=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java	2015-07-15 09:45:45 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java	2015-08-25 13:54:00 +0000
@@ -38,7 +38,6 @@
 import org.hisp.dhis.i18n.locale.LocaleManager;
 import org.hisp.dhis.message.MessageSender;
 import org.hisp.dhis.period.Cal;
-import org.hisp.dhis.security.migration.MigrationPasswordManager;
 import org.hisp.dhis.setting.SystemSettingManager;
 import org.hisp.dhis.system.util.ValidationUtils;
 import org.hisp.dhis.system.velocity.VelocityManager;
@@ -82,9 +81,9 @@
     // Dependencies
     // -------------------------------------------------------------------------
 
-    private MigrationPasswordManager passwordManager;
+    private PasswordManager passwordManager;
 
-    public void setPasswordManager( MigrationPasswordManager passwordManager )
+    public void setPasswordManager( PasswordManager passwordManager )
     {
         this.passwordManager = passwordManager;
     }
@@ -359,7 +358,7 @@
             return errorMessage;
         }
 
-        errorMessage = verifyRestoreCode( credentials, code );
+        errorMessage = verifyRestoreCode( credentials.getRestoreCode(), code );
 
         if ( errorMessage != null )
         {
@@ -381,14 +380,12 @@
      * Verifies a user supplied restore code against the stored restore code.
      * If the code cannot be verified a descriptive error string is returned.
      *
-     * @param credentials the user credentials.
-     * @param code        the user supplied code.
+     * @param restoreCode the restore code to verify against.
+     * @param code        the user supplied code to verify.
      * @return null on success, a descriptive error string otherwise.
      */
-    private String verifyRestoreCode( UserCredentials credentials, String code )
+    private String verifyRestoreCode( String restoreCode, String code )
     {
-        String restoreCode = credentials.getRestoreCode();
-
         if ( code == null )
         {
             return "code_parameter_is_null";
@@ -399,7 +396,7 @@
             return "account_restore_code_is_null";
         }
 
-        boolean validCode = passwordManager.legacyOrCurrentMatches( code, restoreCode, credentials.getUsername() );
+        boolean validCode = passwordManager.matches( code, restoreCode );
 
         return validCode ? null : "code_does_not_match_restoreCode - code: '" + code + "' restoreCode: '" + restoreCode + "'";
     }
@@ -461,7 +458,7 @@
             return "could_not_verify_token";
         }
 
-        boolean validToken = passwordManager.legacyOrCurrentMatches( token, restoreToken, credentials.getUsername() );
+        boolean validToken = passwordManager.matches( token, restoreToken );
 
         return validToken ? null : "restore_token_does_not_match_supplied_token";
     }

=== removed file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultUsernameSaltSource.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultUsernameSaltSource.java	2015-01-17 07:41:26 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultUsernameSaltSource.java	1970-01-01 00:00:00 +0000
@@ -1,51 +0,0 @@
-package org.hisp.dhis.security;
-
-/*
- * Copyright (c) 2004-2015, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import  org.springframework.security.core.userdetails.UserDetails;
-
-/**
- * @author Torgeir Lorange Ostby
- * @version $Id: DefaultUsernameSaltSource.java 3109 2007-03-19 17:05:21Z torgeilo $
- */
-public class DefaultUsernameSaltSource
-    implements UsernameSaltSource
-{
-    @Override
-    public Object getSalt( UserDetails userDetails )
-    {
-        return getSalt( userDetails.getUsername() );
-    }
-
-    @Override
-    public Object getSalt( String username )
-    {
-        return username.hashCode();
-    }
-}

