDetails>() {
                public UserDetails mapRow(ResultSet rs, int rowNum)throws SQLException {
                    String username = rs.getString(1);
                    String password = rs.getString(2);
                    boolean enabled = rs.getBoolean(3);
                    String salt = rs.getString(4);
                    System.out.println("CustomJdbcDaoImpl Salt : "+salt);
                    return new SaltedUser(username, password,enabled, true, true, true,AuthorityUtils.NO_AUTHORITIES, salt);
                }
            });
    } 
}

And My SaltedUser.java is

public class SaltedUser extends User{
    private String salt;
    public SaltedUser(String username, String password,boolean enabled,
            boolean accountNonExpired, boolean credentialsNonExpired,
            boolean accountNonLocked, List<GrantedAuthority>authorities, String salt) {
        super(username, password, enabled,accountNonExpired, credentialsNonExpired,accountNonLocked, authorities);
        this.salt = salt;
        System.out.println("SaltedUser Salt : "+salt);
    }

    public String getSalt() {
        return salt;
    }

    public void setSalt(String salt) {
        this.salt = salt;
    }
}

Any one can help me....?

Answer 1

You need to override the createUserDetails method which creates the final UserDetails implementation returned by the class. Take a look at the source for JdbcDaoImpl.

Note that if you aren't building this for a legacy system which already has a password-hashing system already in place, then using something like BCrypt to encode your passwords would be a better and simpler option.