Adapt to password encoder changes in Spring Security

Closes gh-10762
7 years ago · 66b55defa0
parent 35c6b83fce
commit 66b55defa0
17 changed files with 100 additions and 59 deletions
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java
@ -21,6 +21,7 @@ import java.util.UUID;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;

+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
@ -31,6 +32,8 @@ import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;

 /**
@ -54,11 +57,15 @@ public class AuthenticationManagerConfiguration {
 			.getLog(AuthenticationManagerConfiguration.class);

 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager(
+			ObjectProvider<PasswordEncoder> passwordEncoder) throws Exception {
 		String password = UUID.randomUUID().toString();
 		logger.info(String.format("%n%nUsing default security password: %s%n", password));
+		String encodedPassword = passwordEncoder
+				.getIfAvailable(PasswordEncoderFactories::createDelegatingPasswordEncoder)
+				.encode(password);
 		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password(password).roles().build());
+				User.withUsername("user").password(encodedPassword).roles().build());
 	}

 }
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/reactive/ReactiveAuthenticationManagerConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/reactive/ReactiveAuthenticationManagerConfiguration.java
@ -21,6 +21,7 @@ import java.util.UUID;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;

+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
@ -31,6 +32,8 @@ import org.springframework.security.core.userdetails.MapReactiveUserDetailsServi
 import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.crypto.password.PasswordEncoder;

 /**
 * Default user {@link Configuration} for a reactive web application. Configures a
@ -52,10 +55,15 @@ public class ReactiveAuthenticationManagerConfiguration {
 			.getLog(ReactiveAuthenticationManagerConfiguration.class);

 	@Bean
-	public MapReactiveUserDetailsService reactiveUserDetailsService() {
+	public MapReactiveUserDetailsService reactiveUserDetailsService(
+			ObjectProvider<PasswordEncoder> passwordEncoder) {
 		String password = UUID.randomUUID().toString();
 		logger.info(String.format("%n%nUsing default security password: %s%n", password));
-		UserDetails user = User.withUsername("user").password(password).roles().build();
+		String encodedPassword = passwordEncoder
+				.getIfAvailable(PasswordEncoderFactories::createDelegatingPasswordEncoder)
+				.encode(password);
+		UserDetails user = User.withUsername("user").password(encodedPassword).roles()
+				.build();
 		return new MapReactiveUserDetailsService(user);
 	}

--- a/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/security/SecurityTestApplication.java
+++ b/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/security/SecurityTestApplication.java
@ -34,9 +34,9 @@ import org.springframework.web.bind.annotation.RestController;
 public class SecurityTestApplication {

 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("secret").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("secret").roles("USER").build());
 	}

 	@RestController
--- a/spring-boot-samples/spring-boot-sample-actuator-custom-security/src/main/java/sample/actuator/customsecurity/SecurityConfiguration.java
+++ b/spring-boot-samples/spring-boot-sample-actuator-custom-security/src/main/java/sample/actuator/customsecurity/SecurityConfiguration.java
@ -1,20 +1,40 @@
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package sample.actuator.customsecurity;

 import org.springframework.boot.actuate.autoconfigure.security.EndpointRequest;
 import org.springframework.boot.autoconfigure.security.StaticResourceRequest;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

-	@Override
-	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
-		auth.inMemoryAuthentication().withUser("user").password("password")
-				.authorities("ROLE_USER").and().withUser("admin").password("admin")
-				.authorities("ROLE_ACTUATOR", "ROLE_USER");
+	@Bean
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(
+				User.withDefaultPasswordEncoder().username("user").password("password")
+						.authorities("ROLE_USER").build(),
+				User.withDefaultPasswordEncoder().username("admin").password("admin")
+						.authorities("ROLE_ACTUATOR", "ROLE_USER").build());
 	}

 	@Override
--- a/spring-boot-samples/spring-boot-sample-actuator-log4j2/src/main/java/sample/actuator/log4j2/SampleActuatorLog4J2Application.java
+++ b/spring-boot-samples/spring-boot-sample-actuator-log4j2/src/main/java/sample/actuator/log4j2/SampleActuatorLog4J2Application.java
@ -26,9 +26,9 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 public class SampleActuatorLog4J2Application {

