Broadleaf salts passwords with the customer username. Because there is no password encoder hooked up by default, this amounts to zero password hashing with a salt.
You can change the password encoders with the 'password.admin.encoder' and 'password.site.encoder' properties. For instance, in production-shared.properties:
password.admin.encoder=org.springframework.security.authentication.encoding.ShaPasswordEncoder
password.site.encoder=org.springframework.security.authentication.encoding.ShaPasswordEncoder
Then obviously you would only see some sort of hash in the database, but the hash would be the real user password salted with the email address. Also, you can change the behavior of the password salting in applicationContext-security.xml (and applicationContext-admin-security.xml) by modifying the 'blSaltSource' bean:
<!-- The BLC Authentication manager. -->
<sec:authentication-manager alias="blAuthenticationManager">
    <sec:authentication-provider user-service-ref="blUserDetailsService">
        <sec:password-encoder ref="blPasswordEncoder">
            <sec:salt-source ref="blSaltSource" />
        </sec:password-encoder>
    </sec:authentication-provider>
</sec:authentication-manager>

<!-- Configuration for salting user passwords. This configuration will use the 'username' property as the salt, which
     implies that the username cannot change. If you would like to change this property or generate a random salt to store
     on a per-customer basis, or if you need to allow users to change their password, then you will need to modify this
     configuration and likely provide a custom UserDetailsService. -->
<bean id="blSaltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
    <property name="userPropertyToUse" value="username" />
</bean>
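To see what the two settings above do together (the ShaPasswordEncoder named in the properties and the username-based 'blSaltSource' bean), here is an added example that is not Broadleaf's or Spring Security's own code. It assumes Spring Security 3.x on the classpath (the package names used in this post), and the usernames and password in it are constructed sample values. It shows the value that would land in the database, why two customers with the same password still get different hashes, and why the comment on the bean says the username cannot change.

```java
// Added example (not Broadleaf's or Spring's own code): exercises the same two beans the
// configuration above wires together, ShaPasswordEncoder and ReflectionSaltSource.
// Assumes Spring Security 3.x (the package names used on this page).
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.springframework.security.authentication.dao.ReflectionSaltSource;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class SaltedHashDemo {

    // Same wiring as the 'blSaltSource' bean: the UserDetails 'username' property is the salt.
    private static ReflectionSaltSource usernameSaltSource() {
        ReflectionSaltSource saltSource = new ReflectionSaltSource();
        saltSource.setUserPropertyToUse("username");
        return saltSource;
    }

    // Minimal UserDetails, standing in for what blUserDetailsService would load.
    private static UserDetails user(String username, String storedPassword) {
        return new User(username, storedPassword, AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    // Plain SHA-256 over a string, used only to show what the encoder is really digesting.
    private static String sha256Hex(String text) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(text.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        // The properties on this page name ShaPasswordEncoder; its no-arg constructor is SHA-1,
        // the strength argument selects SHA-256 here.
        ShaPasswordEncoder encoder = new ShaPasswordEncoder(256);
        ReflectionSaltSource saltSource = usernameSaltSource();

        String rawPassword = "correct horse battery staple"; // constructed sample value

        // Two customers with the same password: the username salt gives them different hashes,
        // which is what the salt buys you (identical passwords no longer share a stored value).
        UserDetails alice = user("alice@example.com", "not-yet-set");
        UserDetails bob = user("bob@example.com", "not-yet-set");
        String aliceHash = encoder.encodePassword(rawPassword, saltSource.getSalt(alice));
        String bobHash = encoder.encodePassword(rawPassword, saltSource.getSalt(bob));
        System.out.println("alice: " + aliceHash);
        System.out.println("bob:   " + bobHash);
        System.out.println("same password, different hashes: " + !aliceHash.equals(bobHash));

        // The normal login check, as the authentication provider performs it against the stored hash.
        UserDetails storedAlice = user("alice@example.com", aliceHash);
        boolean ok = encoder.isPasswordValid(storedAlice.getPassword(), rawPassword,
                saltSource.getSalt(storedAlice));
        System.out.println("login with matching username: " + ok);

        // The caveat from the bean comment: if the username (here the email address) changes,
        // the salt changes, so the stored hash no longer verifies even with the right password.
        UserDetails renamedAlice = user("alice.smith@example.com", aliceHash);
        boolean afterRename = encoder.isPasswordValid(renamedAlice.getPassword(), rawPassword,
                saltSource.getSalt(renamedAlice));
        System.out.println("login after username change: " + afterRename);

        // The salt is not secret: the stored value is simply SHA-256 of "password{username}",
        // which is why the comment suggests a per-customer random salt and a custom UserDetailsService.
        System.out.println("hash equals SHA-256(password{username}): "
                + aliceHash.equals(sha256Hex(rawPassword + "{" + alice.getUsername() + "}")));
    }
}
```

Running it prints two different hex digests for alice and bob, `true` for the login with the original username, `false` after the username change, and `true` for the last line, confirming that the database value is a digest of the password with the username appended in braces. If you move to a per-customer random salt, store that salt alongside the customer record and have your UserDetailsService expose it, so that a username or email change no longer invalidates the stored hash.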