how to compare a password text with the bcrypt hashes?
Actually I found my answer. I realized that I can use the matches function in the class org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder.
BCryptPasswordEncoder b = new BCryptPasswordEncoder();
System.out.println(b.matches("passw0rd", "$2a$10$tztZsPFZ.T.82Gl/VIuMt.RDjayTwuMLAkRkO9SB.rd92vHWKZmRm"));
You can use the matches method in BCryptPasswordEncoder, something like this:
b.matches("passw0rd", hash)
Spring Security just reads the salt from the previously generated hash and rehashes the input password with the same salt. Then it compares both final hashes, and obviously they will be the same.
Example:
Password: test
Hash: $2a$10$nCgoWdqJwQs9prt7X5a/2eWLn88I8pon6iNat90u4rq4mHqtoPGQy
The hash has 3 segments, each separated by the $ symbol. 2a is the version of Bcrypt, 10 is the total rounds and nCgoWdqJwQs9prt7X5a/2e is the salt.
So Spring Security takes the password test and the salt nCgoWdqJwQs9prt7X5a/2e and runs the hashing method. Obviously it generates the same hash, as the password and salt match.
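The verification flow described in this answer, as an added example that is not part of the original post or of Spring Security itself. It assumes spring-security-crypto is on the classpath and uses only the real BCrypt.hashpw, BCryptPasswordEncoder.encode and BCryptPasswordEncoder.matches calls; the class name BcryptVerifyDemo, the BcryptParts holder and the parse helper are my own. It takes the "test" hash from the answer apart into version, cost, salt and digest, recomputes the hash with the extracted salt exactly as the answer describes, and then contrasts that with what the encoder does for a wrong password, for a second hash of the same password, and for a stored value that is not a bcrypt string at all.

```java
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptVerifyDemo {

    // Hash quoted in the answer above: password "test", cost factor 10.
    static final String STORED_HASH =
            "$2a$10$nCgoWdqJwQs9prt7X5a/2eWLn88I8pon6iNat90u4rq4mHqtoPGQy";

    /** Holds the four pieces of a modular-crypt-format bcrypt string (helper written for this example). */
    static final class BcryptParts {
        final String version;   // "2a", "2b" or "2y"
        final int cost;         // log2 of the key-expansion rounds: 10 means 2^10 rounds
        final String salt;      // 22 chars of bcrypt's base64 alphabet (128 bits of salt)
        final String digest;    // remaining 31 chars, the hash output

        BcryptParts(String version, int cost, String salt, String digest) {
            this.version = version;
            this.cost = cost;
            this.salt = salt;
            this.digest = digest;
        }

        /** Rebuilds the "$2a$10$<salt>" prefix that BCrypt.hashpw expects as its salt argument. */
        String saltPrefix() {
            return String.format("$%s$%02d$%s", version, cost, salt);
        }
    }

    /** Splits "$2a$10$<22-char salt><31-char digest>" and rejects anything of another shape. */
    static BcryptParts parse(String hash) {
        String[] f = hash.split("\\$");            // the leading "$" yields an empty f[0]
        if (f.length != 4 || !f[1].startsWith("2") || f[3].length() != 53) {
            throw new IllegalArgumentException("not a bcrypt hash string");
        }
        return new BcryptParts(f[1], Integer.parseInt(f[2]),
                f[3].substring(0, 22), f[3].substring(22));
    }

    public static void main(String[] args) {
        BcryptParts p = parse(STORED_HASH);
        System.out.println("version=" + p.version + " cost=" + p.cost + " salt=" + p.salt);

        // The step the answer describes: hash the candidate with the stored salt, then compare.
        String recomputed = BCrypt.hashpw("test", p.saltPrefix());
        System.out.println("recomputed equals stored : " + recomputed.equals(STORED_HASH));

        // The same check through the encoder; this is what application code should call.
        BCryptPasswordEncoder enc = new BCryptPasswordEncoder();
        System.out.println("matches(\"test\")          : " + enc.matches("test", STORED_HASH));
        System.out.println("matches(\"Test\")          : " + enc.matches("Test", STORED_HASH));

        // Every encode() draws a fresh random salt, so two hashes of one password differ
        // as strings even though both verify; comparing hash strings directly is never valid.
        String h1 = enc.encode("test");
        String h2 = enc.encode("test");
        System.out.println("h1 equals h2             : " + h1.equals(h2));
        System.out.println("both verify              : "
                + (enc.matches("test", h1) && enc.matches("test", h2)));

        // A stored value that is not a bcrypt string is reported as a non-match, not as an error.
        System.out.println("matches vs garbage       : " + enc.matches("test", "not-a-hash"));
    }
}
```

Run it with spring-security-crypto on the classpath. The recomputed string is identical to the stored hash, which is the whole point of the answer: the salt is not secret, it is carried inside the hash so that the same input can be re-derived. The two encode() calls show why callers must go through matches rather than comparing stored strings, and the last line shows that a malformed stored value fails closed.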