Bad credentials when using Spring Security BCryptPasswordEncoder to hash passwords
I'm using the new one BCryptPasswordEncoder
for hash user passwords for the database (in my case it's MongoDB). When I just check my login, I set the password encoder in my security config as BCryptPasswordEncoder
, but I return Bad Credentials when I try to login (with the correct credentials, of course). What am I missing?
Security configuration:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
@EnableWebMvcSecurity
public class VZWebSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
VZUserDetailsService userDetailsService;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception{
auth.userDetailsService(userDetailsService).passwordEncoder(encoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception{
http
.authorizeRequests()
.antMatchers("/", "/home").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.permitAll()
.and()
.logout()
.permitAll();
}
@Bean
public PasswordEncoder encoder(){
return new BCryptPasswordEncoder();
}
}
To start with some valid users, I initialize the DB with some users:
import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import vertyze.platform.data.constants.VZUserRoles;
@Configuration
@ComponentScan("it.vertyze.platform")
@EnableAutoConfiguration
public class Application implements CommandLineRunner {
@Autowired
VZUserRepository userRepository;
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
@Override
public void run(String... args) throws Exception {
userRepository.deleteAll();
PasswordEncoder encoder = new BCryptPasswordEncoder();
List<VZUserRoles> siteAdmin = new ArrayList<VZUserRoles>();
siteAdmin.add(VZUserRoles.SITE_ADMIN);
List<VZUserRoles> siteUser = new ArrayList<VZUserRoles>();
siteUser.add(VZUserRoles.SITE_VIEWER);
VZUser user1 = new VZUser();
VZUser user2 = new VZUser();
user1.setUsername("user1");
user1.setPassword(encoder.encode("password1"));
user1.setRoles(siteAdmin);
user2.setUsername("user2");
user2.setPassword(encoder.encode("password2"));
user2.setRoles(siteUser);
userRepository.save(user1);
userRepository.save(user2);
}
}
Can anyone help me here? Thank!
Is there by chance
WARN o.s.s.c.bcrypt.BCryptPasswordEncoder - Encoded password does not look like BCrypt
in your debug log? If so, you should check if the length of the password string in your user table is sufficient. The bcrypt algorithm creates hashes of length 60, so if you have a string with eg. type varchar (45) your hash may be truncated.