Set In Property File - Bcrypt datasource password over Spring Boot

Question

Using Spring boot 2+ I have an application.properties file with the followings:

This is a part of my application.properties:

spring.datasource.password={bcrypt}xxxxxxx

Without bcrypt the application works perfectly but using this, my code return error in DB JPA login.

I have added this to my security class:

@Autowired
private DataSource dataSource;

@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
    auth.jdbcAuthentication().dataSource(dataSource).passwordEncoder(passwordEncoder());
}

@Bean
public BCryptPasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

But it doesn’t solve my issue. still login failure to DB.

Can anyone help? Thanks in advance guys.

Remove the `{bcrypt}`, it is only used if you are using `DelegatingPasswordEncoder`. See this answer to understand it bit more https://stackoverflow.com/questions/62701158/spring-boot-jdbc-authentication-failing/62704290#62704290 — Kavithakaran Kanapathippillai, Jul 19 '20 at 19:08
If it still fails, put a breakpoint in `BCryptPasswordEncoder.matches` method, it will compare the password you sent and the password you setup in `application.properties` — Kavithakaran Kanapathippillai, Jul 19 '20 at 19:10
Hi, @KavithakaranKanapathippillai thanks for your answer . im lost as your answer is related to Bcrypt password from DB. My Whole point is to hash my DB Password Connection.. Why is it so hard? — Yaniv Levy, Jul 19 '20 at 19:14
your password is from db too. See `jdbcAuthentication()` in your config — Kavithakaran Kanapathippillai, Jul 19 '20 at 19:15
It is not difficult, just put a breakpoint in `BCryptPasswordEncoder.matches` method, copy the value of `encodedPassword` and put it in `application.properties`. (because you might have copied the bcrypt password incorrectly` — Kavithakaran Kanapathippillai, Jul 19 '20 at 19:23
I have removed the `{bcrypt}` I have set a new Hashed key in case something wrong with the current key. Both didnt succeed — Yaniv Levy, Jul 19 '20 at 19:27
What is it? i dont have it in the code: `BCryptPasswordEncoder.matches` Where does it need to be? do you have example? — Yaniv Levy, Jul 19 '20 at 19:29
It is the spring library classes and it will be available in your IDE — Kavithakaran Kanapathippillai, Jul 19 '20 at 19:30
_"My Whole point is to hash my DB Password Connection.. Why is it so hard?"_ - because it's not possible to do. Hashing is an irreversible process, but you need the actual password to authenticate with the database. — 1615903, Jul 20 '20 at 05:06
Ok! @1615903 - Now im Progressing! So this cannot be done?? So How i can protect my DB Password to be not seen over the application.properties file ? — Yaniv Levy, Jul 21 '20 at 06:09
You could use environment variables, or something like [jasypt](https://www.baeldung.com/spring-boot-jasypt) — 1615903, Jul 21 '20 at 06:12

score 1 · Accepted Answer · answered Sep 01 '20 at 07:37

1

I was able to solve this quest by using "spring boot jasypt" api. Thank you very much for your assistant. Yaniv

Here is a tutorial that can assist you in case you need. https://www.baeldung.com/spring-boot-jasypt

answered Sep 01 '20 at 07:37

Yaniv Levy

78
10

score 0 · Answer 2 · answered Jul 19 '20 at 22:25

In somewhere in your code must have some kind of password comparing, so if your password is saved and encrypted by bcrypt, you must check it with bycrypt aswell with

BCryptPasswordEncoder.matches(rawPassword, encryptedPassword);

for example, in my code:

@Service
public class UserServiceImpl implements AuthenticationProvider {

  @Autowired
  private final UserRepository userRepository;
  @Autowired
  private final PasswordEncoder passwordEncoder;

  @Override
  public Authentication authenticate(Authentication authentication) {
    String username = authentication.getName();
    String password = authentication.getCredentials().toString();
    User user = userRepository.find.findByUsername(username);
    //You have to check if user exist or not before compares the password
    if (passwordEncoder.matches(password, user.getPassword())) {
        //Password matches then login
    } else {
        //Password did not match, bad credentials.
    }
  }
}

Hello @kyito , This is a DATASOURCE JDBC Login For SQL Server. the Datasource is a default datasource withouth a class in the Spring boot pacakge. How can i Setup the Password of the datasource (JDBC) to be Hashed? — Yaniv Levy, Jul 21 '20 at 06:07
Can you provide your code how did you do the login? Somewhere in you code has to check if user and password matches. — Kyito, Jul 21 '20 at 21:43

Set In Property File - Bcrypt datasource password over Spring Boot

2 Answers2