Amin Agha

Reputation: 341

Spring Boot JWT - Adding BCrypt Security - Getting Access Denied

I have an application server which uses the Spring Boot framework with JWT tokens. I want to encrypt the user password, but I am running into login issues. I am able to encrypt the user's password using userModel.setPassword(new BCryptPasswordEncoder().encode(userModel.getPassword())); but when trying to login I am getting "Encoded password does not look like BCrypt". I tried to change my authenticate method and encrypt the password from the login request, but it didn't work.

    // inside the authenticate method: the submitted password is encoded again before authentication
    // (the enclosing authenticationManager.authenticate(...) call is assumed from the trailing parenthesis)
    authenticationManager.authenticate(
            new UsernamePasswordAuthenticationToken(
                    authenticationRequest.getUsername(),
                    new BCryptPasswordEncoder().encode(authenticationRequest.getPassword())));

I would appreciate your help, if you could point me in the right direction or give me a solution. Below is my security config file.

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final MyUserDetailService myUserDetailService;
    private final JwtRequestFilter jwtRequestFilter;

    public SecurityConfig(MyUserDetailService myUserDetailService, JwtRequestFilter jwtRequestFilter) {
        this.myUserDetailService = myUserDetailService;
        this.jwtRequestFilter = jwtRequestFilter;
    }

    @Override
    // Authentication : User --> Roles
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {

        auth.authenticationProvider(authProvider());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(myUserDetailService);
        authProvider.setPasswordEncoder(passwordEncoder());
        return authProvider;
    }

    @Override
    // Authorization : Role -> Access
    protected void configure(HttpSecurity http) throws Exception {

        http
                .csrf().disable()
                .formLogin().disable()
                .headers().frameOptions().disable()
                .and()
                .authorizeRequests()
                .antMatchers("/authenticate").permitAll()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
        return source;
    }
}

I am not able to authenticate (login) using either the encrypted password or the raw password. Please let me know what I can do to fix it.

Thank you for your help.

Upvotes: 0

Views: 1854

Answers (2)

Dorian

Reputation: 11

Hey, I had the same problem as you; I have just finished solving it.

// pass the raw submitted password through; the encoder compares it against the stored hash
// (the enclosing authenticationManager.authenticate(...) call is assumed from the trailing parenthesis)
authenticationManager.authenticate(
        new UsernamePasswordAuthenticationToken(
                authenticationRequest.getUsername(),
                authenticationRequest.getPassword())
);

Replace that part of your code with mine. By calling new BCryptPasswordEncoder().encode again, you create another salt value, different from the one created when saving the user in your database, so at login you will never get the same value as the one in the database.

Upvotes: 1

Chris

Reputation: 5673

The exception is thrown if the stored password in the database is not encrypted correctly.

Make sure it starts with $2a$ or $2b$ or $2y$ and is exactly 60 chars long.

Upvotes: 0
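The two answers together describe the whole picture: encode() salts afresh every call, so only matches() can verify a login, and a stored value that is not a well-formed bcrypt hash cannot be verified at all. The following added example (not code from the question or either answer) demonstrates both points; it assumes Spring Security's BCryptPasswordEncoder is on the classpath and uses a constructed sample password.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptLoginCheck {

    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Registration path: encode() exactly once; the random salt is embedded in the returned hash.
    static String hashForStorage(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    // Login path: hand the raw submitted password to matches(), which reads the salt
    // out of the stored hash and re-derives it. Never encode() the input a second time.
    static boolean loginMatches(String rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    // The shape check Chris describes: a bcrypt hash is 60 characters and starts with
    // $2a$, $2b$ or $2y$ followed by the two-digit cost. Useful as a sanity check on
    // what the user table actually contains before blaming the login code.
    static boolean looksLikeBcrypt(String storedHash) {
        return storedHash != null
                && storedHash.length() == 60
                && storedHash.matches("^\\$2[aby]\\$\\d{2}\\$.*");
    }

    public static void main(String[] args) {
        String raw = "correct horse battery staple"; // constructed sample password

        String stored = hashForStorage(raw);
        String reEncoded = ENCODER.encode(raw); // a second encode(), as the question's login code did

        // Dorian's point: the two strings differ because each encode() draws a new salt,
        // so comparing (or authenticating with) a re-encoded value can never succeed.
        System.out.println("stored:         " + stored);
        System.out.println("re-encoded:     " + reEncoded);
        System.out.println("equal strings:  " + stored.equals(reEncoded));
        System.out.println("matches(raw):   " + loginMatches(raw, stored));
        System.out.println("matches(hash):  " + loginMatches(reEncoded, stored));

        // Chris's point: a plaintext password stored by mistake fails the shape check;
        // matches() against such a value logs "Encoded password does not look like BCrypt"
        // and returns false, so every login for that user is rejected.
        System.out.println("stored looks like bcrypt:    " + looksLikeBcrypt(stored));
        System.out.println("plaintext looks like bcrypt: " + looksLikeBcrypt(raw));
    }
}
```

If looksLikeBcrypt() is false for rows in the user table, the registration path stored something other than the encoder's output, and those rows must be re-hashed before login can succeed.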
