Share on Google+Share on Google+

Spring Security Password Hashing

In this section, you will learn about Password Hashing in Spring Security.

Spring Security Password Hashing

In this section, you will learn about Password Hashing in Spring Security.

In the Spring Security Authorized Access Using Custom Login Form  example, the password is stored directly using clear text which is susceptible to attack. So, it is advised don't store password directly in plain text, you should hash your passwords before storing them.

Spring Security supports following hashing algorithms :

  • plaintext
  • sha
  • sha-256
  • md5
  • md4


In this example, we will perform password hashing through SHA hashing algorithm.  We will use this hashed password to accomplish the login authentication in Spring Security.

The tools and technologies used in the below example is given below :

  • jdk1.6.0_18

  • apache-tomcat-6.0.29

  • Eclipse 3.5.1

  • Spring 3.0.5.RELEASE

  • Spring Security 3.0.5.RELEASE

  • Jacksum 1.7.0

The project structure and jar file used is given below :

First we will discuss about password hashing :

Password Hashing

For password hashing, we are incorporating  Jacksum 1.7.0, you can download it from here.

After downloading it, execute the below CMD command to generate hash value of the plain text/password ,by using the same folder path where you download it ,as follows :

C:\JackSum>java -jar jacksum.jar -a sha -q "txt:deepak"                

In the above case, my password is deepak, after hashing it converts into d11186354d1ef01ca06ae37d7e23e827da13e85f. Use this hashed password in spring-security.xml as follows :


<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns=""

<http auto-config="true">
<intercept-url pattern="/admin*" access="ROLE_ADMIN" />
<form-login login-page="/login" default-target-url="/admin" authentication-failure-url="/failLogin" />
<logout logout-success-url="/logoff" />

<password-encoder hash="sha" />
<user name="admin" password="d11186354d1ef01ca06ae37d7e23e827da13e85f" authorities="ROLE_ADMIN" />


Rest of the code is given below :



<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="" xmlns="" xmlns:web="" xsi:schemaLocation="" id="WebApp_ID" version="2.5">


<beans xmlns=""

<context:component-scan base-package="net.roseindia" />

<property name="prefix">
<property name="suffix">

<bean id="messageSource"
<property name="basenames">


package net.roseindia;


import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

public class LoginController {
@RequestMapping(value = "/admin", method = RequestMethod.GET)
public String welcomeAdmin(ModelMap model, Principal principal) {
String username = principal.getName();
model.addAttribute("user", username);
model.addAttribute("msg", "Spring Security - ADMIN PAGE");
return "welcome";


@RequestMapping(value = "/login", method = RequestMethod.GET)
public String login(ModelMap model) {

return "login";


@RequestMapping(value = "/failLogin", method = RequestMethod.GET)
public String failedLogin(ModelMap model) {

model.addAttribute("error", "true");
return "login";


@RequestMapping(value = "/logoff", method = RequestMethod.GET)
public String logoff(ModelMap model) {

return "login";

AbstractUserDetailsAuthenticationProvider.badCredentials=Wrong username\ /\ password


<%@ taglib prefix="c" uri=""%>
<title>Login Page</title>
.errorblock {
color: #ff0000;
background-color: #ffEEEE;
border: 3px solid #ff0000;
padding: 8px;
margin: 16px;
<body onload='document.f.j_username.focus();'>
<h3>Login with Username and Password (Custom Page)</h3>

<c:if test="${not empty error}">
<div class="errorblock">
Login error : Please try again.<br />Root Cause:

<form name='f' action="<c:url value='j_spring_security_check' />"

<td><input type='text' name='j_username' value=''>
<td><input type='password' name='j_password' />
<td colspan='2'><input name="submit" type="submit"
value="submit" />
<td colspan='2'><input name="reset" type="reset" />



<%@ taglib prefix="c" uri=""%>
<h3>Username : ${user}</h3> 

<a href="<c:url value="/j_spring_security_logout" />" > Logoff</a>



Call the following URL, to  use the admin section :


You will get the following page :

When you login with the correct login credential(i.e. Username : admin, Password: deepak), you will get the following page :

Download Source Code



Posted on: May 10, 2012 If you enjoyed this post then why not add us on Google+? Add us to your Circles

Share this Tutorial Follow us on Twitter, or add us on Facebook or Google Plus to keep you updated with the recent trends of Java and other open source platforms.