Drew Wings (Migrated from SEC-1912) said:
OpenLDAP stores MD5 hashed passwords with a cipher {MD5}. When the byte array for the hashed password is created, the cipher is included.
However, the PasswordComparisonAuthenticator class does not include the cipher. Line 98 from the 3.0.5 version of the class: byte[] passwordBytes = LdapUtils.getUtf8Bytes(encodedPassword);
Byte array returned from the LDAP server: [123, 77, 68, 53, 125, 54, 71, 86, 107, 104, 113, 55, 89, 84, 106, 121, 55, 119, 75, 102, 75, 55, 82, 116, 109, 107, 63, 62, 62]
Byte array created by PasswordComparisonAuthenticator: [54, 71, 86, 107, 104, 113, 55, 89, 84, 106, 121, 55, 119, 75, 102, 75, 55, 82, 116, 109, 107, 63, 62, 62]
As you can see, the PasswordComparisonAuthenticator byte array is "missing" 5 bytes which correspond to the cipher.
If I add the cipher to the code I get the "correct" byte array: byte[] passwordBytes = LdapUtils.getUtf8Bytes("{MD5}"+encodedPassword);
This should be a configurable option because it is very common for LDAP databases to store the hashed value with a cipher.
Comment From: rwinch
There should not be a need to customize PasswordComparisonAuthenticator, since there is already a strategy for obtaining the encoded password. For this to work you can inject a custom PasswordEncoder that returns {MD5} + encodedPassword.
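An encoder of the kind rwinch describes, written here as an added example; it is not code from the report or from Spring Security itself. It assumes the Spring Security 3.0.x org.springframework.security.authentication.encoding.PasswordEncoder interface (encodePassword / isPasswordValid), which is the type PasswordComparisonAuthenticator.setPasswordEncoder takes in that version, and it assumes the directory holds the RFC 2307 {MD5} form, i.e. "{MD5}" followed by the base64 of the raw 16-byte digest. That is the shape a practitioner should check for before wiring this in: Spring's own Md5PasswordEncoder emits lowercase hex unless setEncodeHashAsBase64(true) is set, so merely prefixing "{MD5}" to a hex digest still produces a compare value the server will reject. The quoted line 98 shows the authenticator building its LDAP compare bytes from encodePassword, so that method is the one that has to return the full stored form; isPasswordValid is implemented for completeness. javax.xml.bind.DatatypeConverter is used for base64 (bundled with JDK 6 through 10); the class name LdapMd5PasswordEncoder is made up for this example.

```java
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.xml.bind.DatatypeConverter;
import org.springframework.security.authentication.encoding.PasswordEncoder;

/**
 * Example (not Spring Security's own code): a PasswordEncoder that produces and checks
 * OpenLDAP-style "{MD5}" + base64(md5(password)) values, so that
 * PasswordComparisonAuthenticator's compare request carries the value as the directory
 * stores it. Assumes the 3.0.x encoding.PasswordEncoder interface and the RFC 2307
 * {MD5} scheme (base64 of the raw digest, not hex).
 */
public class LdapMd5PasswordEncoder implements PasswordEncoder {

    private static final String PREFIX = "{MD5}";

    public String encodePassword(String rawPass, Object salt) {
        // {MD5} is an unsalted scheme, so the salt argument is ignored.
        return PREFIX + DatatypeConverter.printBase64Binary(md5(rawPass));
    }

    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        if (encPass == null || rawPass == null || encPass.length() < PREFIX.length()) {
            return false;
        }
        // Scheme names are case-insensitive in LDAP; accept "{md5}" as well as "{MD5}".
        if (!encPass.substring(0, PREFIX.length()).equalsIgnoreCase(PREFIX)) {
            return false; // not an {MD5} value: refuse rather than guess the scheme
        }
        byte[] stored;
        try {
            stored = DatatypeConverter.parseBase64Binary(encPass.substring(PREFIX.length()));
        } catch (IllegalArgumentException e) {
            return false; // malformed base64 in the directory value
        }
        // Constant-time comparison of the stored digest against the candidate.
        return MessageDigest.isEqual(stored, md5(rawPass));
    }

    private static byte[] md5(String rawPass) {
        try {
            return MessageDigest.getInstance("MD5").digest(rawPass.getBytes("UTF-8"));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 digest not available", e);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 not available", e);
        }
    }

    // Wiring (context source construction omitted). With this encoder the authenticator's
    // encodedPassword already starts with "{MD5}", so line 98 needs no change:
    //
    //   PasswordComparisonAuthenticator auth = new PasswordComparisonAuthenticator(contextSource);
    //   auth.setPasswordAttributeName("userPassword");
    //   auth.setPasswordEncoder(new LdapMd5PasswordEncoder());

    public static void main(String[] args) {
        LdapMd5PasswordEncoder enc = new LdapMd5PasswordEncoder();
        String stored = enc.encodePassword("password", null);
        // Well-known RFC 2307 value for the string "password".
        if (!stored.equals("{MD5}X03MO1qnZdYdgyfeuILPmQ==")) {
            throw new AssertionError("unexpected encoding: " + stored);
        }
        if (!enc.isPasswordValid(stored, "password", null)) {
            throw new AssertionError("valid password rejected");
        }
        if (enc.isPasswordValid(stored, "Password", null)) {
            throw new AssertionError("wrong password accepted");
        }
        if (enc.isPasswordValid("{SSHA}" + stored.substring(PREFIX.length()), "password", null)) {
            throw new AssertionError("foreign scheme accepted");
        }
        System.out.println("ok: " + stored);
    }
}
```

Two practical checks before deploying: compare the output of encodePassword for a test account against the raw userPassword attribute fetched with ldapsearch, byte for byte, and confirm the directory does not mix schemes for different users, because this encoder deliberately refuses anything that is not {MD5} rather than silently falling back. Spring Security already ships LdapShaPasswordEncoder for the {SHA} and {SSHA} schemes, which is the better choice where the directory can be moved off unsalted MD5.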