I'm trying to learn Spring Security currently. I used BCryptPasswordEncoder to encode the user password before persisting it into a database.
Code:
@Override
public void saveUser(User user) {
    // Hash the plaintext password before the entity is persisted
    user.setPassword(bCryptPasswordEncoder.encode(user.getPassword()));
    user.setActive(1);
    Role userRole = roleRepository.findByRole("ADMIN");
    user.setRoles(new HashSet<Role>(Arrays.asList(userRole)));
    userRepository.save(user);
}
Then I used it during authentication as well, and the user was getting authenticated as expected.
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.jdbcAuthentication()
        .usersByUsernameQuery(usersQuery)
        .authoritiesByUsernameQuery(rolesQuery)
        .dataSource(dataSource)
        // Encoder used to compare the submitted password with the stored hash
        .passwordEncoder(bCryptPasswordEncoder);
}
Then I removed .passwordEncoder(bCryptPasswordEncoder); from the configure() method, and users with encoded passwords are still getting authenticated successfully.
Then I removed the password encoder from both the saveUser() and the configure() methods, persisted a User into the database (i.e. without password encoding) and tried to access an authenticated page, but I got AccessDeniedException.
But users with encoded passwords still get authenticated even though I removed passwordEncoder() from the configure() method. Why is this happening?
Does Spring Security by default use a password encoder during authentication?
If so, how do I use Spring Security without password encoding?
Class NoOpPasswordEncoder (deprecated): this PasswordEncoder is not secure. Instead use an adaptive one-way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder.
Spring Security's PasswordEncoder interface is used to perform a one-way transformation of a password to allow the password to be stored securely.
Password Hashing With Spring Security: luckily for us, Spring Security ships with support for all these recommended algorithms via the PasswordEncoder interface: Pbkdf2PasswordEncoder gives us PBKDF2, BCryptPasswordEncoder gives us BCrypt, and SCryptPasswordEncoder gives us SCrypt.
Maybe you can implement this simple code to evade the Spring encoder:
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordEnconderTest implements PasswordEncoder {
    // Stores the password exactly as entered (no hashing at all)
    @Override
    public String encode(CharSequence charSequence) {
        return charSequence.toString();
    }

    // Plain string comparison of the submitted password with the stored value
    @Override
    public boolean matches(CharSequence charSequence, String s) {
        return charSequence.toString().equals(s);
    }
}
and add in your WebSecurityConfig:
@Bean
public PasswordEncoder passwordEncoder() {
    return new PasswordEnconderTest();
}
It's not recommended, but you can implement it.
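For context on the snippets above about NoOpPasswordEncoder and the PasswordEncoder interface, and on the no-op encoder in this answer: since Spring Security 5 the encoder used when none is configured explicitly is a DelegatingPasswordEncoder (PasswordEncoderFactories.createDelegatingPasswordEncoder()), which expects every stored value to begin with an {id} prefix naming the algorithm, and a PasswordEncoder bean present in the application context is picked up in preference to that default. The following is an added example, not code from the question or the answer, showing how that prefix scheme lets one encoder verify bcrypt rows and legacy {noop} rows while still writing bcrypt for new passwords, rejects rows with no prefix, and flags which rows need re-hashing. It assumes spring-security-crypto 5.1 or later on the classpath; the class name PasswordEncoderDemo, the method name migrationEncoder and the sample password are constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (class name is illustrative): one DelegatingPasswordEncoder that
// writes bcrypt for new passwords but can still verify legacy "{noop}" rows.
public class PasswordEncoderDemo {

    // Build the encoder. "bcrypt" is the id used by encode(); "noop" is present
    // only so rows stored as plaintext can be verified until they are re-hashed.
    @SuppressWarnings("deprecation") // NoOpPasswordEncoder is deprecated on purpose
    static PasswordEncoder migrationEncoder() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        encoders.put("noop", NoOpPasswordEncoder.getInstance());
        return new DelegatingPasswordEncoder("bcrypt", encoders);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = migrationEncoder();

        // Saving a new user: the stored value carries the algorithm id as a prefix,
        // e.g. "{bcrypt}$2a$10$..." (the hash itself differs on every call because
        // bcrypt generates a fresh salt each time).
        String stored = encoder.encode("s3cret");
        System.out.println("prefix ok:     " + stored.startsWith("{bcrypt}"));

        // Login: the prefix selects which encoder performs the comparison.
        System.out.println("good password: " + encoder.matches("s3cret", stored));
        System.out.println("bad password:  " + encoder.matches("wrong", stored));

        // A legacy row written without hashing (constructed sample value).
        String legacyRow = "{noop}s3cret";
        System.out.println("legacy row:    " + encoder.matches("s3cret", legacyRow));

        // A row with no prefix at all (what an unencoded save produces) cannot be
        // matched: the delegating encoder throws instead of silently comparing.
        try {
            encoder.matches("s3cret", "s3cret");
        } catch (IllegalArgumentException e) {
            System.out.println("unprefixed row rejected: " + e.getMessage());
        }

        // upgradeEncoding() flags rows that should be re-hashed with the current
        // algorithm the next time the user logs in, so "{noop}" rows can be retired.
        System.out.println("legacy needs upgrade: " + encoder.upgradeEncoding(legacyRow));
        System.out.println("bcrypt needs upgrade: " + encoder.upgradeEncoding(stored));
    }
}
```

Compile and run it with spring-security-crypto (and its commons-logging dependency) on the classpath. The design point is that the {noop} entry exists to read old rows during a migration, not to write new ones: encode() always produces a {bcrypt} value, and upgradeEncoding() tells the application which rows still need to be re-hashed after a successful login, so an all-plaintext encoder like the one in the answer never has to become the application's default.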