search

TilmeezUrRehmanBhatti / thymeleafdemo-employees-db

CRUD functionality using Spring Boot MVC
1 stars 0 forks source link

Encoded password does not look like BCrypt #2

Closed TilmeezUrRehmanBhatti closed 2 years ago

TilmeezUrRehmanBhatti commented 2 years ago

When i am using Spring Security UserDetailsService i am encounter Encoded password does not look like BCrypt, whereas without it working f9

From EmployeeServiceImpl

 @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

        Employee employee = employeeRepository.findByUserName(username);

        System.out.println(employee);

        if (username == null) {
            throw new UsernameNotFoundException("Invalid user name or password");
        }

         return new User(employee.getUserName(),employee.getPassword(),
                mapRolesToAuthorities(employee.getRoles()));
}

   private Collection<? extends GrantedAuthority> mapRolesToAuthorities(Collection<Role> roles) {
        return roles.stream()
                .map(
                        role -> new SimpleGrantedAuthority(role.getName())).collect(Collectors.toList());
    }

from securityconfig.java

package com.tilmeez.springboot.thymeleafdemo.config;

import com.tilmeez.springboot.thymeleafdemo.service.EmployeeService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

import javax.sql.DataSource;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    private  DataSource securityDataSource;

    private  EmployeeService employeeService;
    private  CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;

    @Autowired
    public SecurityConfig(DataSource securityDataSource, EmployeeService employeeService, CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler) {
        this.securityDataSource = securityDataSource;
        this.employeeService = employeeService;
        this.customAuthenticationSuccessHandler = customAuthenticationSuccessHandler;
    }

    @Bean
    public UserDetailsManager userDetailsManager() {
        return new JdbcUserDetailsManager(securityDataSource);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception{

        return http
                .authorizeRequests(configure ->
                        configure
                                .antMatchers("/employees/showForm*").hasAnyRole("MANAGER", "ADMIN")
                                .antMatchers("/employees/save*").hasAnyRole("MANAGER", "ADMIN")
                                .antMatchers("/employees/delete").hasRole("ADMIN")
                                .antMatchers("/employees/**").hasRole("EMPLOYEE")
                                .antMatchers("/resources/**").permitAll())
                .formLogin(configure ->
                        configure
                                .loginPage("/showMyLoginPage")
                                .loginProcessingUrl("/authenticateTheUser")
                                .successHandler(customAuthenticationSuccessHandler)
                                .permitAll())
                .logout(LogoutConfigurer::permitAll)
                .exceptionHandling(configure ->
                        configure
                                .accessDeniedPage("/access-denied"))
                .build();
    }

    // bcrypt bean definition
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // authenticationProvider bean definition
    @Bean
    public DaoAuthenticationProvider authenticationProvider() {

        DaoAuthenticationProvider auth = new DaoAuthenticationProvider();

        //set the custom employee details service
        auth.setUserDetailsService(employeeService);

        // set th password encoder
        auth.setPasswordEncoder(passwordEncoder());

        return auth;
    }

}
Toerktumlare commented 2 years ago

you can start out with the following:

since you are using formLogin Spring Security will BY DEFAULT set up most things for you, the only thing you need to provide is a password encoder, and an implementation of the UserDetailsService both as Bean this means the following you can fully remove the following code:

    // authenticationProvider bean definition
    @Bean
    public DaoAuthenticationProvider authenticationProvider() {

        DaoAuthenticationProvider auth = new DaoAuthenticationProvider();

        //set the custom employee details service
        auth.setUserDetailsService(employeeService);

        // set th password encoder
        auth.setPasswordEncoder(passwordEncoder());

        return auth;
    }

Since you provide the UserDetailsServices as a Beanand a PasswordEncoder as a Bean Spring Security will build an AuthenticationProvider for you.

TilmeezUrRehmanBhatti commented 2 years ago

@Tandolf I also try this i am still getting same error , if i debug it matches plan text with bcrypt password from database and that i am not understanding why. I don't think it's because of the password its somewhere in the code where we are not handling incoming passwords from the user to BCrypt and then matching, while debugging I noticed it try to match with the plain password with is entered by me(user) with BCrypt password from Database. And i don't know how to handle this or convert the input password to BCrypt because normally it's handled by spring security (If I am not wrong)

TilmeezUrRehmanBhatti commented 2 years ago

This issue is related to column size. As I am using Postgres, it might be of type issue.

https://mkyong.com/spring-security/spring-security-encoded-password-does-not-look-like-bcrypt/

Alter the password column type from char to varchar, it solves my problem

Toerktumlare commented 2 years ago

thank you for wasting others time.