BCryptPasswordEncoder Bad strength Spring Boot Security

In a Spring Boot Security application, the error “Exception in thread "main" java.lang.IllegalArgumentException: Bad strength” appears when the application starts. The BCryptPasswordEncoder throws this exception because it cannot create and initialize the encoder object. This post explains the cause of the exception and how to fix it.

The Spring Boot Security application fails to start, throwing an exception that says “Bad strength” from the BCryptPasswordEncoder. The exception is caused by an invalid configuration of the BCryptPasswordEncoder class.

Exception in thread "main" java.lang.IllegalArgumentException: Bad strength
	at org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder.<init>(BCryptPasswordEncoder.java:94)
	at org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder.<init>(BCryptPasswordEncoder.java:76)
	at org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder.<init>(BCryptPasswordEncoder.java:53)
	at com.yawintutor.SpringBootSecurityPasswordEncoderApplication.main(SpringBootSecurityPasswordEncoderApplication.java:13)


Root Cause

The Spring Boot application uses the BCryptPasswordEncoder to encode and verify user passwords. BCryptPasswordEncoder is Spring Security's implementation of the bcrypt algorithm. The class lets you raise the cost of the hashing algorithm by passing a strength value (the bcrypt work factor, or log rounds) as a constructor argument.

The strength must be a value between 4 and 31 inclusive. The default is 10. If the strength value is outside that range, the BCryptPasswordEncoder constructor throws the “Bad strength” exception.
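To see the constructor's behaviour concretely, here is an added stand-alone example (not code from this page or from the Spring project) that probes several strength values, reads the cost back out of a produced hash, and times a hash at increasing strengths. It assumes spring-security-crypto on the classpath; the class name and the sample password are made up.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptStrengthProbe {

    // Mirrors the range the constructor enforces: 4..31 inclusive, or -1 for the default (10).
    static boolean isValidStrength(int strength) {
        return strength == -1 || (strength >= 4 && strength <= 31);
    }

    // Construct an encoder, returning null when Spring Security rejects the strength
    // instead of letting the IllegalArgumentException abort startup.
    static BCryptPasswordEncoder tryCreate(int strength) {
        try {
            return new BCryptPasswordEncoder(strength);
        } catch (IllegalArgumentException e) {
            System.out.println("strength " + strength + " rejected: " + e.getMessage());
            return null;
        }
    }

    // A bcrypt hash has the form $2a$<cost>$<22-char salt><31-char digest>.
    // The cost field records the work factor used, so it can be read back from stored hashes.
    static int costOf(String bcryptHash) {
        String[] parts = bcryptHash.split("\\$"); // ["", "2a", "12", "<salt+digest>"]
        return Integer.parseInt(parts[2]);
    }

    // Wall-clock time of one hash at the given strength, in milliseconds.
    static long millisToHash(int strength, String password) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(strength);
        long start = System.nanoTime();
        encoder.encode(password);
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple"; // constructed sample input

        // 3 and 50 are rejected; 4, 10, 31 and -1 are accepted. (31 passes the constructor's
        // check but would take far too long to actually hash with, so it is never used here.)
        for (int s : new int[] {3, 4, 10, 31, 50, -1}) {
            System.out.println("strength " + s + " valid=" + isValidStrength(s)
                    + " constructed=" + (tryCreate(s) != null));
        }

        // The strength is embedded in every hash the encoder produces ...
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(12);
        String hash = encoder.encode(password);
        System.out.println("hash: " + hash + " (cost " + costOf(hash) + ")");

        // ... and matches() reads the cost from the hash, so an encoder built with a
        // different strength (here the default, 10) still verifies it. This is what lets
        // you raise the strength later without invalidating hashes already stored.
        System.out.println("verified with default encoder: "
                + new BCryptPasswordEncoder().matches(password, hash));

        // Each +1 in strength roughly doubles the work per hash.
        for (int s : new int[] {4, 8, 10, 12}) {
            System.out.println("strength " + s + ": " + millisToHash(s, password) + " ms");
        }
    }
}
```

The timing loop is the practical side of the range check: the upper bound exists because the cost is exponential, and the measured milliseconds at 10 and 12 are what you should weigh against your login latency budget when choosing a value above the default.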



How to reproduce this issue

In the Spring Boot application, enable Spring Boot Security in the pom.xml file. Create a BCryptPasswordEncoder object using the constructor that takes a strength argument, and pass a value outside the range 4 to 31. Restart the Spring Boot application; the exception is thrown at startup.

In the example below the strength is set to 50, which is not between 4 and 31.

SpringBootSecurityPasswordEncoderApplication.java

package com.yawintutor;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@SpringBootApplication
public class SpringBootSecurityPasswordEncoderApplication {

	public static void main(String[] args) {
		SpringApplication.run(SpringBootSecurityPasswordEncoderApplication.class, args);

		// Strength 50 is outside the allowed range 4..31, so this constructor throws "Bad strength"
		BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(50);
		String password = "password";
		String encodedPassword = passwordEncoder.encode(password);

		System.out.println();
		System.out.println("Password is         : " + password);
		System.out.println("Encoded Password is : " + encodedPassword);
		System.out.println();

	}

}


Solution 1

Check the BCryptPasswordEncoder constructor call or the BCryptPasswordEncoder bean definition and look at the strength value passed to the constructor. If the value is not between 4 and 31, change it. The default is 10. If you are not sure which value to use, pass “-1”, which makes BCryptPasswordEncoder use its default strength (10). Restart the Spring Boot application and verify that it starts.



Solution 2

Remove the constructor parameter from the BCryptPasswordEncoder constructor call and use the no-argument constructor, which sets the strength to the default of 10 (the example below passes 10 explicitly, which is equivalent).

package com.yawintutor;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@SpringBootApplication
public class SpringBootSecurityPasswordEncoderApplication {

	public static void main(String[] args) {
		SpringApplication.run(SpringBootSecurityPasswordEncoderApplication.class, args);

		// Strength 10 is the default and lies within the allowed range 4..31
		BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(10);
		String password = "password";
		String encodedPassword = passwordEncoder.encode(password);

		System.out.println();
		System.out.println("Password is         : " + password);
		System.out.println("Encoded Password is : " + encodedPassword);
		System.out.println();

	}

}
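For a real application, a safer pattern than hard-coding the argument in main() is to read the strength from configuration and validate it before constructing the bean, so a bad value fails fast with a message naming the property rather than a bare “Bad strength”. The following @Configuration class is an added example, not the page's own code; the property name app.security.bcrypt-strength and the class and package names are assumptions.

```java
package com.example.config; // hypothetical package

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class PasswordEncoderConfig {

    // Bounds Spring Security accepts, and the default it substitutes for -1.
    static final int MIN_STRENGTH = 4;
    static final int MAX_STRENGTH = 31;
    static final int DEFAULT_STRENGTH = 10;

    // Hypothetical property, e.g. app.security.bcrypt-strength=12 in application.properties.
    // When absent it falls back to -1, which BCryptPasswordEncoder treats as "use the default (10)".
    @Value("${app.security.bcrypt-strength:-1}")
    private int configuredStrength;

    // Validate up front so a misconfiguration produces a message naming the property,
    // instead of the bare "Bad strength" IllegalArgumentException from the constructor.
    static int checkedStrength(int strength) {
        if (strength == -1) {
            return DEFAULT_STRENGTH;
        }
        if (strength < MIN_STRENGTH || strength > MAX_STRENGTH) {
            throw new IllegalStateException(
                    "app.security.bcrypt-strength must be -1 or between " + MIN_STRENGTH
                    + " and " + MAX_STRENGTH + " inclusive, but was " + strength);
        }
        if (strength < DEFAULT_STRENGTH) {
            // Accepted by the constructor, but a cost below the default makes offline
            // guessing of leaked hashes cheaper; this example treats it as a configuration error.
            throw new IllegalStateException(
                    "app.security.bcrypt-strength " + strength + " is below the default of "
                    + DEFAULT_STRENGTH + "; refusing to weaken password hashing");
        }
        return strength;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(checkedStrength(configuredStrength));
    }
}
```

Rejecting values below 10 is a policy choice made in this example, not something the constructor enforces: Spring Security accepts anything from 4 upward, so a typo such as 1 instead of 12 (outside the range) still fails with "Bad strength" there, while 4 would silently start the application with a much cheaper hash.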


