URL: https://www.geeksforgeeks.org/java/spring-security-password-encoder/

Spring Security - Password Encoder

Last Updated : 26 May, 2026

Spring Security provides the PasswordEncoder interface to securely store and verify user passwords in Java applications. Instead of saving passwords in plain text, passwords are encoded using secure hashing algorithms like BCrypt, PBKDF2, SCrypt, and Argon2.

  • Prevents storing passwords in plain text.
  • Supports different secure hashing algorithms.
  • Helps protect applications from password theft and brute-force attacks.

Why Use PasswordEncoder?

Using PasswordEncoder improves application security because:

  • Passwords are stored in encoded form instead of plain text.
  • Password cracking becomes more difficult.
  • It adds protection against brute-force and rainbow table attacks.
  • It supports secure password verification during authentication.

Step-by-Step Implementation of Password Encoder

Step 1: Create a Dynamic Web Project

  • Open STS or Eclipse IDE.
  • Create a new Dynamic Web Project.
  • Configure Apache Tomcat Server.
  • Add Spring MVC and Spring Security support.

Project Structure

[Image: Folder Structure]

Step 2: Add Dependencies to pom.xml File

Add the following dependencies to your pom.xml file

  • Spring Web MVC
  • Java Servlet API
  • Spring Security Config
  • Spring Security Web

Below is the complete pom.xml file. Please cross-verify if you have missed some dependencies.

Step 3: Configuring Dispatcher Servlet

Go to the src > main > java and create a class WebAppInitilizer.

  • Extend AbstractAnnotationConfigDispatcherServletInitializer.
  • Add configuration class inside getServletConfigClasses().

File: WebAppInitilizer.java

Step 4: Configure Spring MVC and PasswordEncoder

Create another class in the same location (src > main > java) and name it MyAppConfig.

  • Use @ComponentScan("com") for component scanning.
  • Create PasswordEncoder bean using BCryptPasswordEncoder.

File: MyAppConfig.java

Reference article: Spring – Configure Dispatcher Servlet in Three Different Ways

Step 5: Create Controller

Go to the src > main > java and create a class GfgController.

  • Use @Controller annotation.
  • Use @GetMapping() for URL mapping.

File: GfgController.java

Step 6: Create JSP View

Go to the src > main > webapp > WEB-INF > right-click > New > Folder and name the folder as views. Then views > right-click > New > JSP File and name your first view.

  • Create JSP inside WEB-INF/views.
  • JSP file name should match returned view name.

File: hello-gfg.jsp

Step 7: Setting Up ViewResolver in Spring MVC

Go to the src > main > java > MyAppConfig and set your ViewResolver.

File: MyAppConfig.java

Step 8: Configure Spring Security

Go to the src > main > java and create a class MySecurityAppConfig and annotate the class with @EnableWebSecurity annotation.

  • Extend WebSecurityConfigurerAdapter.
  • Use inMemoryAuthentication() for in-memory users.

File: MySecurityAppConfig.java

Step 9: Register Security Filter Chain

Go to the src > main > java and create a class SecurityInitializer.

  • Extend AbstractSecurityWebApplicationInitializer.
  • Registers Spring Security filter automatically.

File: SecurityInitializer.java

Now we are done with setting up our Spring Security Filter Chain.

Step 10: Create Users and Password Encoder

Modify the MyAppConfig file. Here we are going to create the PasswordEncoder Bean.

File: MyAppConfig.java

Modify the MySecurityAppConfig file. Here we create the user, provide the password in BCrypt format, and assign roles to the user.

File: MySecurityAppConfig.java
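
How the BCrypt-format password for the user in this step can be produced and verified, as an added example that is not the article's own code. The class name BcryptDemo and the wrong-password value are hypothetical, and it assumes the Spring Security dependencies from Step 2 are on the classpath.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (hypothetical class name), not part of the tutorial project.
public class BcryptDemo {

    public static void main(String[] args) {
        // Strength is the log2 work factor; 10 is the library default.
        PasswordEncoder encoder = new BCryptPasswordEncoder(10);

        String raw = "gfg123"; // the tutorial's demo password

        // Each encode() call draws a fresh random salt, so two hashes of
        // the same password differ. Stored hashes must be checked with
        // matches(), never by re-encoding and comparing strings.
        String first = encoder.encode(raw);
        String second = encoder.encode(raw);
        System.out.println("hash 1: " + first);
        System.out.println("hash 2: " + second);
        System.out.println("hashes equal?     " + first.equals(second));

        // matches() reads the salt and cost back out of the stored hash.
        System.out.println("correct password: " + encoder.matches(raw, first));
        System.out.println("also verifies #2: " + encoder.matches(raw, second));
        System.out.println("wrong password:   " + encoder.matches("gfg124", first));

        // Stored layout: $<version>$<cost>$<22-char salt><31-char digest>
        String[] parts = first.split("\\$");
        System.out.println("version=" + parts[1] + " cost=" + parts[2]
                + " salt=" + parts[3].substring(0, 22));

        // Raising the work factor later: upgradeEncoding() flags hashes
        // created with a lower cost so they can be re-encoded at next login.
        PasswordEncoder stronger = new BCryptPasswordEncoder(12);
        System.out.println("needs re-hash at cost 12? "
                + stronger.upgradeEncoding(first));
    }
}
```

Either printed hash can be used as the stored password for the gfg user; both verify gfg123 even though the strings differ.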

Step 11: Run Your Spring MVC Application

To run the Spring MVC application, right-click on your project > Run As > Run on Server. After that, use the following URL to reach your controller.

http://localhost:8080/springsecurity/gfg

When you hit the URL, you are redirected automatically to this URL:

http://localhost:8080/springsecurity/login

And the output is something like this.

[Image: output at the login URL]

Now sign in with the following credentials

  • Username: gfg
  • Password: gfg123

[Image: Spring-Security---Password-Encoder-1.png]

And now you can access your endpoint.

[Image: output of the endpoint]