 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}

 	public static void main(String[] args) throws Exception {
--- a/spring-boot-samples/spring-boot-sample-actuator-ui/src/main/java/sample/actuator/ui/SampleActuatorUiApplication.java
+++ b/spring-boot-samples/spring-boot-sample-actuator-ui/src/main/java/sample/actuator/ui/SampleActuatorUiApplication.java
@ -33,9 +33,9 @@ import org.springframework.web.bind.annotation.RequestMapping;
 public class SampleActuatorUiApplication {

 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}

 	@GetMapping("/")
--- a/spring-boot-samples/spring-boot-sample-actuator/src/main/java/sample/actuator/SampleActuatorApplication.java
+++ b/spring-boot-samples/spring-boot-sample-actuator/src/main/java/sample/actuator/SampleActuatorApplication.java
@ -34,9 +34,9 @@ public class SampleActuatorApplication {
 	}

 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}

 	@Bean
--- a/spring-boot-samples/spring-boot-sample-secure-webflux/src/main/java/sample/secure/webflux/SampleSecureWebFluxApplication.java
+++ b/spring-boot-samples/spring-boot-sample-secure-webflux/src/main/java/sample/secure/webflux/SampleSecureWebFluxApplication.java
@ -42,8 +42,8 @@ public class SampleSecureWebFluxApplication {

 	@Bean
 	public ReactiveUserDetailsService userDetailsRepository() {
-		return new MapReactiveUserDetailsService(
-				User.withUsername("foo").password("password").roles("USER").build());
+		return new MapReactiveUserDetailsService(User.withDefaultPasswordEncoder()
+				.username("foo").password("password").roles("USER").build());
 	}

 }
--- a/spring-boot-samples/spring-boot-sample-secure/src/main/java/sample/secure/SampleSecureApplication.java
+++ b/spring-boot-samples/spring-boot-sample-secure/src/main/java/sample/secure/SampleSecureApplication.java
@ -38,9 +38,9 @@ public class SampleSecureApplication implements CommandLineRunner {
 	private SampleService service;

 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}

 	@Override
--- a/spring-boot-samples/spring-boot-sample-servlet/src/main/java/sample/servlet/SampleServletApplication.java
+++ b/spring-boot-samples/spring-boot-sample-servlet/src/main/java/sample/servlet/SampleServletApplication.java
@ -38,9 +38,9 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 public class SampleServletApplication extends SpringBootServletInitializer {

 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}

 	@SuppressWarnings("serial")
--- a/spring-boot-samples/spring-boot-sample-session/src/main/java/sample/session/SampleSessionApplication.java
+++ b/spring-boot-samples/spring-boot-sample-session/src/main/java/sample/session/SampleSessionApplication.java
@ -30,9 +30,9 @@ public class SampleSessionApplication {
 	}

 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}

 }
--- a/spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/security/method/SampleMethodSecurityApplication.java
+++ b/spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/security/method/SampleMethodSecurityApplication.java
@ -18,7 +18,6 @@ package sample.security.method;

 import java.util.Date;
 import java.util.Map;
-import java.util.UUID;

 import org.springframework.boot.actuate.autoconfigure.security.EndpointRequest;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
@ -73,10 +72,11 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer {

 		@Bean
 		public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-			String password = UUID.randomUUID().toString();
 			return new InMemoryUserDetailsManager(
-					User.withUsername("admin").password("admin").roles("ADMIN", "USER", "ACTUATOR").build(),
-					User.withUsername("user").password("user").roles("USER").build());
+					User.withDefaultPasswordEncoder().username("admin").password("admin")
+							.roles("ADMIN", "USER", "ACTUATOR").build(),
+					User.withDefaultPasswordEncoder().username("user").password("user")
+							.roles("USER").build());
 		}

 	}
--- a/spring-boot-samples/spring-boot-sample-web-secure-custom/src/main/java/sample/web/secure/custom/SampleWebSecureCustomApplication.java
+++ b/spring-boot-samples/spring-boot-sample-web-secure-custom/src/main/java/sample/web/secure/custom/SampleWebSecureCustomApplication.java
@ -21,10 +21,12 @@ import java.util.Map;

