3

I'm trying to set up Spring Security 3 to authenticate users against my Hibernate 3 database. I'm storing only SHA-1 hashes of the passwords in the database (not plaintext).

I've looked at this and this, which tell me to implement my own UserDetailsService. Unfortunately, the UserDetails that loadUserByUsername spits out seem to need the plaintext password, which I don't have.

How is this usually handled? Can Spring Security actually do what I need here? Am I missing something?

2 Answers

3

When you set up a UserDetailsService, Spring uses that to load users and then compares them against the login information. That means it compares the passwords. However, you can configure a password encoder: Doc: Adding a Password Encoder

Or you simply write your own AuthenticationManager or AuthenticationProvider which loads the user and decides if the user has logged in successfully. Just implement the AuthenticationProvider interface and set up the config:

<authentication-manager>
  <authentication-provider ref="myAuthenticationProvider"/>
</authentication-manager>

<bean id="myAuthenticationProvider"
  class="stackoverflow.SuperduperMegaAuthenticationProvider">
</bean>
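
As an added example (not part of the original answer, and not Spring's own code): an `AuthenticationProvider` for the bean declared above that hashes the submitted password with SHA-1 and compares the result to the stored hash. It assumes Spring Security 3.x on the classpath, unsalted lowercase-hex SHA-1 hashes of the UTF-8 password in the database, and a hypothetical `userDetailsService` property wired into the bean definition.

```java
package stackoverflow;

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.*;

public class SuperduperMegaAuthenticationProvider implements AuthenticationProvider {
    private UserDetailsService userDetailsService; // assumption: injected via <property>
    public void setUserDetailsService(UserDetailsService uds) { this.userDetailsService = uds; }

    @Override
    public Authentication authenticate(Authentication auth) {
        String raw = auth.getCredentials() == null ? "" : auth.getCredentials().toString();
        UserDetails user;
        try {
            user = userDetailsService.loadUserByUsername(auth.getName());
        } catch (UsernameNotFoundException e) {
            throw new BadCredentialsException("Bad credentials"); // same message as a wrong password
        }
        if (!user.isEnabled()) throw new DisabledException("Account is disabled");
        // getPassword() holds the stored hash; hash the submitted password and compare the two.
        byte[] stored = user.getPassword().getBytes(StandardCharsets.US_ASCII);
        byte[] submitted = sha1Hex(raw).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(stored, submitted)) {
            throw new BadCredentialsException("Bad credentials");
        }
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    // Lowercase hex SHA-1 of the UTF-8 bytes, zero-padded to 40 characters.
    static String sha1Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8));
            return String.format("%040x", new BigInteger(1, d));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-1 is a required JDK algorithm
        }
    }
}
```

Because this replaces `DaoAuthenticationProvider`, any account-status checks beyond `isEnabled()` (locked, expired) have to be added here as well.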

2

Normally the UserDetails contain a hashed password and you just need to configure Spring Security to use the correct password encoder to authenticate with it.

 <password-encoder hash="md5"/>

Look for the above password-encoder line in Stack Overflow answer @ Spring Security 3 database authentication with Hibernate.

In your case you should replace this line with:

<password-encoder hash="sha"/>
