BCrypt in my Spring Security project (Spring security)
Question
how can I do encryption. So that in the database it does not show the user password. I am now saved in the database - login and password, user role. I need Password must be encrypted (BCrypt) in the database
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/user/**").hasRole("USER")
.antMatchers("/**").permitAll()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/allStudents")
.and()
.logout()
.and()
.csrf().disable();
}
@Bean
public PasswordEncoder weDoNotWantEncryption() {
return new PasswordEncoder() {
@Override
public String encode(CharSequence rawPassword) {
return rawPassword.toString();
}
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword) {
return rawPassword.toString().equals(encodedPassword);
}
};
}
}
2 answers
solution1
3 ACCPTED 2019-08-16 10:49:18
Very simply - just replace your weDoNotWantEncryption() function with one that returns a BCrypt instance:
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
BCryptPasswordEncoder implements PasswordEncoder (as the name suggests) and so already has good methods defined for encode() and matches() .
Note that this will (of course) render any passwords currently in your database unusable, although given that those passwords are stored in plaintext, I assume (and hope/pray) that this is in a test environment, rather than production.
solution2
1 2019-08-16 10:56:33
When we encrypt passwords for storage, we generally hash them so that it is a one way encryption ie we cannot retrieve the original password from the encrypted password even if we knew the hashing algorithm.
The main procedure we follow to do this as follows.
- Take the string "password"
- Add a salt (a random string to ensure multiple users with the same password do not have the same hashed password) to the password: Random salt: "A3fcherf42", Generated string: "A3fcherf42password"
- Hash this string using an encryption algorithm and you might get: "d143d1w132dd23dsgrg5"
- Append the salt to the encrypted password for future use when validating user login: "A3fcherf42d143d1w132dd23dsgrg5"
- Save it in the database with the user id
Now to validate user login:
- Take password from the login form ie "password"
- Read the hash stored in the database: "A3fcherf42d143d1w132dd23dsgrg5"
- Extract the salt from stored hashed password: "A3fcherf42"
- Append the salt to the user entered password: "A3fcherf42password"
- Hash the password, and now the generated hash should match the hash stored in the database.
To do this using Bcrypt is a simple process as most of the work is handled by the library. I explained the above scenario so you have a good understanding of what is happening behind the scenes. You do the following to generate and save the hashed password.
String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt());
Now that you have the hashed string, you store this into the database.
When the user logs in, you take his entered password, the database stored hash string, and validate it.
if (BCrypt.checkpw(entered_pw, stored_hash))
return True;
Refer to the spring security documentation on BCrypt hashing here:
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.