 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@ -67,9 +69,10 @@ public class SampleWebSecureCustomApplication implements WebMvcConfigurer {
 					.failureUrl("/login?error").permitAll().and().logout().permitAll();
 		}

-		@Override
-		public void configure(AuthenticationManagerBuilder auth) throws Exception {
-			auth.inMemoryAuthentication().withUser("user").password("user").roles("USER");
+		@Bean
+		public InMemoryUserDetailsManager InMemoryUserDetailsManager() {
+			return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+					.username("user").password("user").roles("USER").build());
 		}

 	}
--- a/spring-boot-samples/spring-boot-sample-web-secure-jdbc/src/main/java/sample/web/secure/jdbc/SampleWebSecureJdbcApplication.java
+++ b/spring-boot-samples/spring-boot-sample-web-secure-jdbc/src/main/java/sample/web/secure/jdbc/SampleWebSecureJdbcApplication.java
@ -21,13 +21,13 @@ import java.util.Map;

 import javax.sql.DataSource;

-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.provisioning.JdbcUserDetailsManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@ -63,9 +63,6 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer {
 	@Configuration
 	protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

-		@Autowired
-		private DataSource dataSource;
-
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 			http.authorizeRequests().antMatchers("/css/**").permitAll().anyRequest()
@ -73,9 +70,11 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer {
 					.failureUrl("/login?error").permitAll().and().logout().permitAll();
 		}

-		@Override
-		public void configure(AuthenticationManagerBuilder auth) throws Exception {
-			auth.jdbcAuthentication().dataSource(this.dataSource);
+		@Bean
+		public JdbcUserDetailsManager jdbcUserDetailsManager(DataSource dataSource) {
+			JdbcUserDetailsManager jdbcUserDetailsManager = new JdbcUserDetailsManager();
+			jdbcUserDetailsManager.setDataSource(dataSource);
+			return jdbcUserDetailsManager;
 		}

 	}
--- a/spring-boot-samples/spring-boot-sample-web-secure-jdbc/src/main/resources/data.sql
+++ b/spring-boot-samples/spring-boot-sample-web-secure-jdbc/src/main/resources/data.sql
@ -1,3 +1,3 @@
-insert into users (username, password, enabled) values ('user', 'user', true);
+insert into users (username, password, enabled) values ('user', '{noop}user', true);

 insert into authorities (username, authority) values ('user', 'ROLE_ADMIN');
--- a/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/web/secure/SampleWebSecureApplication.java
+++ b/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/web/secure/SampleWebSecureApplication.java
@ -22,10 +22,12 @@ import java.util.Map;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.security.StaticResourceRequest;
 import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@ -74,11 +76,13 @@ public class SampleWebSecureApplication implements WebMvcConfigurer {
 			// @formatter:on
 		}

-		@Override
-		public void configure(AuthenticationManagerBuilder auth) throws Exception {
-			auth.inMemoryAuthentication().withUser("admin").password("admin")
-					.roles("ADMIN", "USER").and().withUser("user").password("user")
-					.roles("USER");
+		@Bean
+		public InMemoryUserDetailsManager InMemoryUserDetailsManager() {
+			return new InMemoryUserDetailsManager(
+					User.withDefaultPasswordEncoder().username("admin").password("admin")
+							.roles("ADMIN", "USER").build(),
+					User.withDefaultPasswordEncoder().username("user").password("user")
+							.roles("USER").build());
 		}

 	}
--- a/spring-boot-tests/spring-boot-integration-tests/spring-boot-security-tests/spring-boot-security-test-web-helloworld/src/main/java/sample/HelloWebSecurityApplication.java
+++ b/spring-boot-tests/spring-boot-integration-tests/spring-boot-security-tests/spring-boot-security-test-web-helloworld/src/main/java/sample/HelloWebSecurityApplication.java
@ -26,9 +26,9 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 public class HelloWebSecurityApplication {

 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}

 	public static void main(String[] args) {