BCryptPasswordEncoder – Empty encoded password Spring Boot Security

In spring boot security application, this error message “o.s.s.c.bcrypt.BCryptPasswordEncoder : Empty encoded password” is seen often. The user is not allowed to login to the application by security authentication failure. In this post, we will see about this warning message

If users of the application attempt to login with a valid username and password, the spring boot security module will not allow access. Authentication failure will always be seen. If you check in the spring boot console log, you will not see any error message. You’ll see this warning message instead.

2020-02-21 09:56:35.923  WARN 16364 --- [           main] o.s.s.c.bcrypt.BCryptPasswordEncoder     : Empty encoded password

Root Cause

In the spring boot application, the spring boot security module is configured. The security module authenticates the username and password by validating with stored encoded password. The encoded password may be stored in database, InMemory database or any other storage media. The security module is unable to get the stored password or error while getting the password or the encoded password is null or empty string.

How to reproduce this issue

Create a spring boot application with spring boot security module enabled. Use the BCryptPasswordEncoder to encrypt a password. Validate the password with an empty encoded password. This error message will be shown in the spring boot console log.

package com.yawintutor;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@SpringBootApplication
public class SpringBootSecurityPasswordEncoderApplication {

	public static void main(String[] args) {
		SpringApplication.run(SpringBootSecurityPasswordEncoderApplication.class, args);

		BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
		String password = "password";
		String encodedPassword = passwordEncoder.encode(password);

		System.out.println();
		System.out.println("Password is         : " + password);
		System.out.println("Encoded Password is : " + encodedPassword);
		System.out.println();

		
		boolean isPasswordMatch = passwordEncoder.matches(password, "");
		System.out.println("Password : " + password + "   isPasswordMatch    : " + isPasswordMatch);
	}
}

Solution 1

Verify the encoded password stored in the database or any storage media. Is the encoded password contains 60 characters long. If the password is not stored or stored with empty string, ask the user to reset the password or create a dummy password and store after encoding using BCryptPasswordEncoder. Check this page to encrypt your password. https://www.yawintutor.com/encode-decode-using-bcryptpasswordencoder-in-spring-boot-security/

Solution 2

The spring boot application is unable to retrieve the encoded database from the storage devices like database or in network. Fix the network issue or the access issue. Identify any exception or block of code that blocks retrieval of the encoded password. Make sure the entity objects contains with encoded password. If any issue on getting encoded password, fix the issue.

Solution 3

Check the code bug that stops reading encoded password and assigning to the right variable in the program. If any code is missing or wrong, fix the code issue.

package com.yawintutor;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@SpringBootApplication
public class SpringBootSecurityPasswordEncoderApplication {

	public static void main(String[] args) {
		SpringApplication.run(SpringBootSecurityPasswordEncoderApplication.class, args);

		BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
		String password = "password";
		String encodedPassword = passwordEncoder.encode(password);

		System.out.println();
		System.out.println("Password is         : " + password);
		System.out.println("Encoded Password is : " + encodedPassword);
		System.out.println();

		
		boolean isPasswordMatch = passwordEncoder.matches(password, encodedPassword);
		System.out.println("Password : " + password + "   isPasswordMatch    : " + isPasswordMatch);
	}
}

Output

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v2.2.4.RELEASE)

2020-02-21 10:27:23.323  INFO 19793 --- [           main] ngBootSecurityPasswordEncoderApplication : Starting SpringBootSecurityPasswordEncoderApplication on banl1691b9157 with PID 19793 (/Users/test/STS/workspace/SpringBootSecurityPasswordEncoder/target/classes started by test in /Users/test/STS/workspace/SpringBootSecurityPasswordEncoder)
2020-02-21 10:27:23.325  INFO 19793 --- [           main] ngBootSecurityPasswordEncoderApplication : No active profile set, falling back to default profiles: default
2020-02-21 10:27:23.752  INFO 19793 --- [           main] ngBootSecurityPasswordEncoderApplication : Started SpringBootSecurityPasswordEncoderApplication in 0.664 seconds (JVM running for 3.193)

Password is         : password
Encoded Password is : $2a$10$4.jV3xcv1tORCN9szDekKuJcQkJO.8zxti2lIJmoeSKxJRJ.sfd1i

Password : password   isPasswordMatch    : true