I'm working on a project that uses Spring Security to authenticate users. On the other hand, I want to use BCryptPasswordEncoder to check whether the user is stored. I'm using the code below to generate a hash from TEST1234 via BCryptPasswordEncoder. In every loop iteration, BCryptPasswordEncoder generates a different hash. Let's assume I'm taking the first of those hashes and storing it in the database.
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class HashGenerator {
    public static void main(String[] args) {
        String password = "TEST1234";
        // One encoder is enough: encode() draws a fresh random salt on every call,
        // which is why each iteration prints a different string
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        for (int i = 0; i < 10; i++) {
            String hashedPassword = passwordEncoder.encode(password);
            System.out.println(hashedPassword);
        }
    }
}
After this, I'm running the project, calling the secured page, entering username & password and accessing the secured page.
Now, I'm stopping the project and taking the second hash from the above loop. I'm running the project, calling the secured page, entering username & password and can "again" access the secured page.
I don't understand how it's working.
While the server is running, why does login stop working if I change the hash in the database, and why does login work with the correct username & password when the server is stopped, the hash is changed in the database, and the server is started again?
My Spring Security authenticator code is like this:
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Inside the WebSecurityConfigurerAdapter subclass
@Autowired
private DataSource dataSource;

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.jdbcAuthentication()
        .dataSource(dataSource)
        // the password column must hold the full BCrypt string ($2a$10$...), not a plain password
        .usersByUsernameQuery("select memberUserName,password,enabled from Member where memberUserName=?")
        .authoritiesByUsernameQuery("select memberUserName,role from userroles where memberUserName=?")
        // matches() reads the salt out of the stored hash, so any hash of the right password verifies
        .passwordEncoder(new BCryptPasswordEncoder());
}
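Added example (not part of the question above): it shows why every hash printed by the loop verifies against the same password. BCrypt stores its random salt inside the hash string, and BCryptPasswordEncoder.matches() re-hashes the candidate with that stored salt rather than comparing strings. The class name BcryptSaltDemo is mine; it only needs spring-security-crypto on the classpath.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptSaltDemo {

    // Splits a BCrypt string of the form $2a$<cost>$<22-char salt><31-char hash>
    // into its parts so the embedded salt becomes visible.
    static String[] describe(String bcryptHash) {
        String[] parts = bcryptHash.split("\\$");   // ["", "2a", "10", "<salt+hash>"]
        String saltAndHash = parts[3];
        return new String[] {
            parts[1],                      // version, e.g. 2a
            parts[2],                      // cost factor (work = 2^cost rounds)
            saltAndHash.substring(0, 22),  // random salt, 22 base64 characters
            saltAndHash.substring(22)      // the actual 31-character hash
        };
    }

    public static void main(String[] args) {
        String password = "TEST1234";
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

        // Two encodings of the same password differ because each call draws a new salt
        String hash1 = encoder.encode(password);
        String hash2 = encoder.encode(password);
        System.out.println("hash1: " + hash1);
        System.out.println("hash2: " + hash2);
        System.out.println("same string? " + hash1.equals(hash2));

        for (String h : new String[] { hash1, hash2 }) {
            String[] d = describe(h);
            System.out.println("version=" + d[0] + " cost=" + d[1]
                    + " salt=" + d[2] + " hash=" + d[3]);
        }

        // matches() takes the salt from the stored string and re-runs BCrypt on the
        // candidate, so every hash ever generated for "TEST1234" verifies, while a
        // different password (case matters) does not.
        System.out.println("hash1 matches: " + encoder.matches(password, hash1));
        System.out.println("hash2 matches: " + encoder.matches(password, hash2));
        System.out.println("wrong password matches: " + encoder.matches("test1234", hash1));
    }
}
```

Because verification depends only on the salt carried in the stored string, swapping one valid hash of the password for another in the database does not by itself break login; a failure while the server is running points at the application reading a stale copy of the user record, not at BCrypt.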