=== removed file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/UsernameSaltSource.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/UsernameSaltSource.java	2015-01-17 07:41:26 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/UsernameSaltSource.java	1970-01-01 00:00:00 +0000
@@ -1,54 +0,0 @@
-package org.hisp.dhis.security;
-
-/*
- * Copyright (c) 2004-2015, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import  org.springframework.security.authentication.dao.SaltSource;
-
-/**
- * This interface adds a method for getting a salt based on a username. The
- * reason for this is that before you the user has been added to the database
- * you only have the username to base the salt on. The alternative is to add the
- * user to database first and then encode and set the password later, but then
- * we need a User to UserDetails converter.
- * 
- * @author Torgeir Lorange Ostby
- * @version $Id: UsernameSaltSource.java 3109 2007-03-19 17:05:21Z torgeilo $
- */
-public interface UsernameSaltSource
-    extends SaltSource
-{
-    /**
-     * Creates and returns a salt based on the given username.
-     *
-     * @param username
-     *            the username to base the salt on.
-     * @return a salt based on the given username.
-     */
-    Object getSalt( String username );
-}

=== removed directory 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration'
=== removed file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationAuthenticationProvider.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationAuthenticationProvider.java	2015-01-17 07:41:26 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationAuthenticationProvider.java	1970-01-01 00:00:00 +0000
@@ -1,110 +0,0 @@
-package org.hisp.dhis.security.migration;
-
-/*
- * Copyright (c) 2004-2015, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.hisp.dhis.user.UserCredentials;
-import org.hisp.dhis.user.UserService;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.userdetails.UserDetails;
-
-/**
- * Implements migration of legacy user password hashes on user login.
- *
- * The procedure to do so works by preceding the ordinary authentication check
- * (which is performed using the current password hashing method) with an authentication
- * procedure using the legacy password hashing method.
- *
- * If the currently stored hash and the legacyHash(suppliedPassword, usernameSalt) matches
- * the password is hashed again using the current method and replaces the stored hash for the user.
- * The user is now migrated to the current password hashing scheme and will on next logon not
- * authenticate using the legacy hash method but the current one.
- *
- * In either case the call is followed by the authentication procedure in DaoAuthenticationProvider
- * which performs the final authentication (using the current method).
- *
- * @author Halvdan Hoem Grelland
- */
-public class MigrationAuthenticationProvider
-    extends DaoAuthenticationProvider
-{
-    private static final Log log = LogFactory.getLog( MigrationAuthenticationProvider.class );
-
-    // -------------------------------------------------------------------------
-    // Dependencies
-    // -------------------------------------------------------------------------
-
-    private UserService userService;
-
-    public void setUserService( UserService userService )
-    {
-        this.userService = userService;
-    }
-
-    private MigrationPasswordManager passwordManager;
-
-    public void setPasswordManager( MigrationPasswordManager passwordManager )
-    {
-        this.passwordManager = passwordManager;
-    }
-
-    // -------------------------------------------------------------------------
-    // Pre-auth check-and-switch for legacy password hash match
-    // -------------------------------------------------------------------------
-
-    @Override
-    protected void additionalAuthenticationChecks( UserDetails userDetails,
-        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken )
-        throws AuthenticationException
-    {
-        String password = (String) usernamePasswordAuthenticationToken.getCredentials();
-        String username = userDetails.getUsername();
-
-        // If legacyHash(password, username) matches stored hash, re-hash password with current method and switch with stored hash
-        if( passwordManager.legacyMatches( password, userDetails.getPassword(), username ) )
-        {
-            UserCredentials userCredentials = userService.getUserCredentialsByUsername( username );
-
-            if ( userCredentials != null )
-            {
-                userService.encodeAndSetPassword( userCredentials, password );
-                userService.updateUser( userCredentials.getUser() );
-
-                log.info( "User " + userCredentials.getUsername() + " was migrated from " + passwordManager.getLegacyPasswordEncoderClassName() +
-                    " to " + passwordManager.getPasswordEncoderClassName() + " based password hashing on login." );
-
-                userDetails = getUserDetailsService().loadUserByUsername( username );
-            }
-        }
-        super.additionalAuthenticationChecks( userDetails, usernamePasswordAuthenticationToken );
-    }
-}

