
Upgrading Spring Security PasswordEncoder

Upgrading from:

import org.apache.commons.codec.digest.DigestUtils;
import org.springframework.security.authentication.encoding.PasswordEncoder;

    @Override
    public String encodePassword(String plainPassword, Object salt) {
        // Salt is supplied by the caller and prepended to the password before hashing.
        final String finalSalt = salt != null ? salt.toString() : "";
        return DigestUtils.md5Hex(finalSalt + plainPassword);
    }

    @Override
    public boolean isPasswordValid(String encodedPassword, String plainPassword, Object salt) {
        final String enteredPassword = encodePassword(plainPassword, salt);
        return encodedPassword.equals(enteredPassword);
    }

To:

import org.apache.commons.codec.digest.DigestUtils;
import org.springframework.security.crypto.password.PasswordEncoder;

    @Override
    public String encode(CharSequence rawPassword) {
        final String finalSalt = salt != null ? salt.toString() : "";
        return DigestUtils.md5Hex(finalSalt + plainPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        final String enteredPassword = encodePassword(plainPassword, salt);
        return encodedPassword.equals(enteredPassword);
    }

  1. Not sure what to do about salt?
  2. Not sure if I can just convert rawPassword to String to replace plainPassword?

The new methods expect that salt is part of the encoded password. As per the PasswordEncoder.encode() javadoc:

Encode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.

If you look at this answer it shows how BCryptPasswordEncoder encodes salt in the encoded password. The actual BCrypt encoded password format is explained here.
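One way to carry that migration through, added here as an example and not code from the question or the answer: a verify-only encoder in the new crypto package for the legacy salted MD5 hashes, registered in a DelegatingPasswordEncoder whose default for new passwords is bcrypt. It assumes commons-codec DigestUtils, Spring Security 5.1 or later (for upgradeEncoding), and that the stored legacy values have been rewritten once as "{legacy}salt$md5hex" so the old external salt now travels inside the encoded value; that storage convention is mine, not Spring's.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.codec.digest.DigestUtils;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Verifies hashes made by the legacy encodePassword(plain, salt); never creates new ones.
 *  Assumed stored form (my convention): "salt$md5hex", i.e. salt embedded in the value. */
public class LegacySaltedMd5PasswordEncoder implements PasswordEncoder {

    @Override
    public String encode(CharSequence rawPassword) {
        // New passwords must go to the delegating encoder's default (bcrypt), not MD5.
        throw new UnsupportedOperationException("legacy encoder is verify-only");
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        int sep = encodedPassword.indexOf('$');
        if (sep < 0) {
            return false; // malformed: no embedded salt
        }
        String salt = encodedPassword.substring(0, sep);
        String expected = encodedPassword.substring(sep + 1);
        // Same computation as the legacy encodePassword(); CharSequence concatenates fine.
        String actual = DigestUtils.md5Hex(salt + rawPassword);
        // Constant-time comparison instead of String.equals.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public boolean upgradeEncoding(String encodedPassword) {
        // Tell Spring Security to re-hash with the default encoder after a successful login.
        return true;
    }

    /** "{bcrypt}..." for anything new; "{legacy}salt$md5hex" values still verify. */
    public static PasswordEncoder migrationEncoder() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        encoders.put("legacy", new LegacySaltedMd5PasswordEncoder());
        return new DelegatingPasswordEncoder("bcrypt", encoders);
    }
}
```

Re-hashing on login only happens if a UserDetailsPasswordService is configured for the DaoAuthenticationProvider; without it the legacy hashes keep verifying but are never upgraded.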
