I am working with a legacy application that stored passwords in plaintext. I have ported the application to spring 3 mvc + security. I have also successfully gotten spring security handling the authentication and authorization using sha256 + a salt based on the username. This all works great, however as part of the deployment, I will need to migrate the existing database to use the new password schema. I am not sure how spring security does it's password hashing with a salt, so i am unable to write a sql script that can be used to migrate the old plaintext passwords to the new sha256+salt schema. Is there any documentation or resources that I can use to figure this out?

This is documented in BasePasswordEncoder:

The generated password will be in the form of password{salt}.

So in your case you can compute the salted password using this simple code:

new ShaPasswordEncoder(256).encodePassword(oldPassword, randomSalt)

Note: ShaPasswordEncoder extends BasePasswordEncoder.

1. If you are using the default password encode then the source seems useful. (Pick the branch appropiate for the version you are using).
2. You can implement your own PasswordEncoder and define the way the salt is used.