How to use Spring security without password encoding?

Others 2022-04-21 21:03:34 views: 0
Arjun :

I'm trying to learn Spring security currently. I used BCryptPasswordEncoder to encode user password before persisting into a database

Code:

@Override
    public void saveUser(User user) {
        user.setPassword(bCryptPasswordEncoder.encode(user.getPassword()));
        user.setActive(1);
        Role userRole = roleRepository.findByRole("ADMIN");
        user.setRoles(new HashSet<Role>(Arrays.asList(userRole)));
        userRepository.save(user);
    }

Then used it during authentication as well and User was getting authenticated as expected.

@Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.
            jdbcAuthentication()
                .usersByUsernameQuery(usersQuery)
                .authoritiesByUsernameQuery(rolesQuery)
                .dataSource(dataSource).passwordEncoder(bCryptPasswordEncoder);
    }

Then I removed .passwordEncoder(bCryptPasswordEncoder); from configure() method, still users with encoded password is getting authenticated successfully.

Then I removed password encoder from both the saveUser() and the configure() method, and persisted a User into the database(i.e without password encoding) and tried to access an authenticated page but I got AccessedDeniedException,

But users with encoded password still gets authenticated even though i removed passwordEncoder() from configure() method. Why is this happening?

Does spring security by default use password encoder during authentication?

If so how to use spring security without password encoding?

M. Deinum :

With Spring Security 5 encryption on passwords is always enabled. The encryption used by default is bcrypt. What is neat about Spring Security 5 is that it actually allows you to specify, in your password, which encryption was used to create the has.

For this see the Password Storage Format in the Spring Security Reference Guide. In short it allows you to prefix your password for a well known key to an algorithm. The storage format is {<encryption>}<your-password-hash>.

When using nothing it would become {noop}your-password (which would use the NoOpPasswordEncoder and {bcrypt}$a2...... would use the BcryptPasswordEncoder. There are several algorithms supported out-of-the-box, but you can also define your own.

To define your own create your own PasswordEncoder and register it under a key with the DelegatingPasswordEncoder.

Guess you like

Origin http://43.154.161.224:23101/article/api/json?id=71988&siteId=1
Recommended
Face Wall Intelligence releases the Eurux-8x22B open source large model - it can be called the "science champion"
Kaiyuan Daily | Google supports Hongmeng to take over; open source Rabbit R1; Android phones supported by Docker; Microsoft’s anxiety and ambition; Haier Electric shuts down the open platform
Ranking
Jianzhi offer interview questions 68-II. The nearest common ancestor of a binary tree (recursive)
jQuery Mobile development 1-UI components
Summary of Kotlin function knowledge
[ZZ] The Naked Truth About Anisotropic Filtering
Diagnosis: record a recovery of abnormal CRASH storage caused the database to be unable to be opened normally
Redis introduction and Linux installation Redis
Experiment 2 Introduction to switches
glances open source command-line system monitoring tools introduced
Use of selector
vue3 handwriting a carousel picture
Daily
More
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)

Code World

© 2018 codetd.com