how can I do encryption. So that in the database it does not show the user password. I am now saved in the database - login and password, user role. I need Password must be encrypted (BCrypt) in the database
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/user/**").hasRole("USER")
.antMatchers("/**").permitAll()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/allStudents")
.and()
.logout()
.and()
.csrf().disable();
}
@Bean
public PasswordEncoder weDoNotWantEncryption() {
return new PasswordEncoder() {
@Override
public String encode(CharSequence rawPassword) {
return rawPassword.toString();
}
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword) {
return rawPassword.toString().equals(encodedPassword);
}
};
}
}
Very simply - just replace your weDoNotWantEncryption()
function with one that returns a BCrypt instance:
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
BCryptPasswordEncoder
implements PasswordEncoder
(as the name suggests) and so already has good methods defined for encode()
and matches()
.
Note that this will (of course) render any passwords currently in your database unusable, although given that those passwords are stored in plaintext, I assume (and hope/pray) that this is in a test environment, rather than production.
When we encrypt passwords for storage, we generally hash them so that it is a one way encryption ie we cannot retrieve the original password from the encrypted password even if we knew the hashing algorithm.
The main procedure we follow to do this as follows.
Now to validate user login:
To do this using Bcrypt is a simple process as most of the work is handled by the library. I explained the above scenario so you have a good understanding of what is happening behind the scenes. You do the following to generate and save the hashed password.
String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt());
Now that you have the hashed string, you store this into the database.
When the user logs in, you take his entered password, the database stored hash string, and validate it.
if (BCrypt.checkpw(entered_pw, stored_hash))
return True;
Refer to the spring security documentation on BCrypt hashing here:
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.