[Fixed] Spring Security: Encoded password does not look like Bcrypt
Written by Nam Ha Minh
Last Updated on 31 March 2020
When implementing authentication with Spring Security, you may face this warning:
Encoded password does not look like BCrypt
This causes the login function of your Spring application to stop working. There are a couple of reasons you might get this error.
Reason #1:
The password stored in the database is not in BCrypt format. A password encoded with the BCrypt hash algorithm looks like this:
$2a$10$rfUczXcy3gmhT2Hft.ewI.jrK3JtBNVs0z7BLgx4x15xuYHI95mg6
To fix this issue, use a BCrypt generator tool online to encode your plain-text password into BCrypt format, or write a simple Java program that hashes a plain-text password with the BCrypt algorithm, as follows:

```java
package net.codejava;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class PasswordEncoderTest {

    public static void main(String[] args) {
        // BCryptPasswordEncoder generates a random salt and uses strength 10 by default
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        String encodedPassword = passwordEncoder.encode("yourplaintextpassword");
        // Prints a 60-character value starting with $2a$10$
        System.out.println(encodedPassword);
    }
}
```
Then update the password in the database.
If in-memory users are used, you can encode the passwords as below:

```java
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // The delegating encoder stores the hash with an {id} prefix, e.g. {bcrypt}$2a$10$...
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        auth.inMemoryAuthentication()
            .withUser("admin").password(encoder.encode("nimda"))
            .roles("ADMIN");
    }
}
```
Or use the {bcrypt} prefix on an already encoded password, like this:

```java
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
        .withUser("namhm").password("{bcrypt}$2a$10$fUXt47JTx/Rv/OHBkQgqAOvan445zDU7tCZcHr...")
        .roles("USER");
}
```
Reason #2:
You use the {bcrypt} prefix in the password of an in-memory user while also explicitly declaring BCrypt as the password encoder, for example:

```java
@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
        .withUser("namhm").password("{bcrypt}$2a$10$fUXt47JTx/Rv/OHBkQgqAOvan445zDU7tCZcHr...")
        .roles("USER");
}
```

Here the BCryptPasswordEncoder bean receives the whole string, including the literal {bcrypt} prefix, so the value no longer matches the BCrypt hash pattern. To fix the login issue and get rid of the warning “Encoded password does not look like BCrypt”, either remove the {bcrypt} prefix or remove the password encoder declaration (Spring Security then falls back to its default DelegatingPasswordEncoder, which understands the prefix).
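As an added example that is not code from the original post, the following program checks a stored value the way the two encoders do, covering both reasons above: it tests whether a string has the shape of a BCrypt hash, and shows how BCryptPasswordEncoder and the default DelegatingPasswordEncoder treat a {bcrypt}-prefixed value. The class name, the looksLikeBcrypt helper and the sample password "nimda" are assumptions of this example.

```java
package net.codejava;

import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not code from the original post; class name and helper are assumptions.
public class StoredPasswordCheck {

    // Shape of a BCrypt hash: $2$, $2a$, $2b$ or $2y$, a two-digit cost, then
    // 22 salt characters and 31 hash characters from the bcrypt base64 alphabet.
    private static final Pattern BCRYPT_SHAPE =
            Pattern.compile("\\A\\$2[aby]?\\$\\d\\d\\$[./0-9A-Za-z]{53}\\z");

    // Mirrors the check BCryptPasswordEncoder.matches() performs before verifying;
    // a stored value that fails it is what triggers the "does not look like BCrypt" warning.
    static boolean looksLikeBcrypt(String stored) {
        return stored != null && BCRYPT_SHAPE.matcher(stored).matches();
    }

    public static void main(String[] args) {
        String rawPassword = "nimda"; // constructed sample password
        PasswordEncoder bcryptOnly = new BCryptPasswordEncoder();
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        String bareHash = bcryptOnly.encode(rawPassword);     // $2a$10$... with no prefix
        String prefixedHash = delegating.encode(rawPassword); // {bcrypt}$2a$10$...

        // Reason #1: a plain-text value stored in the database has no BCrypt shape.
        System.out.println("raw text has BCrypt shape:      " + looksLikeBcrypt(rawPassword));
        System.out.println("bare hash has BCrypt shape:     " + looksLikeBcrypt(bareHash));
        // Reason #2: with the {bcrypt} prefix in front, the whole string loses that shape.
        System.out.println("prefixed hash has BCrypt shape: " + looksLikeBcrypt(prefixedHash));

        // BCryptPasswordEncoder treats the literal prefix as part of the hash,
        // logs the warning and rejects the login.
        System.out.println("BCryptPasswordEncoder accepts prefixed hash:     "
                + bcryptOnly.matches(rawPassword, prefixedHash));
        // DelegatingPasswordEncoder strips the {bcrypt} id, selects BCrypt and verifies.
        System.out.println("DelegatingPasswordEncoder accepts prefixed hash: "
                + delegating.matches(rawPassword, prefixedHash));
        // Caveat: DelegatingPasswordEncoder throws IllegalArgumentException for a value
        // with no {id} prefix, so a bare hash needs an explicit BCryptPasswordEncoder.
    }
}
```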