Variation In Spring Security In Password Authentication In 2.0.0

Posted By : Sahil Dwivedi | 29-Apr-2018

Spring Security provides authentication and authorization support for securing Spring-based applications. It integrates with Spring MVC and comes bundled with implementations of popular security algorithms. While working with it in practice I found some changes regarding password encoding. Protecting our data from unauthorized access is important, and with Spring Security we use encoding algorithms for this, for example storing our passwords in the database in encoded (hashed) form rather than as plain text. In this blog I want to share how Spring Security behaves with respect to version 2.0.0. Password storage has undergone a major overhaul to provide more secure defaults and the ability to migrate how passwords are stored. The default PasswordEncoder is now DelegatingPasswordEncoder, an active change that makes sure passwords are now encoded using BCrypt by default.

1.) Before Spring Security 2.0.0 we used encoder beans such as BCryptPasswordEncoder, ShaPasswordEncoder and Md5PasswordEncoder. The chosen encoder encoded the password entered by the user and matched it against the encoded password already stored in the database.

The simple BCryptPasswordEncoder as a bean in our configuration is:

import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Bean
public PasswordEncoder passwordEncoder() {
    // BCrypt: salted, adaptive hash; before 2.0.0 this explicit bean selected the encoder
    return new BCryptPasswordEncoder();
}

2.) While switching from version 1.5.10 of Spring Security to the updated 2.0.0, I ran into changes in the password encoding functionality.

By default, Spring Security now encodes the password internally, so a password entered as plain text can no longer be authenticated.


3.) To overcome the above issue, I found the following solution.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // class name is illustrative
    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // {noop} tells the DelegatingPasswordEncoder to compare the plain text as-is
        auth.inMemoryAuthentication().withUser("xyz").password("{noop}demo").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity httpsecurity) throws Exception {
        // every request needs a fully authenticated user, supplied via HTTP Basic
        httpsecurity.authorizeRequests().anyRequest().fullyAuthenticated().and().httpBasic();
        // CSRF protection is turned off here (demo setup; keep it on for browser-facing apps)
        httpsecurity.csrf().disable();
    }
}

4.) In the above method, inMemoryAuthentication defines the password with the keyword {noop}; this id maps to NoOpPasswordEncoder. This is important to know because, unlike encryption, password hashes are designed so that there is no way to recover the plaintext, which makes it difficult to migrate the passwords. While it is simple for users to use NoOpPasswordEncoder, it was included by default to keep the getting-started experience simple.
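
As an added example (not code from the post) of the DelegatingPasswordEncoder behaviour described above, the following program assumes the spring-security-crypto module that ships DelegatingPasswordEncoder is on the classpath and uses the real PasswordEncoderFactories factory to show the {bcrypt} prefix, the {noop} case, and why a hash written by the old un-prefixed BCryptPasswordEncoder bean is rejected until it is tagged with its id.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class DelegatingEncoderDemo {

    public static void main(String[] args) {
        // The new default: a DelegatingPasswordEncoder that prefixes every hash with {id}
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // 1. Encoding a new password produces a BCrypt hash tagged with the {bcrypt} id,
        //    i.e. "{bcrypt}$2a$10$..." (the salt is random, so the value differs per run)
        String stored = delegating.encode("demo");
        System.out.println("stored form: " + stored);
        System.out.println("matches demo? " + delegating.matches("demo", stored));

        // 2. The {noop} id from the post: plain-text comparison, acceptable only for demos
        System.out.println("noop matches? " + delegating.matches("demo", "{noop}demo"));

        // 3. A hash produced by the old BCryptPasswordEncoder bean carries no {id} prefix.
        //    The delegating encoder cannot tell which algorithm produced it and rejects it
        //    with an IllegalArgumentException naming the unmapped id ("null").
        String legacyHash = new BCryptPasswordEncoder().encode("demo");
        try {
            delegating.matches("demo", legacyHash);
        } catch (IllegalArgumentException e) {
            System.out.println("legacy hash rejected: " + e.getMessage());
        }

        // 4. Migration: tag the existing rows with the id of the encoder that produced them.
        //    This is a one-off fix on the stored column; nobody has to re-enter a password.
        String migrated = "{bcrypt}" + legacyHash;
        System.out.println("migrated matches? " + delegating.matches("demo", migrated));
    }
}
```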

About Author

Sahil Dwivedi

Sahil Dwivedi is an associate consultant developer with knowledge of core Java and AngularJS. His hobbies are watching movies, playing football and listening to music. He is a creative person.
