It appears that org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
doesn't return the generated password salt:

    public String encode(CharSequence rawPassword) {
        String salt;
        if (this.strength > 0) {
            if (this.random != null) {
                salt = BCrypt.gensalt(this.strength, this.random);
            } else {
                salt = BCrypt.gensalt(this.strength);
            }
        } else {
            salt = BCrypt.gensalt();
        }
        return BCrypt.hashpw(rawPassword.toString(), salt);
    }

Question: what purpose is that designed for? How can this be used, since it doesn't return a salt, which should be stored for password checking?
Apparently, the salt is part of the encrypted String, which is separated by $.
More information can be found here: How can bcrypt have built-in salts?