First login with Spring Security 5 fails: Encoded password does not look like BCrypt
Hey there! Let's tackle that frustrating "Encoded password does not look like BCrypt" error you're hitting when trying to log in with Spring Security 5. I've helped lots of folks work through this, so let's break down the root causes and fixes based on your setup.
First, why does this happen?
Spring Security 5's BCryptPasswordEncoder checks the shape of the stored value before it compares anything: a 60-character string starting with $2a$, $2b$ or $2y$, followed by the two-digit cost and 53 characters of salt plus hash. If your password column holds plain text, a hash from a different algorithm, a {bcrypt}-prefixed value meant for DelegatingPasswordEncoder, or a truncated or otherwise malformed BCrypt string, matches() logs the warning "Encoded password does not look like BCrypt", returns false, and the login fails with Bad credentials.
Let's fix this step by step
1. Make sure you're explicitly configuring a BCryptPasswordEncoder
Spring Security 5 dropped the old plain-text default: the default encoder is now DelegatingPasswordEncoder, which expects every stored value to carry an {id} prefix such as {bcrypt}. To keep raw, unprefixed BCrypt hashes in your database you must define a BCryptPasswordEncoder explicitly and attach it to your JDBC authentication setup, so that it is the only encoder in play. Looking at your SecurityConfig code, this wiring is the piece that's missing.
Update your config class to add a PasswordEncoder bean and wire it into your jdbcAuthentication setup:
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Define the BCrypt password encoder bean
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public void globalConfig(AuthenticationManagerBuilder auth, DataSource dataSource,
                             PasswordEncoder passwordEncoder) throws Exception {
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            // Replace with your full query; the columns must come back as username, password, enabled
            .usersByUsernameQuery("SELECT username, password, enabled FROM users WHERE username = ?")
            // Optional: add the authorities query if you're using roles/permissions
            .authoritiesByUsernameQuery("SELECT username, authority FROM authorities WHERE username = ?")
            // Attach the encoder here; this is the key step
            .passwordEncoder(passwordEncoder);
    }
}
2. Verify your database password format
Check the password column in your users table. It must contain valid BCrypt strings, not plain text. For example:
- Valid BCrypt: $2a$10$Z8HkX8U8r6L5eQ7wR9tY0uV1bN2mB3vC4nM6xK8jH0fD2sG5dF1aS
- Invalid: myPlainTextPassword, or a SHA-256 hashed string
3. Generate valid BCrypt passwords for your database
If you currently have plain text passwords, you need to convert them to BCrypt format first. Here are two easy ways to do this:
Option 1: A simple test class
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BCryptPasswordGenerator {
    public static void main(String[] args) {
        String plainPassword = "your-user-password";
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Each run prints a different hash because BCrypt picks a fresh salt;
        // every one of them still matches the same plain password.
        System.out.println("BCrypt hash: " + encoder.encode(plainPassword));
    }
}
Run this, copy the whole 60-character output, and update the password column in your database with that string. Don't trim or re-quote it, and if you stay on the DelegatingPasswordEncoder default instead of an explicit BCryptPasswordEncoder, store it with the {bcrypt} prefix.
Option 2: Use a Spring Boot CommandLineRunner
Add this bean to your Spring Boot application class to generate hashes on startup, then remove it once the database is migrated so real passwords never end up in your logs:
import org.springframework.boot.CommandLineRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Bean
CommandLineRunner generateBCryptHashes() {
    return args -> {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        System.out.println("Hash for 'test123': " + encoder.encode("test123"));
        // Add more passwords as needed
    };
}
4. Double-check your custom SQL queries
Ensure your usersByUsernameQuery returns columns in this exact order: username, password, enabled. Spring reads them by position (column 1, 2 and 3), not by name.
If the order is wrong (e.g. password comes after enabled), Spring will try to validate the wrong value as the password, causing the same error.
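Before you restart, it's worth knowing exactly what is sitting in the password column. The following is an added example, not code from the original answer: it classifies stored values the way the two Spring encoders will see them, using the same regular expression BCryptPasswordEncoder applies before it calls BCrypt.checkpw, and then shows what matches() does with each kind of value. The usernames and stored values are constructed sample rows standing in for the result of SELECT username, password FROM users; the class name StoredPasswordAudit and the helpers classify, advice and audit are invented for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Audits the values of a users.password column before switching encoders.
 * Added example, not part of the original answer; sample rows are constructed.
 */
public class StoredPasswordAudit {

    /** The pattern BCryptPasswordEncoder checks before comparing anything. */
    private static final Pattern BCRYPT_PATTERN =
            Pattern.compile("\\A\\$2(a|y|b)?\\$(\\d\\d)\\$[./0-9A-Za-z]{53}");

    private static final String DELEGATING_PREFIX = "{bcrypt}";

    enum Format { BCRYPT, PREFIXED_BCRYPT, OTHER }

    /** Classifies a stored value the way the two Spring encoders will see it. */
    static Format classify(String stored) {
        if (stored == null) {
            return Format.OTHER;
        }
        if (BCRYPT_PATTERN.matcher(stored).matches()) {
            return Format.BCRYPT;
        }
        if (stored.startsWith(DELEGATING_PREFIX)
                && BCRYPT_PATTERN.matcher(stored.substring(DELEGATING_PREFIX.length())).matches()) {
            return Format.PREFIXED_BCRYPT;
        }
        return Format.OTHER;
    }

    /** Which encoder configuration accepts a value of this format without the warning. */
    static String advice(Format format) {
        switch (format) {
            case BCRYPT:
                return "OK with an explicit BCryptPasswordEncoder; the DelegatingPasswordEncoder "
                     + "default throws 'no PasswordEncoder mapped for the id \"null\"'";
            case PREFIXED_BCRYPT:
                return "OK with the DelegatingPasswordEncoder default; a bare BCryptPasswordEncoder "
                     + "logs 'Encoded password does not look like BCrypt'";
            default:
                return "not BCrypt at all: re-hash it with BCryptPasswordEncoder.encode before login can work";
        }
    }

    /** One report line per user, in the order the rows were supplied. */
    static Map<String, String> audit(Map<String, String> usersToStoredPassword) {
        Map<String, String> report = new LinkedHashMap<>();
        usersToStoredPassword.forEach((user, stored) -> {
            Format format = classify(stored);
            report.put(user, format + " -> " + advice(format));
        });
        return report;
    }

    public static void main(String[] args) {
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // Constructed sample rows standing in for SELECT username, password FROM users.
        Map<String, String> rows = new LinkedHashMap<>();
        rows.put("alice", bcrypt.encode("test123"));        // raw BCrypt, 60 characters
        rows.put("bob", delegating.encode("test123"));      // "{bcrypt}$2a$10$..." (68 characters)
        rows.put("carol", "myPlainTextPassword");           // never hashed
        rows.put("dave", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"); // SHA-256 hex

        audit(rows).forEach((user, line) -> System.out.println(user + ": " + line));

        // What a login attempt does with each value under an explicit BCryptPasswordEncoder:
        System.out.println("alice logs in: " + bcrypt.matches("test123", rows.get("alice"))); // true
        System.out.println("carol logs in: " + bcrypt.matches("test123", rows.get("carol"))); // false, plus the warning
        System.out.println("bob logs in:   " + bcrypt.matches("test123", rows.get("bob")));   // false, plus the warning

        // Under the delegating default an unprefixed hash is not 'Bad credentials' but an exception:
        try {
            delegating.matches("test123", rows.get("alice"));
        } catch (IllegalArgumentException e) {
            System.out.println("delegating encoder on a raw hash: " + e.getMessage());
        }
    }
}
```

The point of the three matches() calls is that the stored format and the configured encoder have to agree: alice's row works only with BCryptPasswordEncoder, bob's row works only with the delegating default, and carol's and dave's rows work with neither until they are re-hashed. Run the audit against a dump of your real table (or adapt it to read from the DataSource) and fix every row that comes back OTHER before you try logging in again.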
Final Check
Once you've updated your config, replaced your database passwords with valid BCrypt hashes, and confirmed your SQL queries are correct, restart your application and try logging in again. If the warning still appears in the log, compare the stored value's length with the expected 60 characters; a trailing space or a column that is too narrow will truncate the hash and trigger exactly this message.
The question comes from Stack Exchange; question author: Kader Moulay Ely