I did a lot of tests, and I can't find a way to make it work. With the following basic spring-boot project, you can test how, even though the passwords are the same, the match method always returns false.
pom.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
        <groupId>com.example</groupId>
        <artifactId>basic</artifactId>
        <version>0.0.1-SNAPSHOT</version>
        <packaging>jar</packaging>
        <name>basic</name>
        <description>Basic project for Spring Boot</description>
        <parent>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-parent</artifactId>
            <version>2.0.3.RELEASE</version>
            <relativePath/>
        </parent>
        <properties>
            <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
            <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
            <java.version>1.8</java.version>
        </properties>
        <dependencies>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter</artifactId>
            </dependency>
            <dependency>
                <groupId>org.springframework.security.oauth</groupId>
                <artifactId>spring-security-oauth2</artifactId>
                <version>2.3.3.RELEASE</version>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-configuration-processor</artifactId>
                <optional>true</optional>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-test</artifactId>
                <scope>test</scope>
            </dependency>
        </dependencies>
        <build>
            <plugins>
                <plugin>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-maven-plugin</artifactId>
                    <configuration>
                        <fork>true</fork>
                    </configuration>
                </plugin>
            </plugins>
        </build>
    </project>
BasicApplication.java
    package com.example;

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @SpringBootApplication
    public class BasicApplication {

        public static PasswordEncoder oauthClientPasswordEncoder = new BCryptPasswordEncoder(4);
        private static final Logger LOG = LoggerFactory.getLogger(BasicApplication.class);

        public static void main(String[] args) {
            SpringApplication.run(BasicApplication.class, args);
            String secret = oauthClientPasswordEncoder.encode("secreto");
            LOG.info("Client pass: secreto, " + oauthClientPasswordEncoder.matches(secret, "secreto"));
        }
    }
Logs
Attaching agents: []
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.0.3.RELEASE)
2019-04-04 18:06:09.183 INFO 4111 --- [ main] com.example.BasicApplication : Starting BasicApplication on --.local with PID 4111 (/Users/--/NetBeansProjects/java/BasicSpringbootTest/target/classes started by -- in /Users/--/NetBeansProjects/java/BasicSpringbootTest)
2019-04-04 18:06:09.187 INFO 4111 --- [ main] com.example.BasicApplication : No active profile set, falling back to default profiles: default
2019-04-04 18:06:09.227 INFO 4111 --- [ main] s.c.a.AnnotationConfigApplicationContext : Refreshing org.springframework.context.annotation.AnnotationConfigApplicationContext@6b67034: startup date [Thu Apr 04 18:06:09 CST 2019]; root of context hierarchy
2019-04-04 18:06:09.826 INFO 4111 --- [ main] o.s.j.e.a.AnnotationMBeanExporter : Registering beans for JMX exposure on startup
2019-04-04 18:06:09.838 INFO 4111 --- [ main] com.example.BasicApplication : Started BasicApplication in 16.44 seconds (JVM running for 17.75)
2019-04-04 18:06:09.845 WARN 4111 --- [ main] o.s.s.c.bcrypt.BCryptPasswordEncoder : Encoded password does not look like BCrypt
2019-04-04 18:06:09.845 INFO 4111 --- [ main] com.example.BasicApplication : Client pass: secreto, false
2019-04-04 18:06:09.854 INFO 4111 --- [ Thread-2] s.c.a.AnnotationConfigApplicationContext : Closing org.springframework.context.annotation.AnnotationConfigApplicationContext@6b67034: startup date [Thu Apr 04 18:06:09 CST 2019]; root of context hierarchy
2019-04-04 18:06:09.858 INFO 4111 --- [ Thread-2] o.s.j.e.a.AnnotationMBeanExporter : Unregistering JMX-exposed beans on shutdown
Well, since it looks like my post is mostly code, here are some more details:
I looked for the same problem: Encoded password does not look like BCrypt, but all solutions relate to human error, or bugs from external resources.
It's weird that you can use the BCryptPasswordEncoder in your AuthorizationServerConfigurerAdapter for configuring Spring Security OAuth2 in your project this way:
SpringSecurityConfig.java
    @Configuration
    @EnableWebSecurity
    public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

        [...] // bunch of code

        @Bean
        public PasswordEncoder oauthClientPasswordEncoder() {
            return new BCryptPasswordEncoder(4);
        }
    }
AuthorizationServerConfig.java
    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

        [...] // bunch of code

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            ClientDetailsServiceBuilder.ClientBuilder cb = clients
                    .inMemory()
                    .withClient("pms_read")
                    .resourceIds("pms")
                    .secret("BCRYPTED_PASSWORD_BY_BCRYPTPASSWORDENCODER")
                    .redirectUris("http://uri.com")
                    .authorities("APP")
                    .scopes("read");
        }
    }
And it works! But if you want to match the passwords manually, you just can't.
Ok, as @chrylis comments, the rawPassword must be the first parameter, and the encodedPassword the second.
This way:
    public static void main(String[] args) {
        SpringApplication.run(BasicApplication.class, args);
        String secret = oauthClientPasswordEncoder.encode("secreto");
        LOG.info("Client pass: secreto, " + oauthClientPasswordEncoder.matches("secreto", secret));
    }
And it works! Thank you very much!
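The argument-order pitfall above, as an added example that is not part of the original post: it calls `matches` in both orders, shows why hashes must be verified with `matches` rather than `equals`, and wraps the call in a guard that rejects swapped arguments instead of silently returning false. The class `MatchOrderDemo`, the helper `checkedMatches` and the `BCRYPT` pattern are hypothetical names written for this example; it assumes the same Spring Security classes the question's project already has on its classpath.

```java
import java.util.regex.Pattern;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class MatchOrderDemo {

    // General shape of a BCrypt hash: version prefix, two-digit cost, 53 characters
    // of salt and digest. Pattern written for this example (assumption).
    private static final Pattern BCRYPT =
            Pattern.compile("^\\$2[aby]?\\$\\d\\d\\$[./0-9A-Za-z]{53}$");

    /** Hypothetical guard: fails loudly when the stored value is not a BCrypt hash. */
    static boolean checkedMatches(PasswordEncoder encoder, CharSequence raw, String encoded) {
        if (encoded == null || !BCRYPT.matcher(encoded).matches()) {
            boolean swapped = raw != null && BCRYPT.matcher(raw).matches();
            throw new IllegalArgumentException(swapped
                    ? "arguments swapped: use matches(rawPassword, encodedPassword)"
                    : "encodedPassword is not a BCrypt hash");
        }
        return encoder.matches(raw, encoded);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder(4); // strength 4, as in the question
        String hash = encoder.encode("secreto");

        // Correct order: raw password first, stored hash second.
        System.out.println("raw, hash : " + encoder.matches("secreto", hash));

        // Swapped order from the question: "secreto" is treated as the stored hash,
        // fails the encoder's format check and triggers the logged warning.
        System.out.println("hash, raw : " + encoder.matches(hash, "secreto"));

        // encode() salts randomly on every call, so two hashes of the same
        // password differ; always verify with matches(), never with equals().
        System.out.println("equals    : " + hash.equals(encoder.encode("secreto")));

        // The guard turns the silent mismatch into an explicit error.
        try {
            checkedMatches(encoder, hash, "secreto");
        } catch (IllegalArgumentException e) {
            System.out.println("guard     : " + e.getMessage());
        }
    }
}
```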