
I'm trying to use a DelegatingPasswordEncoder with jdbcAuthentication(). When I do, every request is rejected with HTTP 403 (Forbidden), but the same configuration with inMemoryAuthentication() works fine. Can anyone explain why this happens, or point out a mistake I'm making?

I'm using bcrypt as the encoder and the passwords are stored in the database prefixed with the algorithm id like in the example below.

{bcrypt}$2a$10$t1E8PjjYqqp0Uovp6jVgS.r7J7yNzoH0pV3egIbzqQta0yznloJcG

ApplicationSecurityConfig.java

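@Configuration
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AppConfigProperties acp;

    @Autowired
    private DataSource dataSource;

    @Autowired
    private ApplicationUserRepo appUserRepo;

    /**
     * Wires JDBC-backed authentication with a {@link DelegatingPasswordEncoder}.
     *
     * <p>The encoder used for NEW hashes is chosen by {@code acp.getApplicationEncoding()};
     * the encoder used to VERIFY a stored hash is chosen by the {@code {id}} prefix of
     * that hash (e.g. {@code {bcrypt}$2a$10$...}). Every id registered in the map is
     * therefore an accepted verification path, so only formats that really exist in
     * the user table should be listed.
     *
     * @param auth builder the JDBC user-details service is registered on
     * @throws Exception propagated from the Spring Security builder API
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        String idForEncode = acp.getApplicationEncoding();

        // Typed map instead of a raw Map: DelegatingPasswordEncoder expects
        // Map<String, PasswordEncoder>, and the raw type hid that at compile time.
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
        encoders.put("scrypt", new SCryptPasswordEncoder());
        // Legacy only: StandardPasswordEncoder (SHA-256) is deprecated in Spring Security 5.
        // Keep it solely while old "{sha256}" hashes remain to be migrated, then drop it.
        encoders.put("sha256", new StandardPasswordEncoder());
        // "noop" is deliberately NOT registered. With it in the map, any row whose
        // password column reads "{noop}secret" authenticates by plaintext comparison,
        // which turns a single bad insert into a password-bypass. Re-add it only for a
        // short, explicit migration window.

        // NOTE(review): the DelegatingPasswordEncoder constructor rejects an idForEncode
        // that is not a key of the map, so a misconfigured property fails at startup
        // (fail-closed) rather than at the first login -- confirm against your version.
        PasswordEncoder pwEncoder = new DelegatingPasswordEncoder(idForEncode, encoders);

        auth.jdbcAuthentication()
                .dataSource(dataSource)
                .passwordEncoder(pwEncoder)
                .usersByUsernameQuery("select user_name, password, enabled from application_user where user_name=?")
                // The authority strings returned here are used verbatim, while
                // hasRole("ADMIN") in the HTTP rules matches the authority "ROLE_ADMIN".
                // The user_role column must therefore hold "ROLE_"-prefixed values
                // (or configure a role prefix on this configurer) -- otherwise every
                // authenticated request ends in 403 even though the password matched.
                .authoritiesByUsernameQuery("select user_name, user_role from application_user_roles where user_name=?");
    }

    /**
     * HTTP rules: Basic auth, {@code /welcome/**} for USER or ADMIN, everything else ADMIN only.
     *
     * @param http the security DSL for the request pipeline
     * @throws Exception propagated from the Spring Security builder API
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic()
            .and()
            .authorizeRequests()
                // Matchers are evaluated in order and the first match wins, so the
                // more specific "/welcome/**" rule must stay above the "/**" catch-all.
                .antMatchers("/welcome/**").hasAnyRole("USER", "ADMIN")
                .antMatchers("/**").hasRole("ADMIN")
            .and()
            // CSRF is disabled because this is a Basic-auth REST API. That is only safe
            // if no session cookie is issued to browsers; NOTE(review): httpBasic() can
            // still create a session under Spring's default IF_REQUIRED policy, so either
            // declare the API stateless via sessionManagement() or keep CSRF enabled.
            .csrf().disable()
            // Disabling X-Frame-Options removes clickjacking protection for EVERY page.
            // If this is only for an embedded console (e.g. H2), prefer sameOrigin()
            // or scope the exception to that path instead of disabling it globally.
            .headers().frameOptions().disable()
            .and()
            .exceptionHandling().accessDeniedPage("/accessDenied");
    }

}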
  • How do you create and save a new user in the Database ??? – borino Jun 26 '18 at 07:49
  • @borino by inserting database entries. This is a REST API... – k9yosh Jun 26 '18 at 08:52
  • Did you check the password column in the database? The stored values should be hashed, not plain text. If they are not, see https://stackoverflow.com/questions/30260582/password-encoding-with-spring-data-rest – borino Jun 26 '18 at 10:07
  • @borino yes, I tried matching them with the raw password text and they are a match. According to their [blog post](https://spring.io/blog/2017/11/01/spring-security-5-0-0-rc1-released#password-storage-format) they say that passwords should be stored in this way when using DelegatingPasswordEncoder. – k9yosh Jun 26 '18 at 10:21
  • If the passwords in the database are hashed correctly, I think the problem is with roles and permissions. I usually set the Spring Security log level to DEBUG and find out which filter or voter is denying the request. – borino Jun 26 '18 at 11:29
  • @borino yeah, it was the case. I had to prefix my roles with ROLE_ to get it to work. Refer this [answer](https://stackoverflow.com/questions/35894206/spring-security-jdbcauthentication-does-not-work-with-default-roles-processing). You can post an answer, I'll mark it. – k9yosh Jun 26 '18 at 11:39
