1.5.3 Sha256
Info
The Sha256 Password Encoder uses a random salt, so the encoded password is different every time.
It has a matches() method to compare an encoded password with the original password.
You can also provide a secret that is applied every time.
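The three properties above, checked against the encoder itself and then re-derived by hand from the stored value (an added example, not code from this tutorial). The class name Sha256EncoderDemo, the helper verifyByHand and both secret strings are made up for illustration; the salt length, iteration count and concatenation order follow the StandardPasswordEncoder Javadoc.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;

// Added example, not part of the tutorial project. Needs spring-security-crypto on the classpath.
public class Sha256EncoderDemo {

    // Re-derives the stored value by hand, following the StandardPasswordEncoder Javadoc:
    // output = hex(salt || digest), salt = 8 random bytes,
    // digest = SHA-256 applied 1024 times, starting from salt || secret || password.
    static boolean verifyByHand(String encoded, String secret, String rawPassword) throws Exception {
        byte[] stored = Hex.decode(encoded);
        byte[] salt = Arrays.copyOfRange(stored, 0, 8);
        byte[] storedDigest = Arrays.copyOfRange(stored, 8, stored.length);

        ByteArrayOutputStream input = new ByteArrayOutputStream();
        input.write(salt);
        input.write(secret.getBytes(StandardCharsets.UTF_8));
        input.write(rawPassword.getBytes(StandardCharsets.UTF_8));

        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] value = input.toByteArray();
        for (int i = 0; i < 1024; i++) {
            value = sha256.digest(value);
        }
        return MessageDigest.isEqual(storedDigest, value); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-demo-secret"; // sample value, made up for this example
        PasswordEncoder encoder = new StandardPasswordEncoder(secret);

        // Each call draws a fresh salt, so the same password yields two different strings.
        String first = encoder.encode("mypassword");
        String second = encoder.encode("mypassword");
        System.out.println("first  = " + first);
        System.out.println("second = " + second);
        System.out.println("identical strings: " + first.equals(second));

        // matches() reads the salt back out of the stored value and recomputes the digest.
        System.out.println("matches, same secret:  " + encoder.matches("mypassword", first));
        System.out.println("matches, other secret: "
                + new StandardPasswordEncoder("another-secret").matches("mypassword", first));
        System.out.println("verified by hand:      " + verifyByHand(first, secret, "mypassword"));
    }
}
```

Spring Security marks StandardPasswordEncoder as deprecated because a fast iterated digest is not considered secure for password storage; its Javadoc points to adaptive functions such as BCryptPasswordEncoder for new code.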
Example
In this tutorial the User is defined inside application.properties.
But instead of providing the Password in raw format, we will provide an LDAP Encoded Password.
mypassword gets encoded into {SSHA}xK8jUaSvNK39bRn6bOCKa8hU9yzRfNoNkQF7Eg==.
Inside the Controller we have added the "/EncodePassword" Endpoint, which you can use to encode other Passwords.
Inside WebSecurityConfig.java we have allowed Anonymous Access to this Endpoint.
If you want to use another password:
1. Start the Application
2. Call the Endpoint http://localhost:8080/EncodePassword?password=anotherpassword
3. Copy the result into application.properties under spring.security.user.password
4. Restart the Application
5. Try to access http://localhost:8080/Hello
6. In the Login Form, type anotherpassword
Application Schema [Results]
[Figure: Browser calls Tomcat at http://localhost:8080/EncodePassword?password=mypassword (handled by encodePassword()) and at http://localhost:8080/Hello (handled by hello()).]

Spring Boot Starters
| GROUP | DEPENDENCY | DESCRIPTION |
| --- | --- | --- |
| Web | Spring Web | Enables @Controller, @RequestMapping and Tomcat Server |
| Security | Spring Security | Enables Spring Security |
Procedure
Create Project: springboot_security_passwordencoders_sha256 (add Spring Boot Starters from the table)
Edit File: application.properties (add Role, User, Password)
Create Package: controllers (inside main package)
Create Class: MyController.java (inside package controllers)
Create Package: config (inside main package)
Create Class: WebSecurityConfig.java (inside package config)
application.properties
# SECURITY
spring.security.user.name = myuser
spring.security.user.password = 6897d478555b5baf32b35f0f1ffc7d01b9aa77df56458caababca855541f77c9e7265813959758cf
spring.security.user.roles = USER
MyController.java
package com.ivoronlne.springboot_security_passwordencoders_sha256.controllers;

import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class MyController {

    // Helper endpoint for this tutorial. The raw password arrives in the query string,
    // so it can end up in browser history and access logs.
    @ResponseBody
    @RequestMapping("/EncodePassword")
    public String encodePassword(@RequestParam String password) {

        //GET PASSWORD ENCODER
        PasswordEncoder passwordEncoder = new StandardPasswordEncoder();

        //ENCODE PASSWORD
        String encodedPassword = passwordEncoder.encode(password);

        //RETURN ENCODED PASSWORD
        return encodedPassword;
    }

    @ResponseBody
    @RequestMapping("/Hello")
    public String hello() {
        return "Hello from Controller";
    }
}
WebSecurityConfig.java
package com.ivoronlne.springboot_security_passwordencoders_sha256.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    //====================================================================
    // PASSWORD ENCODER
    //====================================================================
    @Bean
    PasswordEncoder passwordEncoder() {
        return new StandardPasswordEncoder();
    }

    //====================================================================
    // CONFIGURE
    //====================================================================
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests().antMatchers("/EncodePassword").permitAll(); //Anonymous Access
        httpSecurity.authorizeRequests().anyRequest().authenticated();               //Authenticated Access
        httpSecurity.formLogin();                                                    //Default Login Form
    }
}