Encrypting InMemoryAuthentication passwords with Bcrypt

长发绾君心 2021-01-01 03:11

Before I use Bcrypt on a custom implementation of UserDetailsService, I first want to see if I can use it in an in-memory database.

package com.patrick.Secu         


        
2 Answers
  • 2021-01-01 03:48

    With creating/exposing the PasswordEncoder bean this warning pops up which ultimately prevents me from accessing the login path:

    o.s.s.c.bcrypt.BCryptPasswordEncoder     : Encoded password does not look like BCrypt
    

    This is because the password you're providing is not encoded with BCrypt. Instead of passing "password" directly as the password it needs to be encoded first.

    For testing purposes, an easy way of doing this would be to just get a hold of your password encoder and encode it in your configure method like this:

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        String password = passwordEncoder().encode("password");
        auth.inMemoryAuthentication().withUser("admin").password(password).roles("ADMIN");
    }
    
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    
    0 Comments (0)
  • 2021-01-01 04:08

    With Spring Security 5 you can prefix the password with the id of the selected PasswordEncoder. If you want to use a plain password, then simply use the {noop} prefix; this will delegate password encoding to NoOpPasswordEncoder.

    Example code:

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
       auth.inMemoryAuthentication()
              .withUser("admin").password("{noop}password").roles("ADMIN");
    }
    
    0 Comments (0)
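
The behaviour both answers describe, shown side by side as an added example that is not part of the original thread: why a raw stored password triggers the BCrypt warning, and how the `{id}` prefix routes a stored value to an encoder. It assumes spring-security-crypto (Spring Security 5 or later) is on the classpath; the class name `PasswordEncoderDemo` and the sample password are constructed for illustration.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (hypothetical class name), not code from the thread.
public class PasswordEncoderDemo {

    public static void main(String[] args) {
        String raw = "password"; // constructed sample value

        // 1. Plain BCryptPasswordEncoder: the stored value must be a BCrypt hash.
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();
        String hash = bcrypt.encode(raw); // salted BCrypt hash, different on every call
        System.out.println("bcrypt hash matches:       " + bcrypt.matches(raw, hash));
        // Storing the raw text instead makes the encoder log
        // "Encoded password does not look like BCrypt" and reject the login.
        System.out.println("raw text stored, bcrypt:   " + bcrypt.matches(raw, raw));

        // 2. DelegatingPasswordEncoder: the {id} prefix selects the encoder
        //    for each stored value; new values are encoded with bcrypt.
        PasswordEncoder delegating =
                PasswordEncoderFactories.createDelegatingPasswordEncoder();
        String prefixed = delegating.encode(raw);
        System.out.println("new value has {bcrypt} id: " + prefixed.startsWith("{bcrypt}"));
        System.out.println("{bcrypt} value matches:    " + delegating.matches(raw, prefixed));
        // {noop} keeps the password in plaintext in the user store, so it is
        // only suitable for throwaway tests, never for real credentials.
        System.out.println("{noop} value matches:      "
                + delegating.matches(raw, "{noop}" + raw));

        // 3. A stored value without an {id} prefix cannot be routed to any encoder.
        try {
            delegating.matches(raw, hash);
        } catch (IllegalArgumentException e) {
            System.out.println("unprefixed value rejected: " + e.getMessage());
        }
    }
}
```

If a `PasswordEncoder` bean such as `BCryptPasswordEncoder` is exposed, that bean is used directly and the `{id}` prefixes are not interpreted, which is why the two answers are alternatives rather than steps to combine.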