=== removed file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationPasswordManager.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationPasswordManager.java	2015-01-17 07:41:26 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/MigrationPasswordManager.java	1970-01-01 00:00:00 +0000
@@ -1,91 +0,0 @@
-package org.hisp.dhis.security.migration;
-
-/*
- * Copyright (c) 2004-2015, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import org.hisp.dhis.security.PasswordManager;
-
-/**
- * Drop-in replacement for PasswordManager which provides access to legacy password hashing methods as
- * well as the currently used hashing methods. This is useful in implementing seamless migration to
- * a new and more secure password hashing method.
- * In such a migration phase the system will need to be able to authenticate passwords and tokens
- * which are encoded using both the legacy hash method and the current one.
- * Specific methods for encoding and matching using the legacy hashing method are provided alongside the
- * current ones. The {@link #legacyOrCurrentMatches(String, String,String) legacyOrCurrentMatches}
- * method should be used to provide backwards compatibility where applicable.
- *
- * @author Halvdan Hoem Grelland
- */
-public interface MigrationPasswordManager
-    extends PasswordManager
-{
-    /**
-     * Cryptographically hash a password using a legacy encoder.
-     * Useful for access to the former (legacy) hash method when implementing migration to a new method.
-     *
-     * @param password the password to encode.
-     * @param username the username (used for seeding salt generation).
-     * @return the encoded (hashed) password.
-     */
-    public String legacyEncode( String password, String username );
-
-    /**
-     * Determines whether the supplied password equals the encoded password or not.
-     * Uses the legacy hashing method to do so and is useful in implementing migration to a new method.
-     *
-     * @param rawPassword the password.
-     * @param encodedPassword the encoded password.
-     * @param username the username (used for salt generation).
-     * @return true if the password matches the encoded password, false otherwise.
-     */
-    public boolean legacyMatches( String rawPassword, String encodedPassword, String username );
-
-    /**
-     * Determines whether encodedPassword is a valid hash of password using either the legacy or
-     * current encoder (hashing method).
-     * This method is a migration specific wrapper for the {@link org.hisp.dhis.security.PasswordManager#matches(String, String) matches}
-     * method in order to support authenticating hashes which were generated using the legacy hash
-     * implementation in addition to the current hashing scheme.
-     * Use this method to provide backwards compatibility for hashes.
-     * Replace with {@link org.hisp.dhis.security.PasswordManager#matches(String, String) matches}
-     * when disabling (ending) backwards compatibility.
-     *
-     * @param rawPassword the un-encoded token as supplied from the user.
-     * @param encodedPassword the encoded token to match against.
-     * @param username the username associated with the token (used for salting by the legacy password encoder).
-     * @return true if the token matches for either the legacy or current hashing scheme, false otherwise.
-     */
-    public boolean legacyOrCurrentMatches( String rawPassword, String encodedPassword, String username );
-
-    /**
-     * Return the class name of the legacy password encoder.
-     * @return the name of the legacy password encoder class.
-     */
-    public String getLegacyPasswordEncoderClassName();
-}

