Spring Security 5 – There is no PasswordEncoder mapped for the id “null”

What is the issue?

type Exception report

message There is no PasswordEncoder mapped for the id “null”

description The server encountered an internal error that prevented it from fulfilling this request.

exception

Background

If we are putting together a demo or a sample, it is a bit cumbersome to take time to hash the passwords of our users. There are convenience mechanisms to make this easier, but they are still not intended for production.

This does hash the password that is stored, but the passwords are still exposed in memory and in the compiled source code. Therefore, it is still not considered secure for a production environment. For production, you should hash your passwords externally.

How to fix this issue?

Add the below method in “DemoSecurityConfig.java” and import the corresponding classes.

When we use Spring Security 5, we need to explicitly provide the PasswordEncoder that our passwords are encoded with. This is not a requirement in Spring Security 4.2.3. So, to migrate our code from Spring Security 4.2.x, we can revert to the previous behavior by exposing a NoOpPasswordEncoder bean. NoOpPasswordEncoder performs no hashing, so this is suitable only for demos. By providing the above method, we can run our application.

If you are using XML configuration, you can expose a PasswordEncoder with the id passwordEncoder:

Alternatively, we can prefix all of our passwords with the correct id and continue to use DelegatingPasswordEncoder. For example, if you are using BCrypt, you would migrate your password from something like:
$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
to
{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
For a complete listing of the mappings refer to the Javadoc on PasswordEncoderFactories.
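
The prefix migration described above, as an added example (not code from the original post or from the Spring project): it shows an unprefixed bcrypt hash triggering the error from this page and the same hash verifying once the {bcrypt} id is added. The class name PasswordIdPrefixDemo, the helper withBcryptId and the sample password are hypothetical; it assumes spring-security-crypto 5.x is on the classpath.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordIdPrefixDemo {

    // Hypothetical helper: add the {bcrypt} id to a stored hash that has no id yet.
    // Hashes that already start with an {id} prefix are left untouched.
    static String withBcryptId(String storedHash) {
        return storedHash.startsWith("{") ? storedHash : "{bcrypt}" + storedHash;
    }

    public static void main(String[] args) {
        String rawPassword = "demo-password"; // constructed sample value

        // Legacy format (Spring Security 4.x style): bare bcrypt hash, no {id} prefix.
        String legacyHash = new BCryptPasswordEncoder().encode(rawPassword);

        // Spring Security 5 default: picks the encoder from the {id} prefix.
        PasswordEncoder delegating =
                PasswordEncoderFactories.createDelegatingPasswordEncoder();

        try {
            delegating.matches(rawPassword, legacyHash);
        } catch (IllegalArgumentException e) {
            // No prefix means the id resolves to null, which raises the
            // "There is no PasswordEncoder mapped for the id" error.
            System.out.println("Unprefixed hash rejected: " + e.getMessage());
        }

        // After migration the delegating encoder routes the hash to bcrypt.
        String migrated = withBcryptId(legacyHash);
        System.out.println("Prefixed hash, correct password: "
                + delegating.matches(rawPassword, migrated));
        System.out.println("Prefixed hash, wrong password: "
                + delegating.matches("not-the-password", migrated));

        // Hashes created through the delegating encoder already carry the id,
        // so only records written before the upgrade need the prefix added.
        System.out.println("New hash carries id: "
                + delegating.encode(rawPassword).startsWith("{bcrypt}"));
    }
}
```
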

The BCryptPasswordEncoder implementation uses the widely supported bcrypt algorithm to hash the passwords. In order to make it more resistant to password cracking, bcrypt is deliberately slow. Like other adaptive one-way functions, it should be tuned to take about 1 second to verify a password on your system.

References
https://docs.spring.io/spring-security/site/docs/5.0.0.BUILD-SNAPSHOT/reference/htmlsingle/#getting-started-experience
harinathk
 
