If you remember from Tutorial 2, we stored our password in the MySQL database in plain text. This is not ideal, since plain-text passwords are vulnerable to attack.
- Tutorial 1 – Introduction to Spring Security
- Tutorial 2 – Storing Login Details in MySQL
- Tutorial 3 – Using BCrypt Password Encoder
- Tutorial 4 – Custom Login Form
In this tutorial, we will learn about the different encoders we can use to encode our password. Then we will see how to generate an encoded password using BCrypt. Finally, we will set a password encoder and test the application.
Before we follow the steps, here are the password encoders that can be used, with their implementing classes:
- ldap – LdapShaPasswordEncoder
- noop – NoOpPasswordEncoder
- pbkdf2 – Pbkdf2PasswordEncoder
- scrypt – SCryptPasswordEncoder
- SHA-1 – new MessageDigestPasswordEncoder("SHA-1")
- SHA-256 – new MessageDigestPasswordEncoder("SHA-256")
- sha256 – StandardPasswordEncoder
- MD4 – Md4PasswordEncoder
- MD5 – new MessageDigestPasswordEncoder("MD5")
- argon2 – Argon2PasswordEncoder
- bcrypt – BCryptPasswordEncoder (also used for encoding)
I'm not going to discuss all these encoders one by one, but I recommend you read up on them to learn their merits and demerits.
We will use BCrypt, which is the default password hash algorithm used for OpenBSD and other systems, including some Linux distributions as well as SUSE Linux. According to Wikipedia, "it incorporates a salt to protect against rainbow table attacks. It is also an adaptive function which means that over time, the iteration count can be increased to make it slower, therefore it remains resistant to brute-force search attacks even with very high computation power."
Follow the steps below to add BCryptPasswordEncoder to our application.
Step 1: Visit https://www.browserling.com/tools/bcrypt and generate BCrypt hashes for the two passwords abcd and 1234
Step 2: Open the userdb database we created in Tutorial 2
Step 3: Create two records: user1 with the hash generated for 1234; user2 with the hash generated for abcd
Step 4: Open the AppSecurityConfig file and replace the
provider.setPasswordEncoder(NoOpPasswordEncoder.getInstance());
with this line
provider.setPasswordEncoder(new BCryptPasswordEncoder());
At this point, the file would be as shown below:
Step 5: Launch the application
Step 6: Enter the username 'user1' and password '1234' and check that you can log in
Step 7: Also try 'user2' with 'abcd'
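If you would rather not paste passwords into an online tool, the hashes for Step 1 can be produced in Java with the same BCryptPasswordEncoder the application uses. The class below is an added example, not part of the original tutorial; it assumes spring-security-crypto is on the classpath, and the class name BcryptDemo is made up for the demo.

```java
// Added example (not from the tutorial): generate the BCrypt hashes for the two
// tutorial passwords and verify them the way DaoAuthenticationProvider does at login.
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptDemo {

    public static void main(String[] args) {
        // Strength 10 is the BCryptPasswordEncoder default (2^10 rounds).
        PasswordEncoder encoder = new BCryptPasswordEncoder(10);

        // These are the values to store in the userdb password column.
        String hashUser1 = encoder.encode("1234");
        String hashUser2 = encoder.encode("abcd");
        System.out.println("user1 hash: " + hashUser1);
        System.out.println("user2 hash: " + hashUser2);

        // Each encode() call draws a fresh random salt, so hashing the same
        // password twice yields two different strings. The salt is embedded in
        // the hash ($2a$10$<22-char salt><31-char hash>), so userdb needs no
        // separate salt column.
        String hashUser1Again = encoder.encode("1234");
        System.out.println("two hashes of 1234 differ: " + !hashUser1.equals(hashUser1Again));

        // matches() is what the provider runs at login: it reads the salt and
        // cost out of the stored hash and re-hashes the submitted password.
        System.out.println("user1 / 1234: " + encoder.matches("1234", hashUser1));
        System.out.println("user1 / abcd: " + encoder.matches("abcd", hashUser1));
        System.out.println("user1 / 1234 against second hash: "
                + encoder.matches("1234", hashUser1Again));

        // The cost factor is part of the stored hash, so the application can be
        // moved to a higher strength later: old hashes still verify, and
        // upgradeEncoding() reports which rows should be re-hashed at next login.
        PasswordEncoder stronger = new BCryptPasswordEncoder(12);
        System.out.println("old hash still verifies at strength 12: "
                + stronger.matches("1234", hashUser1));
        System.out.println("old hash should be upgraded: "
                + stronger.upgradeEncoding(hashUser1));
    }
}
```

Because Step 4 wires BCryptPasswordEncoder directly, the stored value is the bare $2a$... string; if you later switch to Spring's DelegatingPasswordEncoder, each stored hash must be prefixed with {bcrypt} so the delegating encoder knows which algorithm to use.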
If you are up to this point, then congratulations, you are doing great!
In the next tutorial, Tutorial 4, we will add our own custom login form.