
I am using the new BCryptPasswordEncoder to hash user passwords before storing them in the database (which is a MongoDB in my case). To test my login, I set the password encoder in my security config to a BCryptPasswordEncoder, but I get Bad Credentials back when I try to log in (with correct credentials, of course). What am I missing?

Security Config:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    /**
     * Spring Security configuration for the web layer.
     *
     * <p>Authentication is delegated to {@link VZUserDetailsService}, and submitted
     * passwords are checked against the stored value with the {@link PasswordEncoder}
     * bean declared below (bcrypt).
     *
     * <p>NOTE(review): {@code VZUserDetailsService} is not shown here. For the bcrypt
     * comparison to succeed it has to return the stored hash exactly as it was written
     * (a complete bcrypt string is 60 characters long); confirm that it does not trim,
     * re-encode or otherwise alter the password field.
     */
    @Configuration
    @EnableWebMvcSecurity
    public class VZWebSecurityConfig extends WebSecurityConfigurerAdapter {

        /** Loads user records for authentication; injected by Spring. */
        @Autowired
        VZUserDetailsService userDetailsService;

        /**
         * Wires the user lookup and the password check into the authentication manager.
         *
         * @param auth builder that receives the user-details service and encoder
         * @throws Exception if the builder rejects the configuration
         */
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            // The same encoder type must have produced the hashes held in the user store.
            auth.userDetailsService(userDetailsService)
                .passwordEncoder(encoder());
        }

        /**
         * Declares which requests need an authenticated user.
         *
         * <p>{@code "/"} and {@code "/home"} are open to everyone; every other request
         * requires authentication. Form login and logout are enabled and reachable by all.
         *
         * @param http the HTTP security builder to configure
         * @throws Exception if the builder rejects the configuration
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }

        /**
         * Exposes the bcrypt encoder as a bean, built with the no-argument constructor
         * (library default strength).
         *
         * @return the encoder used to verify submitted passwords
         */
        @Bean
        public PasswordEncoder encoder() {
            return new BCryptPasswordEncoder();
        }

    }

To start out with some valid users, I initialize the DB with some users:

import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import vertyze.platform.data.constants.VZUserRoles;


/**
 * Spring Boot entry point that also seeds the user store on every start.
 *
 * <p>NOTE(review): {@link #run(String...)} deletes all existing users and recreates two
 * accounts with hard-coded sample passwords. That is only suitable for local testing;
 * confirm it is never enabled against a shared or production database.
 *
 * <p>NOTE(review): the component scan base package is {@code it.vertyze.platform} while
 * this file imports from {@code vertyze.platform.data.constants}. Confirm that the
 * security configuration and the user-details service actually live under the scanned
 * package.
 */
@Configuration
@ComponentScan("it.vertyze.platform")
@EnableAutoConfiguration
public class Application implements CommandLineRunner {

    /** Repository for the stored users; injected by Spring. */
    @Autowired
    VZUserRepository userRepository;

    /**
     * Starts the Spring application.
     *
     * @param args command-line arguments passed through to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    /**
     * Clears the user repository and stores two sample users with bcrypt-hashed passwords.
     *
     * @param args command-line arguments (unused)
     * @throws Exception declared by {@link CommandLineRunner}
     */
    @Override
    public void run(String... args) throws Exception {
        // Destructive: removes every stored user before seeding.
        userRepository.deleteAll();

        // A separate encoder instance is created here rather than reusing a shared bean.
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();

        List<VZUserRoles> adminRoles = new ArrayList<VZUserRoles>();
        adminRoles.add(VZUserRoles.SITE_ADMIN);

        List<VZUserRoles> viewerRoles = new ArrayList<VZUserRoles>();
        viewerRoles.add(VZUserRoles.SITE_VIEWER);

        VZUser adminUser = buildUser(bcrypt, "user1", "password1", adminRoles);
        VZUser viewerUser = buildUser(bcrypt, "user2", "password2", viewerRoles);

        userRepository.save(adminUser);
        userRepository.save(viewerUser);
    }

    /** Creates a user whose password field holds the bcrypt hash of {@code rawPassword}. */
    private static VZUser buildUser(PasswordEncoder encoder, String username,
            String rawPassword, List<VZUserRoles> roles) {
        VZUser user = new VZUser();
        user.setUsername(username);
        // Only the hash is stored; the plain-text value never reaches the repository.
        user.setPassword(encoder.encode(rawPassword));
        user.setRoles(roles);
        return user;
    }

}

Can anyone help me out here? Thanks!

thomi
  • are you sure that setting of the encoder in the autowired method works fine? – MarianP Jan 02 '15 at 10:23
  • @MarianP. Yes, seems to work just fine. Also, the error remains when putting in the actual hash in the password field. – thomi Jan 02 '15 at 13:32
  • ok, it's interesting, but I'm not sure what might be wrong from what I see here. maybe take a look here http://stackoverflow.com/questions/19846270/null-being-passed-to-spring-security-userdetailsservice – MarianP Jan 02 '15 at 15:16
  • I'm too having the same problem here, did you find a solution. – Johna Apr 06 '17 at 22:46
  • @thomi did you find a solution to the problem? I'm facing the same problem. – Martin Mar 19 '19 at 10:40

1 Answer


Is there by chance a

WARN  o.s.s.c.bcrypt.BCryptPasswordEncoder - Encoded password does not look like BCrypt

in your debug log? If yes, you should check whether the password column in your user table is long enough. The bcrypt algorithm produces hashes of length 60, so if you happen to have a column of type e.g. varchar(45), your hash might be truncated, and a truncated hash can never match the submitted password.

CheshireCat