I am introducing Spring Security to a web application. First, I have my authentication manager as follows.
    <authentication-manager>
        <authentication-provider>
            <password-encoder hash='md5'>
            </password-encoder>
            <jdbc-user-service data-source-ref="dataSource"/>
        </authentication-provider>
    </authentication-manager>
For testing I'm going to use '1' as both username and password. I used an online md5 hash generator and I got 'c4ca4238a0b923820dcc509a6f75849b' for md5(1). Login works fine with this configuration. Then I wanted to try salt, and I modified the authentication manager as follows.
    <authentication-manager>
        <authentication-provider>
            <password-encoder hash='md5'>
                <salt-source user-property="username"/>
            </password-encoder>
            <jdbc-user-service data-source-ref="dataSource"/>
        </authentication-provider>
    </authentication-manager>
As I read on the web, the way salt is used is like hash(salt + password). So using the same tool I hashed '11' and got the hash value '6512bd43d9caa6e02c990b0a82652dca'. I updated the database with that value. But now login fails with the error 'Caused : Bad credentials', which means the password didn't match the database. So my question is: does that mean Spring uses a different way of salting?
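
An added example, not part of the original question and not Spring's own code: the legacy Spring Security `Md5PasswordEncoder` (the one behind `<password-encoder hash='md5'>`) merges the salt as `password{salt}` and hex-encodes the MD5 of the UTF-8 bytes, so `md5('11')` cannot match for user '1'. The function names below are hypothetical; the script reproduces that merge and reports which construction a stored hash corresponds to.

```python
import hashlib
import hmac


def merge_password_and_salt(password, salt):
    """Reproduce the legacy merge: password + "{" + salt + "}" (no salt: password as-is)."""
    password = password or ""
    if salt is None or salt == "":
        return password
    # The legacy encoder rejects braces in the salt because they delimit it.
    if "{" in salt or "}" in salt:
        raise ValueError("salt must not contain '{' or '}'")
    return password + "{" + salt + "}"


def encode_password(raw_password, salt=None):
    """Hex MD5 of the merged string, i.e. the value the users table must hold."""
    merged = merge_password_and_salt(raw_password, salt)
    return hashlib.md5(merged.encode("utf-8")).hexdigest()


def is_password_valid(stored_hash, raw_password, salt=None):
    """Compare the stored hash with the re-encoded login attempt in constant time."""
    expected = encode_password(raw_password, salt)
    return hmac.compare_digest(stored_hash.lower().encode("utf-8"),
                               expected.encode("utf-8"))


def classify_stored_hash(username, password, stored_hash):
    """Report which construction produced stored_hash (username is the salt source)."""
    candidates = [
        ("md5(password)", hashlib.md5(password.encode("utf-8")).hexdigest()),
        ("md5(salt + password)",
         hashlib.md5((username + password).encode("utf-8")).hexdigest()),
        ("md5(password{salt})", encode_password(password, username)),
    ]
    for label, digest in candidates:
        if digest == stored_hash.lower():
            return label
    return "unknown"


if __name__ == "__main__":
    # Values from the question: username '1', password '1'.
    for stored in ("c4ca4238a0b923820dcc509a6f75849b",
                   "6512bd43d9caa6e02c990b0a82652dca",
                   encode_password("1", "1")):
        print(stored, classify_stored_hash("1", "1", stored),
              "login ok" if is_password_valid(stored, "1", "1") else "Bad credentials")
```
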