Adapt to password encoder changes in Spring Security

Closes gh-10762
pull/10764/head
Andy Wilkinson 7 years ago
parent 35c6b83fce
commit 66b55defa0

@ -21,6 +21,7 @@ import java.util.UUID;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
@ -31,6 +32,8 @@ import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.provisioning.InMemoryUserDetailsManager;
/** /**
@ -54,11 +57,15 @@ public class AuthenticationManagerConfiguration {
.getLog(AuthenticationManagerConfiguration.class); .getLog(AuthenticationManagerConfiguration.class);
@Bean @Bean
public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception { public InMemoryUserDetailsManager inMemoryUserDetailsManager(
ObjectProvider<PasswordEncoder> passwordEncoder) throws Exception {
String password = UUID.randomUUID().toString(); String password = UUID.randomUUID().toString();
logger.info(String.format("%n%nUsing default security password: %s%n", password)); logger.info(String.format("%n%nUsing default security password: %s%n", password));
String encodedPassword = passwordEncoder
.getIfAvailable(PasswordEncoderFactories::createDelegatingPasswordEncoder)
.encode(password);
return new InMemoryUserDetailsManager( return new InMemoryUserDetailsManager(
User.withUsername("user").password(password).roles().build()); User.withUsername("user").password(encodedPassword).roles().build());
} }
} }
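Review bot: The encoder that hashes the generated password is looked up on its own in `passwordEncoder.getIfAvailable(PasswordEncoderFactories::createDelegatingPasswordEncoder)`, and nothing in this hunk shows that the authentication provider verifies with the same encoder. If an application registers a non-delegating `PasswordEncoder` bean, the stored value carries no `{id}` prefix, so login only works when that same bean is also used for matching. I would add a comment above the lookup, e.g. `// Must be the encoder the authentication provider matches with; falls back to the delegating encoder when no bean is defined`. `getIfAvailable` also appears to fail at startup when several `PasswordEncoder` beans exist and none is primary; if that is intended it deserves a line in the Javadoc. The same applies to `reactiveUserDetailsService` in ReactiveAuthenticationManagerConfiguration further down.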

@ -21,6 +21,7 @@ import java.util.UUID;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass; import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication; import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
@ -31,6 +32,8 @@ import org.springframework.security.core.userdetails.MapReactiveUserDetailsServi
import org.springframework.security.core.userdetails.ReactiveUserDetailsService; import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
/** /**
* Default user {@link Configuration} for a reactive web application. Configures a * Default user {@link Configuration} for a reactive web application. Configures a
@ -52,10 +55,15 @@ public class ReactiveAuthenticationManagerConfiguration {
.getLog(ReactiveAuthenticationManagerConfiguration.class); .getLog(ReactiveAuthenticationManagerConfiguration.class);
@Bean @Bean
public MapReactiveUserDetailsService reactiveUserDetailsService() { public MapReactiveUserDetailsService reactiveUserDetailsService(
ObjectProvider<PasswordEncoder> passwordEncoder) {
String password = UUID.randomUUID().toString(); String password = UUID.randomUUID().toString();
logger.info(String.format("%n%nUsing default security password: %s%n", password)); logger.info(String.format("%n%nUsing default security password: %s%n", password));
UserDetails user = User.withUsername("user").password(password).roles().build(); String encodedPassword = passwordEncoder
.getIfAvailable(PasswordEncoderFactories::createDelegatingPasswordEncoder)
.encode(password);
UserDetails user = User.withUsername("user").password(encodedPassword).roles()
.build();
return new MapReactiveUserDetailsService(user); return new MapReactiveUserDetailsService(user);
} }

@ -34,9 +34,9 @@ import org.springframework.web.bind.annotation.RestController;
public class SecurityTestApplication { public class SecurityTestApplication {
@Bean @Bean
public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception { public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
return new InMemoryUserDetailsManager( return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
User.withUsername("user").password("secret").roles("USER").build()); .username("user").password("secret").roles("USER").build());
} }
@RestController @RestController

@ -1,20 +1,40 @@
/*
* Copyright 2012-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample.actuator.customsecurity; package sample.actuator.customsecurity;
import org.springframework.boot.actuate.autoconfigure.security.EndpointRequest; import org.springframework.boot.actuate.autoconfigure.security.EndpointRequest;
import org.springframework.boot.autoconfigure.security.StaticResourceRequest; import org.springframework.boot.autoconfigure.security.StaticResourceRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@Configuration @Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter { public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override @Bean
protected void configure(AuthenticationManagerBuilder auth) throws Exception { public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
auth.inMemoryAuthentication().withUser("user").password("password") return new InMemoryUserDetailsManager(
.authorities("ROLE_USER").and().withUser("admin").password("admin") User.withDefaultPasswordEncoder().username("user").password("password")
.authorities("ROLE_ACTUATOR", "ROLE_USER"); .authorities("ROLE_USER").build(),
User.withDefaultPasswordEncoder().username("admin").password("admin")
.authorities("ROLE_ACTUATOR", "ROLE_USER").build());
} }
@Override @Override
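Review bot: `User.withDefaultPasswordEncoder()` in `inMemoryUserDetailsManager()` is a convenience intended for demos, and the sample gives no hint of that. The passwords stay as literals in source (`admin`/`admin` for the account holding `ROLE_ACTUATOR`) and are only hashed at startup. Since sample code tends to be copied, I would put a short comment on the bean method, e.g. `// Demo only: hard-coded credentials; use externally managed, pre-encoded passwords in a real application`. The other sample applications changed on this page use the same builder with literal passwords and would take the same comment. The class body continues outside the hunk.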

@ -26,9 +26,9 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
public class SampleActuatorLog4J2Application { public class SampleActuatorLog4J2Application {
@Bean @Bean
public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception { public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
return new InMemoryUserDetailsManager( return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
User.withUsername("user").password("password").roles("USER").build()); .username("user").password("password").roles("USER").build());
} }
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {

@ -33,9 +33,9 @@ import org.springframework.web.bind.annotation.RequestMapping;
public class SampleActuatorUiApplication { public class SampleActuatorUiApplication {
@Bean @Bean
public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception { public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
return new InMemoryUserDetailsManager( return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
User.withUsername("user").password("password").roles("USER").build()); .username("user").password("password").roles("USER").build());
} }
@GetMapping("/") @GetMapping("/")

@ -34,9 +34,9 @@ public class SampleActuatorApplication {
} }
@Bean @Bean
public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception { public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
return new InMemoryUserDetailsManager( return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
User.withUsername("user").password("password").roles("USER").build()); .username("user").password("password").roles("USER").build());
} }
@Bean @Bean

@ -42,8 +42,8 @@ public class SampleSecureWebFluxApplication {
@Bean @Bean
public ReactiveUserDetailsService userDetailsRepository() { public ReactiveUserDetailsService userDetailsRepository() {
return new MapReactiveUserDetailsService( return new MapReactiveUserDetailsService(User.withDefaultPasswordEncoder()
User.withUsername("foo").password("password").roles("USER").build()); .username("foo").password("password").roles("USER").build());
} }
} }

@ -38,9 +38,9 @@ public class SampleSecureApplication implements CommandLineRunner {
private SampleService service; private SampleService service;
@Bean @Bean
public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception { public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
return new InMemoryUserDetailsManager( return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
User.withUsername("user").password("password").roles("USER").build()); .username("user").password("password").roles("USER").build());
} }
@Override @Override

@ -38,9 +38,9 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
public class SampleServletApplication extends SpringBootServletInitializer { public class SampleServletApplication extends SpringBootServletInitializer {
@Bean @Bean
public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception { public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
return new InMemoryUserDetailsManager( return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
User.withUsername("user").password("password").roles("USER").build()); .username("user").password("password").roles("USER").build());
} }
@SuppressWarnings("serial") @SuppressWarnings("serial")

@ -30,9 +30,9 @@ public class SampleSessionApplication {
} }
@Bean @Bean
public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception { public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
return new InMemoryUserDetailsManager( return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
User.withUsername("user").password("password").roles("USER").build()); .username("user").password("password").roles("USER").build());
} }
} }

@ -18,7 +18,6 @@ package sample.security.method;
import java.util.Date; import java.util.Date;
import java.util.Map; import java.util.Map;
import java.util.UUID;
import org.springframework.boot.actuate.autoconfigure.security.EndpointRequest; import org.springframework.boot.actuate.autoconfigure.security.EndpointRequest;
import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.SpringBootApplication;
@ -73,10 +72,11 @@ public class SampleMethodSecurityApplication implements WebMvcConfigurer {
@Bean @Bean
public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception { public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
String password = UUID.randomUUID().toString();
return new InMemoryUserDetailsManager( return new InMemoryUserDetailsManager(
User.withUsername("admin").password("admin").roles("ADMIN", "USER", "ACTUATOR").build(), User.withDefaultPasswordEncoder().username("admin").password("admin")
User.withUsername("user").password("user").roles("USER").build()); .roles("ADMIN", "USER", "ACTUATOR").build(),
User.withDefaultPasswordEncoder().username("user").password("user")
.roles("USER").build());
} }
} }
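Review bot: The new `inMemoryUserDetailsManager()` signature still declares `throws Exception`, although nothing in the rewritten body visibly throws a checked exception and the other samples in this commit drop the clause. For consistency the line could read `public InMemoryUserDetailsManager inMemoryUserDetailsManager() {`.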

@ -21,10 +21,12 @@ import java.util.Map;
import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder; import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
@ -67,9 +69,10 @@ public class SampleWebSecureCustomApplication implements WebMvcConfigurer {
.failureUrl("/login?error").permitAll().and().logout().permitAll(); .failureUrl("/login?error").permitAll().and().logout().permitAll();
} }
@Override @Bean
public void configure(AuthenticationManagerBuilder auth) throws Exception { public InMemoryUserDetailsManager InMemoryUserDetailsManager() {
auth.inMemoryAuthentication().withUser("user").password("user").roles("USER"); return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
.username("user").password("user").roles("USER").build());
} }
} }
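Review bot: The new bean method is named `InMemoryUserDetailsManager()` with a capital `I`, so it shares its name with the return type and, by default, registers the bean under that capitalised name. Every other sample on this page uses `inMemoryUserDetailsManager()`. Rename it to `public InMemoryUserDetailsManager inMemoryUserDetailsManager() {`. SampleWebSecureApplication further down has the same spelling.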

@ -21,13 +21,13 @@ import java.util.Map;
import javax.sql.DataSource; import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder; import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
@ -63,9 +63,6 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer {
@Configuration @Configuration
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter { protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private DataSource dataSource;
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/css/**").permitAll().anyRequest() http.authorizeRequests().antMatchers("/css/**").permitAll().anyRequest()
@ -73,9 +70,11 @@ public class SampleWebSecureJdbcApplication implements WebMvcConfigurer {
.failureUrl("/login?error").permitAll().and().logout().permitAll(); .failureUrl("/login?error").permitAll().and().logout().permitAll();
} }
@Override @Bean
public void configure(AuthenticationManagerBuilder auth) throws Exception { public JdbcUserDetailsManager jdbcUserDetailsManager(DataSource dataSource) {
auth.jdbcAuthentication().dataSource(this.dataSource); JdbcUserDetailsManager jdbcUserDetailsManager = new JdbcUserDetailsManager();
jdbcUserDetailsManager.setDataSource(dataSource);
return jdbcUserDetailsManager;
} }
} }

@ -1,3 +1,3 @@
insert into users (username, password, enabled) values ('user', 'user', true); insert into users (username, password, enabled) values ('user', '{noop}user', true);
insert into authorities (username, authority) values ('user', 'ROLE_ADMIN'); insert into authorities (username, authority) values ('user', 'ROLE_ADMIN');
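Review bot: The `{noop}` prefix on the inserted password marks the stored value as plaintext, so this sample keeps a readable password in the `users` table for an account that the next line grants `ROLE_ADMIN`. If the sample is meant to show JDBC-backed authentication as it would be deployed, seed the row with a pre-computed hash instead, e.g. `'{bcrypt}<BCRYPT_HASH_PLACEHOLDER>'`. Otherwise a `-- demo only: plaintext password` comment above the insert would make the intent clear.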

@ -22,10 +22,12 @@ import java.util.Map;
import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.StaticResourceRequest; import org.springframework.boot.autoconfigure.security.StaticResourceRequest;
import org.springframework.boot.builder.SpringApplicationBuilder; import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
@ -74,11 +76,13 @@ public class SampleWebSecureApplication implements WebMvcConfigurer {
// @formatter:on // @formatter:on
} }
@Override @Bean
public void configure(AuthenticationManagerBuilder auth) throws Exception { public InMemoryUserDetailsManager InMemoryUserDetailsManager() {
auth.inMemoryAuthentication().withUser("admin").password("admin") return new InMemoryUserDetailsManager(
.roles("ADMIN", "USER").and().withUser("user").password("user") User.withDefaultPasswordEncoder().username("admin").password("admin")
.roles("USER"); .roles("ADMIN", "USER").build(),
User.withDefaultPasswordEncoder().username("user").password("user")
.roles("USER").build());
} }
} }

@ -26,9 +26,9 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
public class HelloWebSecurityApplication { public class HelloWebSecurityApplication {
@Bean @Bean
public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception { public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
return new InMemoryUserDetailsManager( return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
User.withUsername("user").password("password").roles("USER").build()); .username("user").password("password").roles("USER").build());
} }
public static void main(String[] args) { public static void main(String[] args) {
