Example With BCryptPasswordEncoder#

Configuration#

  • First, we comment out the old passwordEncoder configuration and add the new one in the class ProjectSecurityConfig, as shown below.
ProjectSecurityConfig.java

```java
package com.spring.security.spring.security.example.bCryptPasswordEncoder.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class ProjectSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Endpoint protection summary:
     *
     * contact: Not Secure
     * notice: Not Secure
     * balance: Secure
     * Card: Secure
     * Loan: Secure
     * Account: Secure
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // these paths require an authenticated user
                .antMatchers("/v1/accounts/**").authenticated()
                .antMatchers("/v1/balance").authenticated()
                .antMatchers("/v1/loan").authenticated()
                .antMatchers("/v1/card").authenticated()
                // these paths are public
                .antMatchers("/v1/contact").permitAll()
                .antMatchers("/v1/notice").permitAll()
                .and().formLogin()
                .and().httpBasic();
    }

    // Replaces the previous passwordEncoder bean: with this encoder, every password
    // stored in the database must be a BCrypt hash, not plain text.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

}
```
  • As you can see, the passwordEncoder bean now returns a new instance of BCryptPasswordEncoder.

Prepare Data In Database#

  • Next, use the SQL below to add a new record to the customers table.

```sql
INSERT INTO worldbank.customers
(id, email, password, `role`)
VALUES(2, 'han.do@example.com', '$2a$12$V.A53NkiPnA45W44aRYi2OLwUbbu08aDoY409/SKY/bT7cdF1PpLO', 'admin');
```
  • As you can see, the password is now a BCrypt hash string: because we are using the BCryptPasswordEncoder, every password stored in the database must be a BCrypt hash. If you don't know how to get an example BCrypt hash string, you can go to this page to get one for the example.
  • After executing the SQL above, there are two accounts in the customers table: the first is the old account with the plain-text password (12345), and the second is the account whose password is the BCrypt hash of the same raw password (12345).
```text
mysql> select * from customers;
id email password role
1 duc.nguyen@example.com 12345 admin
2 han.do@example.com $2a$12$V.A53NkiPnA45W44aRYi2OLwUbbu08aDoY409/SKY/bT7cdF1PpLO admin
```
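To see concretely why the two rows behave differently, here is a small stand-alone program (an added example, not code from the original page or project) that uses only spring-security-crypto. It generates a hash with cost factor 12, which is what the `$2a$12$` prefix of the stored hash indicates, verifies the raw password against a freshly generated hash and against the hash stored in the customers table, and shows that BCryptPasswordEncoder rejects a stored value that is not in BCrypt format. The class name BCryptDemo is an assumption.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BCryptDemo {

    // Raw password used by both accounts in the tutorial.
    static final String RAW_PASSWORD = "12345";

    // Hash taken from the customers table row inserted above.
    static final String STORED_HASH =
            "$2a$12$V.A53NkiPnA45W44aRYi2OLwUbbu08aDoY409/SKY/bT7cdF1PpLO";

    // Plain-text value stored for the old account (row id 1).
    static final String LEGACY_PLAINTEXT = "12345";

    public static void main(String[] args) {
        // Cost factor 12: matches the "$2a$12$" prefix of the stored hash.
        // Each encode() call draws a fresh random salt, so the output differs per call.
        PasswordEncoder encoder = new BCryptPasswordEncoder(12);

        String freshHash = encoder.encode(RAW_PASSWORD);
        System.out.println("fresh hash:           " + freshHash);
        System.out.println("cost/version prefix:  " + freshHash.substring(0, 7));

        // Verification never compares strings directly; matches() re-derives the
        // hash from the raw password using the salt embedded in the stored value.
        System.out.println("raw vs fresh hash:    " + encoder.matches(RAW_PASSWORD, freshHash));
        System.out.println("raw vs stored hash:   " + encoder.matches(RAW_PASSWORD, STORED_HASH));

        // Two hashes of the same password are different strings because of the salt,
        // yet both verify.
        String secondHash = encoder.encode(RAW_PASSWORD);
        System.out.println("two hashes differ:    " + !freshHash.equals(secondHash));
        System.out.println("raw vs second hash:   " + encoder.matches(RAW_PASSWORD, secondHash));

        // The legacy row holds "12345", which has no BCrypt structure. BCryptPasswordEncoder
        // checks the stored value against the BCrypt pattern before comparing, logs
        // "Encoded password does not look like BCrypt" and returns false. This is the
        // 401 seen in the Testing section for the old account.
        System.out.println("raw vs plain text:    " + encoder.matches(RAW_PASSWORD, LEGACY_PLAINTEXT));

        // A wrong password against a valid hash is also rejected.
        System.out.println("wrong pw vs stored:   " + encoder.matches("54321", STORED_HASH));
    }
}
```

Compile and run it with spring-security-crypto (and its optional commons-logging dependency) on the classpath. The important takeaway for operating such a system is the last two lines: a non-BCrypt stored value and a wrong password both yield `false`, so Spring Security cannot distinguish them at the API level, which is why the plain-text account simply appears as a failed login.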

Testing#

  • Now start your Spring Boot application and use Postman to call the API for testing. If you log in with the old account, whose password is stored in plain text, you will see the error code 401 Unauthorized.
  • Because we are using the BCryptPasswordEncoder but the stored password is plain text, the authentication fails and you cannot access the API.
  • Next, use the account with the BCrypt hash password in the database; this time you will see the successful result.
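In a real application you usually cannot switch the encoder and break every existing account at once, as the 401 above does for the old row. As an added example (not part of the original page or project), the program below shows the migration path Spring Security provides for exactly this situation: a DelegatingPasswordEncoder that reads a `{id}` prefix on each stored value to pick the right delegate, encodes new passwords with BCrypt, and reports which rows still need re-hashing. The two row values are constructed stand-ins for the two customers rows, with the prefix added; the class and method names are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class MigrationEncoderDemo {

    // Hypothetical replacement for the passwordEncoder bean during a migration window.
    // New passwords are encoded with the default id "bcrypt"; stored values prefixed
    // "{noop}" are still accepted until they have been re-hashed.
    @SuppressWarnings("deprecation") // NoOpPasswordEncoder is deprecated on purpose: legacy only
    public static PasswordEncoder migrationPasswordEncoder() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder(12));
        encoders.put("noop", NoOpPasswordEncoder.getInstance());
        return new DelegatingPasswordEncoder("bcrypt", encoders);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = migrationPasswordEncoder();

        // Constructed stand-ins for the two customers rows, now carrying the storage prefix
        // that DelegatingPasswordEncoder uses to choose the delegate.
        String legacyRow = "{noop}12345";
        String bcryptRow = "{bcrypt}$2a$12$V.A53NkiPnA45W44aRYi2OLwUbbu08aDoY409/SKY/bT7cdF1PpLO";

        System.out.println("legacy row matches:        " + encoder.matches("12345", legacyRow));
        System.out.println("bcrypt row matches:        " + encoder.matches("12345", bcryptRow));

        // A stored value without any prefix maps to no delegate. DelegatingPasswordEncoder
        // throws IllegalArgumentException rather than guessing, so an un-migrated
        // plain-text row still fails to authenticate instead of silently passing.
        try {
            encoder.matches("12345", "12345");
        } catch (IllegalArgumentException e) {
            System.out.println("unprefixed row rejected:   " + e.getMessage());
        }

        // Newly encoded passwords are written with the default id, i.e. "{bcrypt}$2a$12$...".
        String fresh = encoder.encode("12345");
        System.out.println("new value has bcrypt id:   " + fresh.startsWith("{bcrypt}"));

        // upgradeEncoding() is true for any row whose id differs from the default id,
        // which is the signal to re-hash that row after its next successful login.
        System.out.println("legacy row needs upgrade:  " + encoder.upgradeEncoding(legacyRow));
        System.out.println("bcrypt row needs upgrade:  " + encoder.upgradeEncoding(bcryptRow));
    }
}
```

The `{noop}` mapping exists only so the old row keeps working while it is re-hashed; once every row reports `upgradeEncoding(...) == false`, remove the `noop` entry so plain-text values are rejected again, as the plain BCryptPasswordEncoder in the tutorial's configuration already does.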
