Reputation: 980
I have a Spring Boot 2.1.4.RELEASE RESTful web service app, created using Spring Initializr, with embedded Tomcat and the Thymeleaf template engine, packaged as an executable JAR file.
I have this configuration file:
    @Profile("dev")
    @Configuration
    @EnableWebSecurity
    public class DevWebSecurityConfig extends WebSecurityConfigurerAdapter {

        private static final Logger LOG = LoggerFactory.getLogger(DevWebSecurityConfig.class);

        @Autowired
        private UserSecurityService userSecurityService;

        @Autowired
        private Environment env;

        @Value("${server.servlet.context-path}")
        private String serverContextPath;

        /** The encryption SALT. */
        private static final String SALT = "12323*&^%of";

        @Bean
        public BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder(12, new SecureRandom(SALT.getBytes()));
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            final List<String> activeProfiles = Arrays.asList(env.getActiveProfiles());
            if (activeProfiles.contains("dev")) {
                http.csrf().disable();
                http.headers().frameOptions().disable();
            }
            http
                .authorizeRequests()
                .antMatchers(publicMatchers()).permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").defaultSuccessUrl("/guerrilla/teatre")
                .failureUrl("/login?error").permitAll()
                .and()
                .logout().permitAll();
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                .withUser("[email protected]").password("password")
                .roles("ADMIN");
        }

        private String[] publicMatchers() {
            /** Public URLs. */
            final String[] PUBLIC_MATCHERS = {
                "/webjars/**",
                serverContextPath + "/css/**",
                serverContextPath + "/js/**",
                serverContextPath + "/fonts/**",
                serverContextPath + "/images/**",
                serverContextPath,
                "/",
                "/error/**/*",
                "/console/**",
                SignupController.SIGNUP_URL_MAPPING,
                SignupController.USER_VALIDATION_URL_MAPPING
            };
            return PUBLIC_MATCHERS;
        }
    }
But when I log in to the system using the credentials [email protected] / password, I get this message on the login page: Error! "Bad credentials"
and I see this message on the console:
2019-04-15 10:50 [http-nio-2233-exec-4] WARN o.s.s.c.b.BCryptPasswordEncoder.matches(90) - Encoded password does not look like BCrypt
I also tried using $2y$12$EE25qVSZ2Td1D5k9mFHoYubKRqrRqCUGuwnLc9aNjosKMLeY/7/72, which is the BCrypt of password, but nevertheless I got the same error:
Encoded password does not look like BCrypt
Upvotes: 2
Views: 717
Reputation: 81
Try this.
    @Override
    public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
        User user = userRepository.findByuserName(userName);
        if (user == null) {
            throw new UsernameNotFoundException("userName " + userName + " not found in the database");
        }
        return new org.springframework.security.core.userdetails.User(
                user.getName(),
                new BCryptPasswordEncoder().encode(user.getPassword()),
                getGrantedAuth(user));
    }
Upvotes: 1
Reputation: 1027
You must specify the encrypted password and not the raw password.
Also make sure that the encrypted password starts with "$2a$" since 2a is the only version that the BCryptPasswordEncoder accepts.
Spring Security version 5.2.0.M1 supports 2a, 2b and 2y.
Upvotes: 5
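The format rule from the answer above, as an added example (not code from the original posts or from Spring Security): a stand-alone Java check that classifies a stored password string by its BCrypt version prefix, run against the two values the question tried. The class name, the regular expression and the `$2a$` sample are assumptions constructed for illustration; the accepted-prefix lists are taken from the answer.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BcryptFormatCheck {
    // Modular-crypt layout: $<version>$<2-digit cost>$<22-char salt + 31-char hash>
    private static final Pattern BCRYPT =
            Pattern.compile("\\A\\$(2[a-z]?)\\$(\\d\\d)\\$[./0-9A-Za-z]{53}\\z");

    // Accepted version prefixes as stated in the answer above (taken from the page).
    private static final List<String> BEFORE_5_2 = Arrays.asList("2a");
    private static final List<String> FROM_5_2_0_M1 = Arrays.asList("2a", "2b", "2y");

    static String classify(String stored, List<String> acceptedVersions) {
        Matcher m = BCRYPT.matcher(stored);
        if (!m.matches()) {
            // A raw password such as "password" ends up here.
            return "not BCrypt (raw or otherwise encoded value)";
        }
        String version = m.group(1);
        int cost = Integer.parseInt(m.group(2));
        if (!acceptedVersions.contains(version)) {
            return "BCrypt $" + version + "$ cost " + cost + ", version prefix rejected";
        }
        return "BCrypt $" + version + "$ cost " + cost + ", accepted";
    }

    public static void main(String[] args) {
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("raw value from configureGlobal", "password");
        samples.put("hash quoted in the question",
                "$2y$12$EE25qVSZ2Td1D5k9mFHoYubKRqrRqCUGuwnLc9aNjosKMLeY/7/72");
        // Constructed for format checking only: the same string with the prefix swapped to $2a$.
        samples.put("constructed $2a$ variant",
                "$2a$12$EE25qVSZ2Td1D5k9mFHoYubKRqrRqCUGuwnLc9aNjosKMLeY/7/72");
        for (Map.Entry<String, String> e : samples.entrySet()) {
            System.out.println(e.getKey());
            System.out.println("  before 5.2:    " + classify(e.getValue(), BEFORE_5_2));
            System.out.println("  from 5.2.0.M1: " + classify(e.getValue(), FROM_5_2_0_M1));
        }
    }
}
```

The check only inspects the string layout; it does not verify that a hash corresponds to any particular password.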