SEC-636: Support for use of "ref" attribute in salt-source element.

core/src/main/java/org/springframework/security/config/PasswordEncoderParser.java

@@ -8,7 +8,9 @@ import org.springframework.security.providers.ldap.authenticator.LdapShaPassword
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.support.RootBeanDefinition;
+import org.springframework.beans.BeanMetadataElement;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
 
@@ -48,7 +50,7 @@ public class PasswordEncoderParser {
 
     private Log logger = LogFactory.getLog(getClass());
 
-    private BeanDefinition passwordEncoder;
+    private BeanMetadataElement passwordEncoder;
     private BeanDefinition saltSource;
 
 
@@ -60,15 +62,21 @@ public class PasswordEncoderParser {
         String hash = element.getAttribute(ATT_HASH);
         boolean useBase64 = StringUtils.hasText(element.getAttribute(ATT_BASE_64));
 
-        Class beanClass = (Class) ENCODER_CLASSES.get(hash);
-        passwordEncoder = new RootBeanDefinition(beanClass);
-
-        if (useBase64) {
-            if (beanClass.isAssignableFrom(BaseDigestPasswordEncoder.class)) {
-                passwordEncoder.getPropertyValues().addPropertyValue("encodeHashAsBase64", "true");
-            } else {
-                logger.warn(ATT_BASE_64 + " isn't compatible with " + OPT_HASH_LDAP_SHA + " and will be ignored");
+        String ref = element.getAttribute(ATT_REF);
+
+        if (StringUtils.hasText(ref)) {
+            passwordEncoder = new RuntimeBeanReference(ref);
+        } else {
+            Class beanClass = (Class) ENCODER_CLASSES.get(hash);
+            BeanDefinition beanDefinition = new RootBeanDefinition(beanClass);
+            if (useBase64) {
+                if (beanClass.isAssignableFrom(BaseDigestPasswordEncoder.class)) {
+                    beanDefinition.getPropertyValues().addPropertyValue("encodeHashAsBase64", "true");
+                } else {
+                    logger.warn(ATT_BASE_64 + " isn't compatible with " + OPT_HASH_LDAP_SHA + " and will be ignored");
+                }
             }
+            passwordEncoder = beanDefinition;
         }
 
         Element saltSourceElt = DomUtils.getChildElementByTagName(element, Elements.SALT_SOURCE);
@@ -78,7 +86,7 @@ public class PasswordEncoderParser {
         }
     }
 
-    public BeanDefinition getPasswordEncoder() {
+    public BeanMetadataElement getPasswordEncoder() {
         return passwordEncoder;
     }
 

core/src/test/resources/org/springframework/security/config/auth-provider.xml

@@ -6,7 +6,7 @@
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
 
-    <!-- All combinations should authenticate as bob/password -->
+    <!-- All combinations should authenticate as bob/bobspassword -->
 
     <authentication-provider>
         <user-service>
@@ -34,4 +34,17 @@ http://www.springframework.org/schema/security http://www.springframework.org/sc
         </user-service>
     </authentication-provider>
 
+    <!-- External beans for both UserDetailsService and PasswordEncoder -->
+    <authentication-provider user-service-ref="customUserService">
+        <password-encoder ref="customPasswordEncoder">
+            <salt-source user-property="username"/>
+        </password-encoder>
+    </authentication-provider>
+
+    <beans:bean id="customPasswordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>
+
+    <beans:bean id="customUserService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
+        <beans:property name="userMap" value="bob=f117f0862384e9497ff4f470e3522606,ROLE_A"/>
+    </beans:bean>
+
 </beans:beans>