
I'm using Spring Security 5 for the first time and when I try to log in I get this error: `Encoded password does not look like BCrypt`. This is my securityConfig.java:

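```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Users and roles are loaded over JDBC; stored passwords are checked with BCrypt.
    @Autowired
    public void globalConfig(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception {
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            .usersByUsernameQuery("select username as principal,password as credentials, true from users where username = ?")
            .passwordEncoder(new BCryptPasswordEncoder())
            .authoritiesByUsernameQuery("select user_username as principal, roles_role as role from users_roles where user_username = ?")
            .rolePrefix("ROLE_");
    }

    // Static resources and the login page are public; every other request must be authenticated.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/css/**", "/js/**", "/images/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.html")
                .permitAll()
                .defaultSuccessUrl("/index.html");
    }
}
```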

I use the password encoder like this:

```java
.usersByUsernameQuery("select username as principal,password as credentials, true from users where username = ?")
.passwordEncoder(new BCryptPasswordEncoder())
```

Does anyone know where the problem comes from?

1 Answer


`BCryptPasswordEncoder` shows this warning when it fails to match a raw password with an encoded password. It appears that the password present in the database is not encoded; it's in plain text.

Before inserting user details in the database, make sure you encode the password.

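```java
final BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
// Store this encoded value in the database instead of the raw password
final String encodedPassword = passwordEncoder.encode(password);
```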
Vijay Nandwana
  • But right now I'm not inserting the password through my application. I did that through phpMyAdmin directly into the MySQL database, and MySQL doesn't give me the option of encoding it with BCrypt. Any idea? Please! – Kader Moulay Ely Apr 18 '18 at 10:48
  • If you're manually inserting data into the database, then you'd need to manually encode the password and use that instead of clear text. For example, if the password is `password` then the value in the database should be `$2a$10$mppSXDR0IK9byV1OHq1Kdu7/ycd0bdoaeuTeEMry7fpxdOY87ii8q`. The point is you are fetching data from the database and then asking Spring to use `BCryptPasswordEncoder` to see if the password matches or not. `BCryptPasswordEncoder` expects an encoded password but it finds clear text, and due to this it fails to match. In a real-time scenario, you won't insert user data manually. – Vijay Nandwana Apr 19 '18 at 05:45
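As an added example (not code from the question, the answer or Spring itself), this standalone class checks which stored values `BCryptPasswordEncoder` will accept and prints an encoded value suitable for a manual insert. It assumes `spring-security-crypto` is on the classpath; the class name, the `looksLikeBcrypt` helper, its pattern and the sample rows are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptStoredValueCheck {

    // Structural check written for this example: "$2a$", "$2b$" or "$2y$",
    // a two-digit cost, then 53 characters of salt and hash (60 characters in total).
    private static final Pattern BCRYPT_SHAPE =
            Pattern.compile("\\A\\$2[aby]\\$\\d{2}\\$[./0-9A-Za-z]{53}\\z");

    static boolean looksLikeBcrypt(String stored) {
        return stored != null && BCRYPT_SHAPE.matcher(stored).matches();
    }

    public static void main(String[] args) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

        // Constructed rows standing in for "select username, password from users".
        Map<String, String> rows = new LinkedHashMap<>();
        rows.put("alice", "password");                // plain text typed in by hand
        rows.put("bob", encoder.encode("password"));  // encoded before storage
        rows.put("carol", "$2a$10$tooShort");         // constructed truncated value

        for (Map.Entry<String, String> row : rows.entrySet()) {
            String stored = row.getValue();
            boolean shapeOk = looksLikeBcrypt(stored);
            // matches() returns false and logs the warning from the question
            // whenever the stored value is not a BCrypt string.
            boolean loginOk = encoder.matches("password", stored);
            System.out.printf("%-6s shape=%-5b login=%b%n", row.getKey(), shapeOk, loginOk);
        }

        // Value to paste into the password column for a manual insert.
        // A fresh salt is generated on every call, so the output differs per run.
        System.out.println(encoder.encode("password"));
    }
}
```

Only the row encoded before storage passes both checks; the password column must be able to hold the full 60-character value.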