Comments (9)
AlicanBalik
commented on May 28, 2024
15
Sure.
First, open your security configuration which extends WebSecurityConfigurerAdapter and paste below function:
@Bean
public static PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
Then in the same configuration file, modify your authenticationProvider() function like this:
@Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(customUserDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoder());
return authenticationProvider;
}
Note: If you create multiple PasswordEncoder beans, the compiler will always select the first one. If you also need to implement NoOpPasswordEncoder, do it in the file that you really need to use it and create it without @Bean.
@SuppressWarnings("deprecation")
public static NoOpPasswordEncoder passwordEncoder() {
return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
}
In your service, or wherever you want to use you need to autowire the `PasswordEncoder`:
@Autowired
private PasswordEncoder passwordEncoder;
And you can encrypt your String like this: `passwordEncoder.encode("password");`
If you want to match a raw password with an encrypted one, you can do it with `passwordEncoder.matches("rawPassword", user.getPassword());` where `user.getPassword()` returns an encrypted password (from db).
from spring-security-registration.
AlicanBalik
commented on May 28, 2024
2
Yes, I did. If you also have the same problem, you can follow here
from spring-security-registration.
misabelcarde
commented on May 28, 2024
1
I had to encode the client secret too. Don't know if that's the best practice.
@Override
public void configure(ClientDetailsServiceConfigurer configurer) throws Exception {
configurer
.inMemory()
.withClient(clientId)
.secret(passwordEncoder.encode(clientSecret))
.authorizedGrantTypes(grantType)
.scopes(scopeRead, scopeWrite)
.resourceIds(resourceIds);
}
from spring-security-registration.
lor6
commented on May 28, 2024
1
Issue has been fixed in the codebase after Boot 2 upgrade.
from spring-security-registration.
misabelcarde
commented on May 28, 2024
Hi @AlicanBalik I saw you closed the issue. Did you solve the problem?
from spring-security-registration.
andersonkxiass
commented on May 28, 2024
@AlicanBalik Maybe you could explain how you did this fix? NOTE: I read the documentation, need to see some example. thks
from spring-security-registration.
AlicanBalik
commented on May 28, 2024
It should be the same thing. Let's say:
private String clientSecret = "mySecret";
private String encodedClientSecret = passwordEncoder.encode(clientSecret); // assume encoded value is $%*@DJ#
configurer
.inMemory()
.withClient(clientId)
.secret(encodedClientSecret)
.authorizedGrantTypes(grantType)
.scopes(scopeRead, scopeWrite)
.resourceIds(resourceIds);
In this point, your secret is actually $%*@DJ#. If I have this value, I can bypass your security. The important thing is to secure your clientSecret value in the application.properties. There are many ways to secure that.
- Default option: just put the value in the application.properties.
- Better option: You can create one more .properties profile and put your value there. Then call that value in the application.properties. Important note for this one is that you must discard your new .properties file from the git so you won't push it anywhere.
e.g.:
application-local.properties:
client.secret.hidden = mySecret
--
application.properties =
client.secret = ${client.secret.hidden}
Then call this value in your class:
@Value("${client.secret}")
private String clientSecret;
-
Use Spring Cloud to store your
.properties. -
The best for me: Store sensitive information in the db. (It requires different configuration, because you will no longer use
configurer.inMemory() ....).
from spring-security-registration.
hzlijianjun
commented on May 28, 2024
Maybe, You shoud check it :
https://stackoverflow.com/questions/49582971/encoded-password-does-not-look-like-bcrypt
from spring-security-registration.
prashdeep
commented on May 28, 2024
This issue is still reproducible with Spring boot version 2.2.0 and Spring security 5.2.0 version with inmemory authentication.
` @Autowired
public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder
.inMemoryAuthentication()
.withUser("hari")
.password("welcome")
.roles("USER")
.and()
.withUser("kiran")
.password("testing")
.roles("USER", "ADMIN")
.and()
.passwordEncoder(passwordEncoder());
@bean
public BCryptPasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
`
2019-11-03 19:10:50.962 WARN 14504 --- [nio-8080-exec-1] o.s.s.c.bcrypt.BCryptPasswordEncoder : Encoded password does not look like BCrypt
from spring-security-registration.
Related Issues (20)
- Update the code in article spring-security-block-brute-force-authentication-attempts HOT 1
- error in registration process HOT 1
- Broken code in UserService.java HOT 3
- About security : HTTP 2 instead of HTTP 1.1 HOT 1
- MFA keeps failing: totp validation always returns false HOT 2
- When update all POM dependecies? HOT 2
- Login form submits to unexisting action HOT 3
- Runtime error due to rest-assured dependency HOT 3
- Unable to do API test with Rest Assured API framework- Getting below error - Not sure what is the issue HOT 2
- Failing tests HOT 1
- wont run after packaging war
- Make LoggedUser serializable or don't store it in the session. HOT 2
- Unable to resolve JDBC type code for column `roles.users` HOT 2
- MyLogoutSuccessHandler needs (to extend) SimpleUrlLogoutSuccessHandler HOT 1
- A successful login shouldn't reset the attempt counter HOT 2
- Full courses refund
- Spring Boot 3.0 Migration HOT 1
- Application does not run when deployed to web container (Liberty as an example) HOT 1
- unable to start this application with mysql HOT 2
- Linux io problem HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from spring-security-registration.