1

I want to use the bcrypt password encoder; as I understand it, it automatically hashes and salts the password.

My code looks like this atm:

@Configuration
@EnableWebSecurity
public class BasicAuthConfig extends WebSecurityConfigurerAdapter {

  @Bean
  public PasswordEncoder passwordEncoder(){return new BCryptPasswordEncoder();}
  @Autowired
  private ConfigService configService;
  // Authentication : User --> Roles
  protected void configure(AuthenticationManagerBuilder auth)
    throws Exception {
    auth.inMemoryAuthentication().passwordEncoder(passwordEncoder())
      .withUser(configService.getUsers().getUsername())
        .password(configService.getUsers().getPassword())
        .roles("USER");
  }

  // Authorization : Role -> Access
  protected void configure(HttpSecurity http) throws Exception {
    http
      .httpBasic()
        .and().authorizeRequests()
          .antMatchers("/actuator/**")
            .permitAll()
          .antMatchers("/tokenservice/**")
            .hasRole("USER")
          .antMatchers("/")
            .permitAll()
        .and().csrf()
        .disable()
          .headers()
          .frameOptions()
        .and().disable()
          .sessionManagement()
          .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
  }
}

It works like this with no encoding {noop}. But when I do it like this, I get the following error (one line, sorry, scroll right):

org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext:99 - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.NullPointerException

The configService.getConfigurations.getUsername and password are read from an XML file.

**EDIT** Okay, so I have verified that 2 users exist, and I think the problem is with the way I'm trying to call them. They exist in a List in Configurations. configurations.getUsers() returns both users. So how do I go about calling any user in the .withUser()?

Something like

configService.getConfigurations() // returns configurations
  .getUsers() // returns a list of users
  .getsomethinghere??

Gabriele Mariotti
Mike Nor

1 Answer

3

You just need the following changes:

  protected void configure(AuthenticationManagerBuilder auth)
    throws Exception {
      auth.inMemoryAuthentication()
        .passwordEncoder(passwordEncoder())          
        .withUser(configService.getConfigurations().getUsername1())
        .password(configService.getConfigurations().getPassword1())
        .roles("USER");
  }

And have the password in your XML file as a hashed value. You can get the hash value by using a small code snippet like the one below.

System.out.println(new BCryptPasswordEncoder().encode("yourpassword"));

Another thing is that you can try SCryptPasswordEncoder, which I contributed to the Spring Security project some time back and which is much more secure.

shazin
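Added example, not part of the question or the answer and not Spring Security's own code: one way to register every user from the list mentioned in the question's EDIT when the XML file holds bcrypt hashes, as the answer suggests, failing at startup if an entry is missing or not hashed. `HashedUserRegistrar`, `register` and the username-to-hash map are hypothetical names; the page does not show the user class, so the caller is assumed to build the map from `getUsers()`.

```java
import java.util.Map;
import java.util.regex.Pattern;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical helper (not part of Spring Security or the poster's project). */
public final class HashedUserRegistrar {

  // Shape of a bcrypt hash: "$2", an optional a/b/y, "$", a two-digit cost, "$",
  // then 53 characters holding the salt and the digest.
  private static final Pattern BCRYPT =
      Pattern.compile("^\\$2[aby]?\\$\\d{2}\\$[./0-9A-Za-z]{53}$");

  private HashedUserRegistrar() {}

  static boolean looksLikeBcrypt(String value) {
    return value != null && BCRYPT.matcher(value).matches();
  }

  /**
   * Registers every entry of usernameToHash as an in-memory user with role USER.
   * Call it from configure(AuthenticationManagerBuilder), passing the encoder bean
   * and a map built from the user list read from the XML file.
   */
  public static void register(AuthenticationManagerBuilder auth, PasswordEncoder encoder,
      Map<String, String> usernameToHash) throws Exception {
    if (usernameToHash == null || usernameToHash.isEmpty()) {
      throw new IllegalStateException("no users found in configuration");
    }
    InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> users =
        auth.inMemoryAuthentication().passwordEncoder(encoder);
    for (Map.Entry<String, String> e : usernameToHash.entrySet()) {
      String name = e.getKey();
      if (name == null || name.isEmpty()) {
        throw new IllegalStateException("user entry without a username");
      }
      if (!looksLikeBcrypt(e.getValue())) {
        // Fail at startup instead of at first login; never log the stored value.
        throw new IllegalStateException("password for '" + name + "' is not a bcrypt hash");
      }
      users.withUser(name).password(e.getValue()).roles("USER");
    }
  }
}
```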