Spring Security Tutorial 3 – Encoding Your Password

Spring Security Tutorial 3 - Using BCrypt Password Encoder

If you remember from Tutorial 2, we stored our password in MySQL database in plain text. Now, this is not ideal way since plain text password are vulnerable to attack.

In this tutorial, we would learn about different encoders we can use for to encoder out password. Then we would see how to generate an encoded password using BCrypt. Finally, we would set a password encoder and test the application.

Before we follow the steps, here are the passwordencoders that can be used and their description

I’m not going to discuss all these encoders one by one. But I recommend you read them up to know the merits and demerits

We would use BCrypt which is is the default password hash algorithm used for OpenBSD and other systems including some Linux distributions  as well as SUSE Linux. According to Wikipedia, “it incorporates a salt to protect against rainbow table attacks. It is also an adaptive function which means that over time, the iteration count can be increased to make it slower, therefore it remains resistant to brute-force search attacks even with very high computation power.”

Follow the steps below to add BcryptEncoder to our application.

Step 1: Visit https://www.browserling.com/tools/bcrypt and generate two passwords: abcd and 1234

Step 2: Open the userdb database we created in Tutorial 2

Step 3: Create two records: user1 with password generated for 1234; user2 with password generated for abcd

Step 4: Open the AppSecurityConfig file and replace the

provider.setPasswordEncoder(NoOpPasswordEncoder.getInstance());

 

with this line

provider.setPasswordEncoder(new BCryptPasswordEncoder());

 

At  this point, the file would be as shown below:

 

Step 5 – Launched the application

Step 6 – Enter the username ‘user1’ and password ‘1234’ and check that you can login

Step 7 – Also try for ‘user2’ and ‘abcd’

 

If you are up to this point, then congratulations, you are doing great!

The next tutorial, Tutorial 4, we would then add our own custom login form.

3 Comments on “Spring Security Tutorial 3 – Encoding Your Password”

Leave a Reply

Your email address will not be published. Required fields are marked *