When implementing authentication with Spring Security, you may see this warning in the log:
Encoded password does not look like BCrypt
When it appears, the login function of your Spring application stops working: the password check fails even though the user typed the right password. There are a couple of reasons you can get this warning.
Reason #1:
The password stored in the database is not in BCrypt format (for example, it is still plain text). A password encoded with the BCrypt hash algorithm looks like this:
$2a$10$rfUczXcy3gmhT2Hft.ewI.jrK3JtBNVs0z7BLgx4x15xuYHI95mg6
To fix this issue, encode your plain-text password into BCrypt format. An online BCrypt generator tool works, but keep in mind that it sees the plain-text password you paste into it, so for real credentials prefer doing it locally. With Java, you can write a simple program that hashes a plain-text password with the BCrypt algorithm as follows:

```java
package net.codejava;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class PasswordEncoderTest {

    public static void main(String[] args) {
        // Default strength (cost) is 10, matching the "$2a$10$" prefix shown above
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        String encodedPassword = passwordEncoder.encode("yourplaintextpassword");
        System.out.println(encodedPassword);
    }
}
```

Then update the password column in the database with the printed value.
If in-memory users are used, you can encode the passwords as follows:

```java
package net.codejava;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // The delegating encoder produces "{bcrypt}$2a$10$..." values and is also
        // the encoder Spring Security uses by default when none is declared
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        auth.inMemoryAuthentication()
            .withUser("admin").password(encoder.encode("nimda"))
            .roles("ADMIN");
    }
}
```

Or use the {bcrypt} prefix on an already encoded password like this:

```java
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // No PasswordEncoder bean is declared, so the default delegating encoder reads
        // the {bcrypt} prefix and hands the rest of the value to BCryptPasswordEncoder
        auth.inMemoryAuthentication()
            .withUser("namhm").password("{bcrypt}$2a$10$fUXt47JTx/Rv/OHBkQgqAOvan445zDU7tCZcHr...")
            .roles("USER");
    }
}
```
Reason #2:
You use the {bcrypt} prefix in the password of an in-memory user while also explicitly declaring the password encoder to be BCrypt, for example:

```java
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Declaring this bean replaces the default delegating encoder with a plain BCryptPasswordEncoder
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // The {bcrypt} prefix is now passed to BCryptPasswordEncoder unchanged, which it cannot parse
        auth.inMemoryAuthentication()
            .withUser("namhm").password("{bcrypt}$2a$10$fUXt47JTx/Rv/OHBkQgqAOvan445zDU7tCZcHr...")
            .roles("USER");
    }
}
```

Because a plain BCryptPasswordEncoder is used instead of the delegating encoder, nothing strips the {bcrypt} prefix, so the stored value no longer matches the BCrypt pattern and every login fails. To fix the login issue and get rid of the warning “Encoded password does not look like BCrypt”, either remove the {bcrypt} prefix or remove the PasswordEncoder bean declaration (do one, not both).
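The following stand-alone program is an added example, not code from the original post; it puts both reasons side by side so you can see what each encoder accepts. It assumes only spring-security-crypto on the classpath. The hash constant is the one shown earlier on this page (its plain text is not known, so it is used only for the format check), the password "nimda" is a constructed sample, and the BCRYPT_PATTERN regex is modeled on the check BCryptPasswordEncoder performs before comparing, not copied from it.

```java
package net.codejava;

import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BCryptFormatCheck {

    // Shape of a BCrypt hash: "$2a$" (or $2b$/$2y$), a two-digit cost, then 53 chars of
    // salt + digest. Modeled on the pattern BCryptPasswordEncoder checks before comparing;
    // a value that fails this check triggers "Encoded password does not look like BCrypt".
    private static final Pattern BCRYPT_PATTERN =
            Pattern.compile("\\A\\$2(a|y|b)?\\$(\\d\\d)\\$[./0-9A-Za-z]{53}");

    // Hash shown earlier on this page; plain text unknown, used only for the format check
    static final String HASH_FROM_POST =
            "$2a$10$rfUczXcy3gmhT2Hft.ewI.jrK3JtBNVs0z7BLgx4x15xuYHI95mg6";

    static boolean looksLikeBCrypt(String encoded) {
        return encoded != null && BCRYPT_PATTERN.matcher(encoded).matches();
    }

    public static void main(String[] args) {
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        String plain = "nimda"; // constructed sample password

        // Reason #1: a plain-text (or otherwise non-BCrypt) value in the database fails the
        // format check, while a real BCrypt hash passes it
        System.out.println("plain text passes format check: " + looksLikeBCrypt(plain));
        System.out.println("hash from post passes format check: " + looksLikeBCrypt(HASH_FROM_POST));

        // BCryptPasswordEncoder produces the bare "$2a$10$..." form and verifies it directly
        String bare = bcrypt.encode(plain);
        System.out.println("bare hash: " + bare);
        System.out.println("bcrypt.matches(bare): " + bcrypt.matches(plain, bare));

        // The delegating encoder prepends "{bcrypt}" so it can pick the right encoder later,
        // and it strips that prefix again before delegating the comparison
        String prefixed = delegating.encode(plain);
        System.out.println("prefixed hash: " + prefixed);
        System.out.println("delegating.matches(prefixed): " + delegating.matches(plain, prefixed));

        // Reason #2: the prefixed value handed to a plain BCryptPasswordEncoder. Nothing strips
        // "{bcrypt}", so the format check fails, the warning is logged and the login is rejected
        System.out.println("bcrypt.matches(prefixed): " + bcrypt.matches(plain, prefixed));

        // The first fix from the post: keep BCryptPasswordEncoder and drop the prefix
        String stripped = prefixed.substring("{bcrypt}".length());
        System.out.println("bcrypt.matches(stripped): " + bcrypt.matches(plain, stripped));
    }
}
```

Run it once with spring-security-crypto on the classpath and watch the log: the single call that fails is bcrypt.matches with the prefixed value, which is exactly the combination from Reason #2. Note that the reverse mismatch (a bare hash handed to the delegating encoder) is a different failure, since the delegating encoder rejects values without a recognized prefix, so pick one encoder style and store every password in that form.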