=== removed file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/SpringSecurityMigrationPasswordManager.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/SpringSecurityMigrationPasswordManager.java	2015-02-22 20:02:00 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/migration/SpringSecurityMigrationPasswordManager.java	1970-01-01 00:00:00 +0000
@@ -1,87 +0,0 @@
-package org.hisp.dhis.security.migration;
-
-/*
- * Copyright (c) 2004-2015, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import org.hisp.dhis.security.UsernameSaltSource;
-import org.hisp.dhis.security.spring.SpringSecurityPasswordManager;
-import org.springframework.security.authentication.encoding.PasswordEncoder;
-
-/**
- * @author Halvdan Hoem Grelland
- */
-public class SpringSecurityMigrationPasswordManager
-    extends SpringSecurityPasswordManager
-    implements MigrationPasswordManager
-{
-    // -------------------------------------------------------------------------
-    // Dependencies
-    // -------------------------------------------------------------------------
-
-    private PasswordEncoder legacyPasswordEncoder;
-
-    public void setLegacyPasswordEncoder( PasswordEncoder legacyPasswordEncoder )
-    {
-        this.legacyPasswordEncoder = legacyPasswordEncoder;
-    }
-
-    private UsernameSaltSource usernameSaltSource;
-
-    public void setUsernameSaltSource( UsernameSaltSource usernameSaltSource )
-    {
-        this.usernameSaltSource = usernameSaltSource;
-    }
-
-    // -------------------------------------------------------------------------
-    // MigrationPasswordManager implementation
-    // -------------------------------------------------------------------------
-
-    @Override
-    public final String legacyEncode( String password, String username )
-    {
-        return legacyPasswordEncoder.encodePassword( password, usernameSaltSource.getSalt( username ) );
-    }
-
-    @Override
-    public boolean legacyMatches( String rawPassword, String encodedPassword, String username )
-    {
-        return legacyPasswordEncoder.isPasswordValid( encodedPassword, rawPassword, usernameSaltSource.getSalt( username ) );
-    }
-
-    @Override
-    public boolean legacyOrCurrentMatches( String rawPassword, String encodedPassword, String username )
-    {
-        return legacyMatches( rawPassword, encodedPassword, username ) || super.matches( rawPassword, encodedPassword );
-    }
-
-    @Override
-    public String getLegacyPasswordEncoderClassName()
-    {
-        return legacyPasswordEncoder.getClass().getName();
-    }
-}

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java	2015-07-15 09:45:45 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/user/DefaultUserService.java	2015-08-25 13:54:00 +0000
@@ -40,7 +40,7 @@
 import org.hisp.dhis.dataelement.DataElementCategoryService;
 import org.hisp.dhis.dataset.DataSet;
 import org.hisp.dhis.period.PeriodType;
-import org.hisp.dhis.security.migration.MigrationPasswordManager;
+import org.hisp.dhis.security.PasswordManager;
 import org.hisp.dhis.setting.SystemSettingManager;
 import org.hisp.dhis.system.filter.UserAuthorityGroupCanIssueFilter;
 import org.hisp.dhis.system.util.DateUtils;
@@ -118,9 +118,9 @@
         this.systemSettingManager = systemSettingManager;
     }
 
-    private MigrationPasswordManager passwordManager;
+    private PasswordManager passwordManager;
 
-    public void setPasswordManager( MigrationPasswordManager passwordManager )
+    public void setPasswordManager( PasswordManager passwordManager )
     {
         this.passwordManager = passwordManager;
     }
@@ -555,7 +555,7 @@
     public void encodeAndSetPassword( UserCredentials userCredentials, String rawPassword )
     {
         boolean isNewPassword = StringUtils.isBlank( userCredentials.getPassword() ) ||
-            !passwordManager.legacyOrCurrentMatches( rawPassword, userCredentials.getPassword(), userCredentials.getUsername() );
+            !passwordManager.matches( rawPassword, userCredentials.getPassword() );
 
         if ( isNewPassword )
         {

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/security.xml'
--- dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/security.xml	2015-07-07 03:14:28 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/security.xml	2015-08-25 13:54:00 +0000
@@ -2,48 +2,15 @@
 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
 
-  <bean id="md5PasswordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
-
-  <bean id="usernameSaltSource" class="org.hisp.dhis.security.DefaultUsernameSaltSource" />
+  <bean id="userDetailsService" class="org.hisp.dhis.security.DefaultUserDetailsService">
+    <property name="userService" ref="org.hisp.dhis.user.UserService" />
+  </bean>
 
