How can I do encryption so that the database does not show the user password? Right now I save the login, password and user role in the database. I need the password to be encrypted (BCrypt) in the database.
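```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("USER")
                .antMatchers("/**").permitAll()
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/allStudents")
                .and()
            .logout()
                .and()
            .csrf().disable();
    }

    // Current encoder: stores the password unchanged and compares it as plaintext.
    @Bean
    public PasswordEncoder weDoNotWantEncryption() {
        return new PasswordEncoder() {
            @Override
            public String encode(CharSequence rawPassword) {
                return rawPassword.toString();
            }

            @Override
            public boolean matches(CharSequence rawPassword, String encodedPassword) {
                return rawPassword.toString().equals(encodedPassword);
            }
        };
    }
}
```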
Very simply - just replace your `weDoNotWantEncryption()` function with one that returns a BCrypt instance:

```java
@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
```
`BCryptPasswordEncoder` implements `PasswordEncoder` (as the name suggests) and so already has good methods defined for `encode()` and `matches()`.
Note that this will (of course) render any passwords currently in your database unusable, although given that those passwords are stored in plaintext, I assume (and hope/pray) that this is in a test environment, rather than production.
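
An added example, not part of the original answer or of Spring's own code: since the existing rows still hold the plaintext, a one-time pass can replace each value with its BCrypt hash so the accounts keep working after the encoder is switched. The `Map` standing in for the users table, the class name and the sample rows are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: one-time conversion of plaintext rows to BCrypt hashes.
// Requires spring-security-crypto on the classpath. The Map stands in for the
// users table (login -> password column); all rows are constructed sample data.
public class PlaintextToBcryptMigration {

    // Shape of a BCrypt hash: "$2a$", "$2b$" or "$2y$", two-digit cost, 53 chars.
    private static final Pattern BCRYPT =
            Pattern.compile("\\$2[aby]?\\$\\d\\d\\$[./0-9A-Za-z]{53}");

    /** Hashes every value that is not already a BCrypt hash; returns rows changed. */
    static int migrate(Map<String, String> users, PasswordEncoder encoder) {
        int changed = 0;
        for (Map.Entry<String, String> row : users.entrySet()) {
            String stored = row.getValue();
            if (BCRYPT.matcher(stored).matches()) {
                continue; // already hashed, so the migration is safe to re-run
            }
            row.setValue(encoder.encode(stored)); // fresh random salt per row
            changed++;
        }
        return changed;
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        Map<String, String> users = new LinkedHashMap<>();
        users.put("admin", "admin-secret");   // constructed plaintext row
        users.put("student", "student-pass"); // constructed plaintext row

        System.out.println("rows hashed on first run:  " + migrate(users, encoder));
        System.out.println("rows hashed on second run: " + migrate(users, encoder));

        // Login check against the migrated row: matches() reads the salt and
        // cost from the stored hash and recomputes it from the raw password.
        System.out.println("correct password accepted: "
                + encoder.matches("admin-secret", users.get("admin")));
        System.out.println("wrong password accepted:   "
                + encoder.matches("wrong", users.get("admin")));
    }
}
```

Against a real table the same loop runs once, inside a transaction, before the `BCryptPasswordEncoder` bean goes live.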