According to Spring Security, it is recommended to use BCrypt to encode a password. And to accomplish this approach, it is suggested to use the Spring Boot CLI.

So far, with Spring Boot 3.1.4 it is mandatory to declare manually

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
class SecurityConfig {

  // Explicit BCrypt encoder so that a bare "$2a$..." hash is matched as BCrypt
  @Bean
  PasswordEncoder passwordEncoder() {
      return new BCryptPasswordEncoder();
  }

}

Otherwise, for example, the spring.security.user.password property always fails - because it is never "accepted" as valid through the Login page form

spring.security.user.name=manueljordan
spring.security.user.password=$2a$10$pKG7w6PBXMGS7bao7N2oDe2biCxpvMyYAhLURGxNJs795yFw.yCGa
spring.security.user.roles=ADMIN,OVERSIGHT

Thanks for your understanding.

Comment From: wilkinsona

So far, with Spring Boot 3.1.4 it is mandatory to declare manually

I don't think this is mandatory. For example, our Security smoke test, spring-boot-smoke-test-secure, uses a plain text password and does not define a PasswordEncoder bean. A BCryptPasswordEncoder bean is only mandatory if you're using a BCrypt-encoded password and I don't think we can assume that will be the case. The user may not even be using password-based security at all in which case the PasswordEncoder bean would be redundant. Thanks anyway for the suggestion but I don't think this is something that Spring Boot can do for you.

Comment From: manueljordan

spring-boot-smoke-test-secure, uses a plain text password and does not define a PasswordEncoder bean

Using a plain text password would be valid for development purposes, but not for production.

A BCryptPasswordEncoder bean is only mandatory if you're using a BCrypt-encoded password and I don't think we can assume that will be the case

But BCrypt is recommended by Spring Security itself and is the default encoding approach offered by the Spring Boot CLI - shouldn't both be considered in order to apply “Opinionated Defaults Configuration”?

Please consider my thoughts polite and friendly.

Comment From: philwebb

It's been a while since I looked at this, but I thought Spring Security used the DelegatingPasswordEncoder by default. That should allow you to specify a password in the following form without needing to declare a PasswordEncoder bean:

spring.security.user.name=manueljordan
spring.security.user.password={bcrypt}$2a$10$pKG7w6PBXMGS7bao7N2oDe2biCxpvMyYAhLURGxNJs795yFw.yCGa
spring.security.user.roles=ADMIN,OVERSIGHT

Comment From: manueljordan

Yes, it is correct. It has been confirmed. Sorry for the issue.

Normally, for a plain/pure Spring Framework + Spring Security app, it can be declared as:

import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Delegating encoder: dispatches on the "{id}" prefix of the stored hash, BCrypt by default
@Bean
PasswordEncoder passwordEncoder() {
   return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
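The following is an added example illustrating the behaviour discussed in the last two comments; it is not code from the issue or from the Spring projects. It shows why a `{bcrypt}`-prefixed hash works with Spring Security's default DelegatingPasswordEncoder, why the same hash without the prefix is rejected by it, and why a dedicated BCryptPasswordEncoder accepts the bare hash. It needs only spring-security-crypto on the classpath; the raw password is a constructed value for the demonstration and the class name is arbitrary.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class DelegatingEncoderDemo {

    public static void main(String[] args) {
        // Constructed raw password for the demonstration only; not a real credential.
        String raw = "s3cr3t-dem0";

        // Hash it once with plain BCrypt, as someone would when preparing the
        // spring.security.user.password value by hand (e.g. with the Spring Boot CLI).
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();
        String bareHash = bcrypt.encode(raw);          // "$2a$10$..." with no algorithm id
        String prefixedHash = "{bcrypt}" + bareHash;   // form the delegating encoder expects

        // The encoder Spring Security uses when no PasswordEncoder bean is declared.
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // 1. With the {bcrypt} id the delegating encoder routes to BCryptPasswordEncoder.
        System.out.println("prefixed hash matches: " + delegating.matches(raw, prefixedHash));

        // 2. Without an id the delegating encoder cannot choose an algorithm and refuses
        //    rather than guessing; this is the case the original report ran into.
        try {
            delegating.matches(raw, bareHash);
            System.out.println("bare hash unexpectedly accepted");
        } catch (IllegalArgumentException ex) {
            System.out.println("bare hash rejected: " + ex.getMessage());
        }

        // 3. A dedicated BCryptPasswordEncoder accepts the bare hash, which is why declaring
        //    that bean made the un-prefixed property value work in the original report.
        System.out.println("bare hash with BCryptPasswordEncoder: " + bcrypt.matches(raw, bareHash));

        // 4. Hashes produced by the delegating encoder itself already carry the id,
        //    so storing its output avoids the problem entirely.
        String encodedByDelegating = delegating.encode(raw);
        System.out.println("delegating encoder adds prefix: " + encodedByDelegating.startsWith("{bcrypt}"));
    }
}
```

Expected behaviour: case 1 prints true, case 2 prints the IllegalArgumentException message about no PasswordEncoder being mapped for the id "null", and cases 3 and 4 print true. The practical rule is the one philwebb gave: either prefix the stored hash with its algorithm id, or declare a PasswordEncoder bean that matches the format of the hash you store.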