   <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
 
-  <bean id="userDetailsService" class="org.hisp.dhis.security.DefaultUserDetailsService">
-    <property name="userService" ref="org.hisp.dhis.user.UserService" />
-  </bean>
-
-  <!--
-    As of version 2.17 the password hashing method has been switched from MD5 to bCrypt. In order to migrate user records
-    seamlessly to the new hashing scheme, the SpringSecurityMigrationPasswordManager and MigrationAuthenticationProvider should
-    be used in lieu of SpringSecurityPasswordManager and the default spring AuthenticationProvider respectively.
-
-    As soon as migration is deemed complete (in a later version, most likely 2.18 or 2.19) the org.hisp.dhis.security.migration
-    package components should be replaced.
-
-    The configuration for SpringSecurityPasswordManager as it should be used in later versions is shown int the comments below.
-    To disable migration mode enable this and change any in class references from MigrationPasswordManager to PasswordManager.
-  -->
-
-  <!--
-    Replaced by MigrationSpringSecurityPasswordManager as while the system is not fully migrated to bCrypt password hashes.
-
   <bean id="org.hisp.dhis.security.PasswordManager" class="org.hisp.dhis.security.spring.SpringSecurityPasswordManager">
     <property name="passwordEncoder" ref="bCryptPasswordEncoder" />
   </bean>
-  -->
-
-  <bean id="org.hisp.dhis.security.PasswordManager" class="org.hisp.dhis.security.migration.SpringSecurityMigrationPasswordManager">
-    <property name="passwordEncoder" ref="bCryptPasswordEncoder" />
-    <property name="legacyPasswordEncoder" ref="md5PasswordEncoder" />
-    <property name="usernameSaltSource" ref="usernameSaltSource" />
-  </bean>
-
-  <bean id="migrationAuthenticationProvider" class="org.hisp.dhis.security.migration.MigrationAuthenticationProvider">
-    <property name="passwordManager" ref="org.hisp.dhis.security.PasswordManager" />
-    <property name="userService" ref="org.hisp.dhis.user.UserService" />
-    <property name="passwordEncoder" ref="bCryptPasswordEncoder" />
-    <property name="userDetailsService" ref="userDetailsService" />
-  </bean>
 
   <bean id="org.hisp.dhis.security.SecurityService" class="org.hisp.dhis.security.DefaultSecurityService">
     <property name="passwordManager" ref="org.hisp.dhis.security.PasswordManager" />
@@ -54,24 +21,11 @@
   </bean>
 
   <!-- Security : Authentication providers -->
-
-  <sec:authentication-manager alias="authenticationManager">
-    <sec:authentication-provider ref="migrationAuthenticationProvider" />
-  </sec:authentication-manager>
-
-  <!--
-  As of 2.17 user password hashes are being migrated from MD5(password, username) to bCrypt(password).
-  The migration is implemented in the migrationAuthenticationProvider configured above.
-  Once migration is complete, the authentication-manager configuration above can be
-  replaced by the one given below (commented). At that point the system will no longer accept
-  authentication request from users which are still stored with an MD5 hash in the database.
-
   <sec:authentication-manager alias="authenticationManager">
     <sec:authentication-provider user-service-ref="userDetailsService">
       <sec:password-encoder ref="bCryptPasswordEncoder" />
     </sec:authentication-provider>
   </sec:authentication-manager>
-  -->
 
   <!-- OAuth2 -->
   <bean id="clientDetailsService" class="org.hisp.dhis.security.oauth2.DefaultClientDetailsService" />

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AccountController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AccountController.java	2015-07-08 08:12:45 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AccountController.java	2015-08-25 13:54:00 +0000
@@ -35,10 +35,10 @@
 import org.hisp.dhis.configuration.ConfigurationService;
 import org.hisp.dhis.dxf2.webmessage.WebMessageException;
 import org.hisp.dhis.organisationunit.OrganisationUnit;
+import org.hisp.dhis.security.PasswordManager;
 import org.hisp.dhis.security.RestoreOptions;
 import org.hisp.dhis.security.RestoreType;
 import org.hisp.dhis.security.SecurityService;
-import org.hisp.dhis.security.migration.MigrationPasswordManager;
 import org.hisp.dhis.setting.SystemSettingManager;
 import org.hisp.dhis.system.util.ValidationUtils;
 import org.hisp.dhis.user.User;
@@ -102,7 +102,7 @@
     private ConfigurationService configurationService;
 
