How to use Spring security without password encoding?

Unsure if it is what you're after but a little cheap workaround I used so I didn't have to worry about encoding my database yet was

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
  DataSource dataSource;

  @Autowired
  public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
    auth.jdbcAuthentication().dataSource(dataSource)
        .usersByUsernameQuery("select username,CONCAT('{noop}',password),true from 
public.\"Users\" where username=?")
        .authoritiesByUsernameQuery("select username,role from public.\"Users\" where 
username=?");
}
...

Note instead of grabbing the password I am concatenating it with {noop} first to tell the system to not use encoding.

Probably a sin but it works for now.


With Spring Security 5 encryption on passwords is always enabled. The encryption used by default is bcrypt. What is neat about Spring Security 5 is that it actually allows you to specify, in your password, which encryption was used to create the has.

For this see the Password Storage Format in the Spring Security Reference Guide. In short it allows you to prefix your password for a well known key to an algorithm. The storage format is {<encryption>}<your-password-hash>.

When using nothing it would become {noop}your-password (which would use the NoOpPasswordEncoder and {bcrypt}$a2...... would use the BcryptPasswordEncoder. There are several algorithms supported out-of-the-box, but you can also define your own.

To define your own create your own PasswordEncoder and register it under a key with the DelegatingPasswordEncoder.


Maybe you can implement this simple code to evade Spring Encoder

public class PasswordEnconderTest implements PasswordEncoder {
    @Override
    public String encode(CharSequence charSequence) {
        return charSequence.toString();
    }

    @Override
    public boolean matches(CharSequence charSequence, String s) {
        return charSequence.toString().equals(s);
    }
}

and add in your WebSecurityConfig:

@Bean
public PasswordEncoder passwordEncoder(){
    return new PasswordEnconderTest();
}

it's not recommended but you can implement

Tags:

Java

Spring

Spring Security

Spring Boot

Spring Data Jpa

Related

Where can i find androidmk tool to convert Android.mk to Android.bp? Recursively render a deep nested data in React Flutter textfield that auto expands when text is entered and then starts scrolling the text when a certain height is reached Xcode 9 and Xcode 10 giving different results, even with same swift version How can I use the legacy build system with Xcode 10's `xcodebuild`? Kotlin - return new inserted id from Room database using Persistence Room:runtime lib Opening PDF file in new tab angular 4? Is it well-defined to hold a misaligned pointer, as long as you don't ever dereference it? Execute task every second using Work Manager API How to adjust the position of the internal terminal The version of CocoaPods used to generate the lockfile (1.5.3) is higher than the version of the current executable (1.5.2) How to Add/Update/Remove array elements in firebase firestore android using Hashmap? A Store Database

Recent Posts