It appears that org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder doesn't return the generated password salt:

public String encode(CharSequence rawPassword) {
    String salt;
    if(this.strength > 0) {
        if(this.random != null) {
            // explicit cost factor and caller-supplied SecureRandom
            salt = BCrypt.gensalt(this.strength, this.random);
        } else {
            // explicit cost factor, default SecureRandom
            salt = BCrypt.gensalt(this.strength);
        }
    } else {
        // no strength configured: library default cost factor
        salt = BCrypt.gensalt();
    }

    // only the hash string is returned; the salt variable is not exposed
    return BCrypt.hashpw(rawPassword.toString(), salt);
}

Question: what purpose is that designed for? How can this be used, since it doesn't return a salt, which should be stored for the password checking?

Andremoniy
  • Please refer to the answer of this; you will get your answer, possibly: https://stackoverflow.com/questions/6832445/how-can-bcrypt-have-built-in-salts – Vikrant Kashyap Apr 05 '16 at 09:28
  • Are you sure that the information returned from `hashpw` does not include the salt itself? – khelwood Apr 05 '16 at 09:28
  • @khelwood I'm not sure, so this could be the answer. But `spring-security` failed to check the password in the login process without giving it the actual salt – Andremoniy Apr 05 '16 at 09:30
  • Which basically points to an issue with the setup of the login configuration / authentication provider. Post the configuration. – M. Deinum Apr 05 '16 at 11:36

1 Answer

Apparently, the salt is part of the encrypted String, which is separated by $.

More information can be found here: How can bcrypt have built-in salts?

Erik Pragt
  • Yes, it is. But `DaoAuthenticationProvider` failed to extract it because its `SaltSource` is null. It would be brilliant if you expanded your answer and provided additional info on how to configure it to automatically extract this `$`-separated salt. – Andremoniy Apr 05 '16 at 09:47
  • You don't need to extract the salt; you need to make sure that the `BCryptPasswordEncoder` is set up for validation. You don't need to, nor should you, use the `SaltSource`. – M. Deinum Apr 05 '16 at 11:35
  • @M.Deinum could you please clarify this point, because this one `auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder())` doesn't work – Andremoniy Apr 05 '16 at 11:40
  • Then I doubt that that is the one that is actually being used and/or that you are returning the correct password in your custom `UserDetailsService`. You have to make sure that the returned user contains the password from the database. – M. Deinum Apr 05 '16 at 11:44
  • I found the mistake in my code. Very sorry about it, and thank you. – Andremoniy Apr 05 '16 at 11:50
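The answer and the comments under it come down to one point: the 60-character string that `encode()` returns is self-describing (version, cost factor and salt are all in it, in the `$`-separated prefix), and `BCryptPasswordEncoder.matches()` reads the salt back out of that stored string before re-hashing, so nothing has to be stored separately and no `SaltSource` has to be configured. The class below is an added example written for this page, not code from Spring Security or from the original post. It uses only the public Spring Security crypto API (`BCryptPasswordEncoder`, `BCrypt`); the `parse` helper, the `Fields` holder and the sample password are this example's own.

```java
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * Added example (not Spring's code): a bcrypt string carries its own salt.
 * Layout of the 60-character value produced by BCrypt.hashpw:
 *   $<version>$<cost>$<22-char salt><31-char hash>
 * e.g. "$2a$10$" followed by 22 bcrypt-base64 salt chars and 31 hash chars.
 * Note that salt and hash share the last field; only the prefix is $-separated.
 */
public class BcryptSaltDemo {

    /** Fields of one stored bcrypt value (holder type defined for this example). */
    static final class Fields {
        final String version;  // "2a", "2b" or "2y"
        final int cost;        // log2 of the iteration count
        final String salt;     // 22 bcrypt-base64 chars = 16-byte salt
        final String hash;     // 31 bcrypt-base64 chars = 23-byte digest

        Fields(String version, int cost, String salt, String hash) {
            this.version = version;
            this.cost = cost;
            this.salt = salt;
            this.hash = hash;
        }
    }

    /** Split a stored bcrypt value into its fields (helper written for this example). */
    static Fields parse(String encoded) {
        // split("\\$") on "$2a$10$..." yields ["", "2a", "10", "<salt><hash>"]
        String[] parts = encoded.split("\\$");
        if (parts.length != 4 || !parts[1].startsWith("2") || parts[3].length() != 53) {
            // typical cause in practice: a password column too narrow for 60 characters
            throw new IllegalArgumentException("not a complete bcrypt hash: " + encoded);
        }
        return new Fields(parts[1],
                          Integer.parseInt(parts[2]),
                          parts[3].substring(0, 22),
                          parts[3].substring(22));
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple";  // sample input for this example

        // 1. Hashing: encode() generates a fresh random salt and embeds it in the result.
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(10);
        String stored = encoder.encode(password);          // this whole string goes in the DB
        Fields f = parse(stored);
        System.out.println("version=" + f.version + " cost=" + f.cost);
        System.out.println("salt    = " + f.salt);
        System.out.println("hash    = " + f.hash);

        // 2. Encoding the same password again yields a different string (new salt)...
        String storedAgain = encoder.encode(password);
        System.out.println("same salt twice?          " + f.salt.equals(parse(storedAgain).salt));

        // 3. ...so verification must start from the stored value: matches() re-reads the
        //    cost and salt from `stored`, re-hashes the candidate and compares. That is all
        //    DaoAuthenticationProvider asks the encoder to do; there is no separate salt input.
        System.out.println("correct password matches? " + encoder.matches(password, stored));
        System.out.println("wrong password matches?   " + encoder.matches("hunter2", stored));

        // 4. The same step one level down: hashpw() accepts the full stored string as its
        //    "salt" argument because it only reads the $version$cost$salt prefix, which is
        //    exactly how checkpw() is built.
        String rehashed = BCrypt.hashpw(password, stored);
        System.out.println("rehash equals stored?     " + rehashed.equals(stored));
        System.out.println("checkpw agrees?           " + BCrypt.checkpw(password, stored));
    }
}
```

Run it with `spring-security-crypto` on the classpath; it has no other dependencies. Two practical points follow from the format. First, `matches()` only works if the stored value reaches it intact, so the password column must hold all 60 characters; Spring's `BCryptPasswordEncoder.matches()` rejects a value that does not look like a bcrypt hash (it logs a warning and returns `false`), which is the symptom a truncated column produces. Second, as M. Deinum says in the comments, do not wire a `SaltSource` for this encoder: the salt is not a separate input, and the only configuration needed is `passwordEncoder(...)` on the authentication provider together with a `UserDetailsService` that returns the complete stored string.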