I did a lot of test, and a cant find the way to make it work. With the next basic spring-boot project, you can test how even the passwords are the same, the match method always return false.
pom.xml
<?xml version="1.0" encoding="UTF-8"?><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>basic</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>basic</name>
<description>Basic project for Spring Boot</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.3.RELEASE</version>
<relativePath/>
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<fork>true</fork>
</configuration>
</plugin>
</plugins>
</build>
BasicApplication.java
package com.example;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@SpringBootApplication
public class BasicApplication {
public static PasswordEncoder oauthClientPasswordEncoder = new BCryptPasswordEncoder(4);
private static final Logger LOG = LoggerFactory.getLogger(BasicApplication.class);
public static void main(String[] args) {
SpringApplication.run(BasicApplication.class, args);
String secret = oauthClientPasswordEncoder.encode("secreto");
LOG.info("Client pass: secreto, " + oauthClientPasswordEncoder.matches(secret, "secreto"));
}
}
Logs
Attaching agents: []
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.0.3.RELEASE)
2019-04-04 18:06:09.183 INFO 4111 --- [ main] com.example.BasicApplication : Starting BasicApplication on --.local with PID 4111 (/Users/--/NetBeansProjects/java/BasicSpringbootTest/target/classes started by -- in /Users/--/NetBeansProjects/java/BasicSpringbootTest)
2019-04-04 18:06:09.187 INFO 4111 --- [ main] com.example.BasicApplication : No active profile set, falling back to default profiles: default
2019-04-04 18:06:09.227 INFO 4111 --- [ main] s.c.a.AnnotationConfigApplicationContext : Refreshing org.springframework.context.annotation.AnnotationConfigApplicationContext@6b67034: startup date [Thu Apr 04 18:06:09 CST 2019]; root of context hierarchy
2019-04-04 18:06:09.826 INFO 4111 --- [ main] o.s.j.e.a.AnnotationMBeanExporter : Registering beans for JMX exposure on startup
2019-04-04 18:06:09.838 INFO 4111 --- [ main] com.example.BasicApplication : Started BasicApplication in 16.44 seconds (JVM running for 17.75)
2019-04-04 18:06:09.845 WARN 4111 --- [ main] o.s.s.c.bcrypt.BCryptPasswordEncoder : Encoded password does not look like BCrypt
2019-04-04 18:06:09.845 INFO 4111 --- [ main] com.example.BasicApplication : Client pass: secreto, false
2019-04-04 18:06:09.854 INFO 4111 --- [ Thread-2] s.c.a.AnnotationConfigApplicationContext : Closing org.springframework.context.annotation.AnnotationConfigApplicationContext@6b67034: startup date [Thu Apr 04 18:06:09 CST 2019]; root of context hierarchy
2019-04-04 18:06:09.858 INFO 4111 --- [ Thread-2] o.s.j.e.a.AnnotationMBeanExporter : Unregistering JMX-exposed beans on shutdown
Well, and how it looks like my post is mostly code, here are some more details:
I looked for the same problem: Encoded password does not look like BCrypt, but all solutions relate to human error, or bugs from external resources.
Is weird that you can use the BCrypPasswordEncoder in your AuthorizationServerConfigurerAdapter for configuring Spring Security OAuth2 in your project this way:
SpringSecurityConfig.java
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
[...] // bunch of code
@Bean
public PasswordEncoder oauthClientPasswordEncoder() {
return new BCryptPasswordEncoder(4);
}
}
AuthorizationServerConfig.java
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
[...] // bunch of code
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
ClientDetailsServiceBuilder.ClientBuilder cb = clients
.inMemory()
.withClient("pms_read")
.resourceIds("pms")
.secret("BCRYPTED_PASSWORD_BY_BCRYPTPASSWORDENCODER")
.redirectUris("http://uri.com")
.authorities("APP")
.scopes("read");
}
}
And it works!, but if you want to match the passwords manually, you just cant.
