I am using the new BCryptPasswordEncoder to hash user passwords to the database (which is a MongoDB in my case). When I just test out my login, I set the password encoder in my security config to be a BCryptPasswordEncoder, but I get Bad Credentials back when I try to log in (with correct credentials of course). What am I missing?
Security Config:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    @EnableWebMvcSecurity
    public class VZWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        VZUserDetailsService userDetailsService;

        // Stored passwords are verified with the bcrypt encoder bean below.
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(encoder());
        }

        // "/" and "/home" are public; every other request requires authentication.
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }

        @Bean
        public PasswordEncoder encoder() {
            return new BCryptPasswordEncoder();
        }
    }

To start out with some valid users, I initialize the DB with some users:

    import java.util.ArrayList;
    import java.util.List;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.CommandLineRunner;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    import vertyze.platform.data.constants.VZUserRoles;

    @Configuration
    @ComponentScan("it.vertyze.platform")
    @EnableAutoConfiguration
    public class Application implements CommandLineRunner {

        @Autowired
        VZUserRepository userRepository;

        public static void main(String[] args) {
            SpringApplication.run(Application.class, args);
        }

        // Runs once at startup: wipes the user collection and seeds two test users.
        @Override
        public void run(String... args) throws Exception {
            userRepository.deleteAll();

            // A separate encoder instance is fine here: bcrypt stores the salt
            // inside the hash, so any BCryptPasswordEncoder can verify it.
            PasswordEncoder encoder = new BCryptPasswordEncoder();

            List<VZUserRoles> siteAdmin = new ArrayList<VZUserRoles>();
            siteAdmin.add(VZUserRoles.SITE_ADMIN);
            List<VZUserRoles> siteUser = new ArrayList<VZUserRoles>();
            siteUser.add(VZUserRoles.SITE_VIEWER);

            VZUser user1 = new VZUser();
            VZUser user2 = new VZUser();

            user1.setUsername("user1");
            user1.setPassword(encoder.encode("password1"));
            user1.setRoles(siteAdmin);

            user2.setUsername("user2");
            user2.setPassword(encoder.encode("password2"));
            user2.setRoles(siteUser);

            userRepository.save(user1);
            userRepository.save(user2);
        }
    }

Can anyone help me out here? Thanks!
Is there by chance a
WARN o.s.s.c.bcrypt.BCryptPasswordEncoder - Encoded password does not look like BCrypt
in your debug log? If yes, you should check whether the length of the password row in your user table is big enough. The bcrypt algorithm produces hashes of length 60, so if you happen to have a row with e.g. type varchar(45), your hash might be truncated.
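
The truncation case described in the answer above can be reproduced and detected with a small check. This is an added example, not code from the original post or from Spring Security; the class `BcryptTruncationCheck` and its helpers `looksLikeBcrypt` and `diagnose` are hypothetical names, and it assumes spring-security-crypto is on the classpath.

```java
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptTruncationCheck {

    // "$2a$" (or $2b$ / $2y$), a two-digit cost, "$", then 53 characters of
    // salt and hash: 60 characters in total. This pattern is this example's
    // own check, not the encoder's internal one.
    private static final Pattern BCRYPT =
            Pattern.compile("\\$2[aby]?\\$\\d\\d\\$[./0-9A-Za-z]{53}");

    /** True if the stored value is a complete bcrypt string. */
    static boolean looksLikeBcrypt(String stored) {
        return stored != null && BCRYPT.matcher(stored).matches();
    }

    /** Says what is wrong with a stored value, e.g. for a startup or migration check. */
    static String diagnose(String stored) {
        if (stored == null || stored.isEmpty()) {
            return "empty";
        }
        if (looksLikeBcrypt(stored)) {
            return "ok";
        }
        if (stored.startsWith("$2") && stored.length() < 60) {
            return "truncated bcrypt (" + stored.length() + " of 60 chars)";
        }
        return "not bcrypt (plaintext or another scheme)";
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        String full = encoder.encode("password1"); // constructed sample password
        String cut = full.substring(0, 45);        // what a varchar(45) column would keep

        // matches() returns false for the truncated and the plaintext value,
        // so the login fails with Bad Credentials even for the right password.
        for (String stored : new String[] {full, cut, "password1"}) {
            System.out.printf("length=%d matches=%b diagnosis=%s%n",
                    stored.length(),
                    encoder.matches("password1", stored),
                    diagnose(stored));
        }
    }
}
```

Running `diagnose` over the password field of each stored user record shows whether the value that reaches the encoder is still a full 60-character hash.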