1.5.4 BCrypt Info [G]
BCrypt Password Encoder uses a random salt, so the encoded form of the same password is different every time.
It has a matches() method to compare an encoded password with the original (raw) password.
When instantiating the encoder you can define its strength (cost factor). The default value is 10; with a bigger value it takes longer to encode.
The strength used is embedded in the result, e.g. $2a$10$lsrdF/M4slGjPOO8G/7cB.w6/SWqkyXCxqZJEZWjObavbMoJVY8QG (the 10 after $2a$).
The strength parameter serves as a defense against brute-force attacks: the higher the cost, the fewer candidate passwords can be tried in the same
amount of time.
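The three properties above (random salt, matches(), embedded strength) exercised in a small stand-alone program; this is an added example, not code from the tutorial, and it assumes only that spring-security-crypto is on the classpath. It also shows upgradeEncoding(), which lets an application detect stored hashes made at a lower cost than the one it now uses.

```java
// Added example (not part of the tutorial). Assumes spring-security-crypto on the classpath.
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptDemo {

    // The cost factor is stored inside the hash itself: "$2a$10$..." carries a 10.
    static int costOf(String encoded) {
        String[] parts = encoded.split("\\$");   // ["", "2a", "10", "<22-char salt + 31-char hash>"]
        return Integer.parseInt(parts[2]);
    }

    public static void main(String[] args) {
        String raw = "mypassword";

        // 1. Random salt: a fresh salt is drawn per encode, so the two strings differ,
        //    yet matches() accepts the raw password against either of them.
        PasswordEncoder encoder = new BCryptPasswordEncoder();   // default strength 10
        String first = encoder.encode(raw);
        String second = encoder.encode(raw);
        System.out.println("first : " + first);
        System.out.println("second: " + second);
        System.out.println("same string?   " + first.equals(second));
        System.out.println("both match?    " + (encoder.matches(raw, first) && encoder.matches(raw, second)));
        System.out.println("wrong password " + encoder.matches("notmypassword", first));
        System.out.println("embedded cost  " + costOf(first));

        // 2. Strength: each +1 roughly doubles the work for the defender and the attacker alike.
        //    Time one encode at strength 10 and 12 to see the difference on this machine.
        for (int strength : new int[] {10, 12}) {
            PasswordEncoder e = new BCryptPasswordEncoder(strength);
            long start = System.nanoTime();
            e.encode(raw);
            long ms = (System.nanoTime() - start) / 1_000_000;
            System.out.println("strength " + strength + ": about " + ms + " ms per encode");
        }

        // 3. Because the cost is embedded, an encoder configured with a higher strength can
        //    flag old hashes for re-hashing at the user's next successful login.
        BCryptPasswordEncoder stronger = new BCryptPasswordEncoder(12);
        System.out.println("cost-10 hash needs rehash? " + stronger.upgradeEncoding(first));
        System.out.println("cost-12 hash needs rehash? " + stronger.upgradeEncoding(stronger.encode(raw)));
    }
}
```

The timing in step 2 is also why an endpoint like the tutorial's /EncodePassword is CPU-bound: every call performs a full-cost BCrypt computation.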
Example
In this tutorial the user is defined inside application.properties.
But instead of providing the password in raw format we provide the BCrypt-encoded password.
mypassword gets encoded into $2a$10$zV89sUNg2HOQn6AQDT.SIO0CzE9W/ZHU095k49pHwJpbckDupYFxG.
Inside the controller we have added an "/EncodePassword" endpoint which you can use to encode other passwords.
Inside WebSecurityConfig.java we have allowed anonymous access to this endpoint.
If you want to use another password:
Start the application
Call the endpoint http://localhost:8080/EncodePassword?password=anotherpassword
Copy the result into application.properties under spring.security.user.password
Restart the application
Try to access http://localhost:8080/Hello
In the login form type anotherpassword
Application Schema [Results]
Spring Boot Starters
GROUP    | DEPENDENCY      | DESCRIPTION
Web      | Spring Web      | Enables @Controller, @RequestMapping and Tomcat Server
Security | Spring Security | Enables Spring Security
[Diagram: Browser -> Tomcat -> MyController; http://localhost:8080/EncodePassword?password=mypassword is served by encodePassword(), http://localhost:8080/Hello by hello()]
Procedure
Create Project: springboot_security_passwordencoders_bcrypt (add Spring Boot Starters from the table)
Edit File: application.properties (add Role, User, Password)
Create Package: controllers (inside main package)
Create Class: MyController.java (inside package controllers)
Create Package: config (inside main package)
Create Class: WebSecurityConfig.java (inside package config)
application.properties
# SECURITY
spring.security.user.name = myuser
spring.security.user.password = $2a$10$zV89sUNg2HOQn6AQDT.SIO0CzE9W/ZHU095k49pHwJpbckDupYFxG
spring.security.user.roles = USER
MyController.java
package com.ivornline.springboot_security_passwordencoders_bcrypt.controllers;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class MyController {

    //====================================================================
    // ENCODE PASSWORD
    //====================================================================
    @ResponseBody
    @RequestMapping("/EncodePassword")
    public String encodePassword(@RequestParam String password) {
        //GET PASSWORD ENCODER
        PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        //ENCODE PASSWORD
        String encodedPassword = passwordEncoder.encode(password);
        //RETURN ENCODED PASSWORD
        return encodedPassword;
    }

    //====================================================================
    // HELLO
    //====================================================================
    @ResponseBody
    @RequestMapping("/Hello")
    public String hello() {
        return "Hello from Controller";
    }
}
WebSecurityConfig.java
package com.ivornline.springboot_security_passwordencoders_bcrypt.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    //====================================================================
    // PASSWORD ENCODER
    //====================================================================
    @Bean
    PasswordEncoder passwordEncoder() {
        // Registered as a bean so Spring Security verifies the BCrypt hash from application.properties with it
        return new BCryptPasswordEncoder();
    }

    //====================================================================
    // CONFIGURE
    //====================================================================
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests().antMatchers("/EncodePassword").permitAll(); //Anonymous Access
        httpSecurity.authorizeRequests().anyRequest().authenticated(); //Authenticated Access
        httpSecurity.formLogin(); //Default Login Form
    }
}