4

I am using the new BCryptPasswordEncoder to hash User Passwords to the database (which is a MongoDB in my case). When I just test out my login, I set the password encoder in my security config to be a BCryptPasswordEncoder, but I get Bad Credentials back when I try to log in (with correct credentials of course). What am I missing?

Security Config:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    @EnableWebMvcSecurity
    public class VZWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        VZUserDetailsService userDetailsService;

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(encoder());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }

        @Bean
        public PasswordEncoder encoder() {
            return new BCryptPasswordEncoder();
        }

    }

To start out with some valid users, I initialize the DB with some users:

    import java.util.ArrayList;
    import java.util.List;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.CommandLineRunner;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    import vertyze.platform.data.constants.VZUserRoles;

    @Configuration
    @ComponentScan("it.vertyze.platform")
    @EnableAutoConfiguration
    public class Application implements CommandLineRunner {

        @Autowired
        VZUserRepository userRepository;

        public static void main(String[] args) {
            SpringApplication.run(Application.class, args);
        }

        @Override
        public void run(String... args) throws Exception {
            userRepository.deleteAll();
            PasswordEncoder encoder = new BCryptPasswordEncoder();

            List<VZUserRoles> siteAdmin = new ArrayList<VZUserRoles>();
            siteAdmin.add(VZUserRoles.SITE_ADMIN);

            List<VZUserRoles> siteUser = new ArrayList<VZUserRoles>();
            siteUser.add(VZUserRoles.SITE_VIEWER);

            VZUser user1 = new VZUser();
            VZUser user2 = new VZUser();

            user1.setUsername("user1");
            user1.setPassword(encoder.encode("password1"));
            user1.setRoles(siteAdmin);

            user2.setUsername("user2");
            user2.setPassword(encoder.encode("password2"));
            user2.setRoles(siteUser);

            userRepository.save(user1);
            userRepository.save(user2);
        }

    }

Can anyone help me out here? Thanks!

5
  • Are you sure that setting the encoder in the autowired method works fine? Commented Jan 2, 2015 at 10:23
  • @MarianP. Yes, seems to work just fine. Also, the error remains when putting in the actual hash in the password field. Commented Jan 2, 2015 at 13:32
  • OK, it's interesting, but I'm not sure what might be wrong from what I see here. Maybe take a look here: stackoverflow.com/questions/19846270/… Commented Jan 2, 2015 at 15:16
  • I too am having the same problem here. Did you find a solution? Commented Apr 6, 2017 at 22:46
  • @thomi did you find a solution to the problem? I'm facing the same problem. Commented Mar 19, 2019 at 10:40

2 Answers

0

Is there by chance a

    WARN  o.s.s.c.bcrypt.BCryptPasswordEncoder - Encoded password does not look like BCrypt

in your debug log? If yes, you should check whether the length of the password row in your user table is big enough. The bcrypt algorithm produces hashes of length 60, so if you happen to have a row with e.g. type varchar(45) your hash might be truncated.


0

Make sure that you save not the plain but the encoded password in your database:

    PasswordEncoder encoder = new BCryptPasswordEncoder();
    User entity = new User("name", encoder.encode("password"));

Where encoder is your implementation of the PasswordEncoder interface.

Here you can see that the first two users, which I manually inserted in the table, have plaintext passwords, which was the root of the problem for me.

    id  username     password
    1   "Oleksandr"  "1234"
    2   "John"       "Doe"
    3   "Test"       "$2a$10$9mG1Ik1hRCdTdA9/RqSrUehDbkVqGhF.mbx4QE4nfe9Bnx6cLJj7."
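Both answers above come down to one check on the stored value: does it have the 60-character bcrypt shape, or is it truncated or plaintext? The class below is an added example, not part of either answer or of Spring Security; `StoredPasswordAudit`, its patterns and the `Cut` row are constructed for illustration, and the other sample rows are the ones from the table above.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/** Classifies stored password values so truncated or plaintext entries are found before logins fail. */
public class StoredPasswordAudit {

    // Constructed pattern for the 60-character bcrypt format: "$2a$" (or 2b/2y),
    // a two-digit cost, "$", then 53 characters of salt and hash.
    private static final Pattern BCRYPT =
            Pattern.compile("\\A\\$2[aby]?\\$\\d\\d\\$[./0-9A-Za-z]{53}\\z");
    // Same prefix with fewer than 53 trailing characters: a hash cut off by a short column.
    private static final Pattern BCRYPT_PREFIX =
            Pattern.compile("\\A\\$2[aby]?\\$\\d\\d\\$[./0-9A-Za-z]{0,52}\\z");

    enum Verdict { BCRYPT_OK, TRUNCATED_BCRYPT, NOT_BCRYPT }

    static Verdict classify(String stored) {
        if (stored == null) return Verdict.NOT_BCRYPT;
        if (BCRYPT.matcher(stored).matches()) return Verdict.BCRYPT_OK;
        if (BCRYPT_PREFIX.matcher(stored).matches()) return Verdict.TRUNCATED_BCRYPT;
        return Verdict.NOT_BCRYPT; // plaintext or some other encoding
    }

    public static void main(String[] args) {
        String full = "$2a$10$9mG1Ik1hRCdTdA9/RqSrUehDbkVqGhF.mbx4QE4nfe9Bnx6cLJj7.";
        Map<String, String> rows = new LinkedHashMap<>();
        rows.put("Oleksandr", "1234");
        rows.put("John", "Doe");
        rows.put("Test", full);
        rows.put("Cut", full.substring(0, 45)); // constructed: what a varchar(45) column would keep

        for (Map.Entry<String, String> row : rows.entrySet()) {
            Verdict verdict = classify(row.getValue());
            // Report only the length and verdict, never the stored value itself.
            System.out.printf("%-10s length=%-3d %s%n",
                    row.getKey(), row.getValue().length(), verdict);
        }
    }
}
```

A value classified as `BCRYPT_OK` is only well-formed; whether it verifies against a given password is still decided by `PasswordEncoder.matches`.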
