From dca1f70f432c71fd179ab12e96ecbf58019ad47e Mon Sep 17 00:00:00 2001
From: Pekka Helenius
Date: Fri, 9 Oct 2020 19:13:47 +0300
Subject: [PATCH] More specific Bcrypt configuration
Signed-off-by: Pekka Helenius
---
 .../com/fjordtek/bookstore/BookstoreApplication.java | 9 +++++++--
 .../com/fjordtek/bookstore/config/WebSecurityConfig.java | 8 +++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/BookstoreApplication.java b/bookstore/src/main/java/com/fjordtek/bookstore/BookstoreApplication.java
index b0f62cc..78e67bc 100644
--- a/bookstore/src/main/java/com/fjordtek/bookstore/BookstoreApplication.java
+++ b/bookstore/src/main/java/com/fjordtek/bookstore/BookstoreApplication.java
@@ -3,6 +3,7 @@ package com.fjordtek.bookstore;
 import java.math.BigDecimal;
+import java.security.SecureRandom;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -78,7 +79,11 @@ public class BookstoreApplication extends SpringBootServletInitializer {
 return (args) -> {
- PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
+ /*
+ * Set hash strength to 14 (2^14) + use RNG to randomize generated hash.
+ * Default strength value is 10.
+ */
+ PasswordEncoder passwordEncoder = new BCryptPasswordEncoder(14, new SecureRandom());
 commonLogger.info("Add new roles to the database");
 Role adminAR = new Role(env.getProperty("auth.authority.admin"));
@@ -140,7 +145,7 @@ public class BookstoreApplication extends SpringBootServletInitializer {
 commonLogger.info(role.toString());
 }
 commonLogger.info("Sample users in the database");
- commonLogger.info("**ENCRYPTED PASSWORDS ARE PRINTED ONLY FOR DEMO PURPOSES**");
+ commonLogger.info("**HASHED PASSWORDS ARE PRINTED ONLY FOR DEMO PURPOSES**");
 for (User user : userRepository.findAll()) {
 commonLogger.info(user.toString());
 }
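Review bot: The work factor 14 and the `new SecureRandom()` argument are now hard-coded twice — in this CommandLineRunner and again in `bCryptPasswordEncoder()` in the WebSecurityConfig.java hunk — so the encoder that seeds the sample users and the encoder that authenticates them can silently drift apart; prefer injecting the `BCryptPasswordEncoder` bean here, or reading the strength via `env.getProperty` as this lambda already does for role names, so there is one source of truth. The added comment also overstates what the second argument does: bcrypt always salts, and the no-arg constructor already draws that salt from an internal `SecureRandom` (worth confirming against the Spring Security version in use), so the explicit instance changes nothing about randomness — I would reword it to `/* Work factor 14 (2^14 rounds); Spring's default is 10. The SecureRandom only supplies the salt; bcrypt always salts. */`. Cost 14 makes each hash, and therefore each login attempt, roughly 16x slower than the default, which is worth measuring on the target hardware and pairing with rate limiting on the login endpoint. The lambda this line belongs to starts before and ends after the hunk.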
diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
index b4c06d7..1325237 100644
--- a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
+++ b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
@@ -2,6 +2,8 @@ package com.fjordtek.bookstore.config;
+import java.security.SecureRandom;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.MessageSource;
 import org.springframework.context.annotation.Bean;
@@ -62,7 +64,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 @Bean
 public BCryptPasswordEncoder bCryptPasswordEncoder() {
- return new BCryptPasswordEncoder();
+ /*
+ * Set hash strength to 14 (2^14) + use RNG to randomize generated hash.
+ * Default strength value is 10.
+ */
+ return new BCryptPasswordEncoder(14, new SecureRandom());
 }
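Review bot: Raising the bean's cost to 14 only affects hashes created from now on; bcrypt stores the cost inside each hash, so any rows already hashed at the default strength keep verifying through `matches` but are never re-hashed — if the database is not re-seeded on every start, a re-hash on successful login is needed, and `BCryptPasswordEncoder.upgradeEncoding(String)` (Spring Security 5.1+) reports exactly those stale hashes. As a point of style, the bare `14` should be a named constant or an externalized property rather than a literal repeated in two classes, and the bean deserves a Javadoc stating the cost and that it is the single encoder to use for both seeding and authentication, e.g. `/** Password encoder for seeding and login; bcrypt cost 14 (2^14 rounds), Spring default is 10. */`. The enclosing class continues outside the hunk.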