The joy of tiny mistakes with big effects

Last Update: 29.08.2018. By Jens in Newsletter

I was in the process of writing today’s tutorial and stumbled upon a stupid little mistake I made in the Kanban API we run at the beginning of this year. So, instead of the tutorial, you’ll get that.

Offending line:

if (dbPassword.equals(passwordEncoder.encode(rawPassword))) {

Who spots the error?

passwordEncoder is an instance of the PasswordEncoder interface, which is part of Spring Security. It defines how passwords are encoded for storage in the DB. In my case, I used the BCryptPasswordEncoder.

If you manually hash and salt the password, for example, the generated hash of the password is usually the same each time. Not with the advanced BCryptPasswordEncoder. There is a random factor in it: every call to encode uses a freshly generated salt. So, each time we generate a new password hash from the rawPassword, we get a different hash. As a result, checking with equals does not work.

The correct usage is to call the matches method of the passwordEncoder anyway. It checks our rawPassword String against a previously generated hash value.

if (passwordEncoder.matches(rawPassword, dbPassword)) {

Ah, that’s the joy of coding. Tutorial will follow tomorrow though.
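The two checks side by side, as an added example that is not part of the original post. It assumes Spring Security's crypto module is on the classpath; the class name BcryptMatchDemo, the helper method names and the sample password are made up for illustration. The last step shows why matches can succeed where equals cannot: the stored hash carries its own salt.

```java
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptMatchDemo {

    // The broken check from the post: re-encode the input and compare strings.
    // encode() draws a new random salt, so this rejects even the right password.
    static boolean brokenCheck(PasswordEncoder encoder, String rawPassword, String dbPassword) {
        return dbPassword.equals(encoder.encode(rawPassword));
    }

    // The corrected check: the encoder verifies the input against the stored hash.
    static boolean correctCheck(PasswordEncoder encoder, String rawPassword, String dbPassword) {
        return encoder.matches(rawPassword, dbPassword);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        String rawPassword = "correct horse battery staple"; // constructed sample value

        String dbPassword = encoder.encode(rawPassword); // what was stored at registration
        String secondHash = encoder.encode(rawPassword); // same input, different salt

        System.out.println("stored hash : " + dbPassword);
        System.out.println("second hash : " + secondHash);
        System.out.println("hashes equal            : " + dbPassword.equals(secondHash));
        System.out.println("broken check, right pw  : " + brokenCheck(encoder, rawPassword, dbPassword));
        System.out.println("matches, right password : " + correctCheck(encoder, rawPassword, dbPassword));
        System.out.println("matches, wrong password : " + correctCheck(encoder, "wrong", dbPassword));

        // A bcrypt string starts with version, cost and the 22-character salt
        // (29 characters in total). Hashing the input with that prefix
        // reproduces the stored value, which is the comparison matches() needs.
        String saltPrefix = dbPassword.substring(0, 29);
        String recomputed = BCrypt.hashpw(rawPassword, saltPrefix);
        System.out.println("recomputed with stored salt equals stored: "
                + recomputed.equals(dbPassword));
    }
}
```

Note that the broken check fails closed: valid logins are rejected rather than invalid ones accepted, which is why a mistake like this shows up as "nobody can log in" rather than as a bypass.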