     @Autowired
-    private MigrationPasswordManager passwordManager;
+    private PasswordManager passwordManager;
 
     @Autowired
     private SecurityService securityService;
@@ -447,7 +447,7 @@
             return;
         }
 
-        if ( !passwordManager.legacyOrCurrentMatches( oldPassword, credentials.getPassword(), credentials.getUsername() ) )
+        if ( !passwordManager.matches( oldPassword, credentials.getPassword() ) )
         {
             result.put( "status", "NON_MATCHING_PASSWORD" );
             result.put( "message", "Old password is wrong, please correct and try again." );

=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/useraccount/action/UpdateUserAccountAction.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/useraccount/action/UpdateUserAccountAction.java	2015-02-19 09:18:17 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/useraccount/action/UpdateUserAccountAction.java	2015-08-25 13:54:00 +0000
@@ -30,7 +30,7 @@
 
 import org.apache.commons.lang3.StringUtils;
 import org.hisp.dhis.i18n.I18n;
-import org.hisp.dhis.security.migration.MigrationPasswordManager;
+import org.hisp.dhis.security.PasswordManager;
 import org.hisp.dhis.user.User;
 import org.hisp.dhis.user.UserService;
 
@@ -48,7 +48,7 @@
 
     private UserService userService;
 
-    private MigrationPasswordManager passwordManager;
+    private PasswordManager passwordManager;
 
     // -------------------------------------------------------------------------
     // Input
@@ -76,7 +76,7 @@
     // Getters && Setters
     // -------------------------------------------------------------------------
 
-    public void setPasswordManager( MigrationPasswordManager passwordManager )
+    public void setPasswordManager( PasswordManager passwordManager )
     {
         this.passwordManager = passwordManager;
     }
@@ -149,7 +149,7 @@
         User user = userService.getUser( id );
         String currentPassword = userService.getUserCredentials( user ).getPassword();
         
-        if ( !passwordManager.legacyOrCurrentMatches( oldPassword, currentPassword, user.getUsername() ) )
+        if ( !passwordManager.matches( oldPassword, currentPassword ) )
         {
             message = i18n.getString( "wrong_password" );
             return INPUT;

=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/DeleteCurrentUserAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/DeleteCurrentUserAction.java	2015-01-17 07:41:26 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/DeleteCurrentUserAction.java	2015-08-25 13:54:00 +0000
@@ -33,7 +33,7 @@
 import java.util.Collection;
 
 import org.hisp.dhis.i18n.I18n;
-import org.hisp.dhis.security.migration.MigrationPasswordManager;
+import org.hisp.dhis.security.PasswordManager;
 import org.hisp.dhis.user.CurrentUserService;
 import org.hisp.dhis.user.User;
 import org.hisp.dhis.user.UserCredentials;
@@ -52,9 +52,9 @@
         this.currentUserService = currentUserService;
     }
 
-    private MigrationPasswordManager passwordManager;
+    private PasswordManager passwordManager;
 
-    public void setPasswordManager( MigrationPasswordManager passwordManager )
+    public void setPasswordManager( PasswordManager passwordManager )
     {
         this.passwordManager = passwordManager;
     }
@@ -138,7 +138,7 @@
             return INPUT;
         }
 
-        if( !passwordManager.legacyOrCurrentMatches( oldPassword, oldPasswordFromDB, username ) )
+        if( !passwordManager.matches( oldPassword, oldPasswordFromDB ) )
         {
             message = i18n.getString( "wrong_password" );
             return INPUT;