DaoAuthenticationProvider uses DelegatingPasswordEncoder

This means that passwords will be encoded with BCrypt by default Fixes: gh-2775
2017-10-23 13:35:42 -05:00 · 2017-10-23 13:35:42 -05:00 · 8291f20796
parent d19b222b55
commit 8291f20796
40 changed files with 197 additions and 150 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/userdetails/AbstractDaoAuthenticationConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/userdetails/AbstractDaoAuthenticationConfigurer.java
@ -18,7 +18,6 @@ package org.springframework.security.config.annotation.authentication.configurer
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityBuilder;
 import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.PasswordEncoder;
--- a/config/src/test/groovy/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.groovy
@ -35,6 +35,7 @@ import org.springframework.security.config.annotation.configuration.ObjectPostPr
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@ -90,10 +91,10 @@ class AuthenticationManagerBuilderTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER").and()
+					.withUser(PasswordEncodedUser.user())
 					.and()
 				.inMemoryAuthentication()
-					.withUser("admin").password("password").roles("USER","ADMIN")
+					.withUser(PasswordEncodedUser.admin())
 		}
 	}
--- a/config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy
@ -25,6 +25,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 /**
 *
@ -50,7 +51,7 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 		// Only necessary to have access to verify the AuthenticationManager
@ -68,7 +69,7 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
 			Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("user","password"))
 		then:
 			auth.credentials == "password"
-			auth.principal.password == "password"
+			auth.principal.password
 	}
 	@EnableWebSecurity
@ -77,7 +78,7 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
 			auth
 				.eraseCredentials(false)
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 		// Only necessary to have access to verify the AuthenticationManager
@ -95,7 +96,7 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
 			Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("user","password"))
 		then:
 			auth.credentials == "password"
-			auth.principal.password == "password"
+			auth.principal.password
 	}
 	@EnableWebSecurity
@ -105,7 +106,7 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
 			auth
 				.eraseCredentials(false)
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 	}
 }
--- a/config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceJdbcUserServiceTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceJdbcUserServiceTests.groovy
@ -15,6 +15,8 @@
 */
 package org.springframework.security.config.annotation.authentication
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 import javax.sql.DataSource
 import org.springframework.beans.factory.annotation.Autowired
@ -89,9 +91,7 @@ class NamespaceJdbcUserServiceTests extends BaseSpringSpec {
 					// imports the default schema (will fail if already exists)
 					.withDefaultSchema()
 					// adds this user automatically (will fail if already exists)
-					.withUser("user")
+					.withUser(PasswordEncodedUser.user())
 						.password("password")
 						.roles("USER")
 		}
 		// Only necessary to have access to verify the AuthenticationManager
--- a/config/src/test/groovy/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.groovy
@ -39,6 +39,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.core.AuthenticationException
 import org.springframework.security.core.authority.AuthorityUtils
 import org.springframework.security.core.context.SecurityContextHolder
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
@ -64,7 +65,7 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 	static class GlobalMethodSecurityAutowiredConfig {
 		@Autowired
 		public void configureGlobal(AuthenticationManagerBuilder auth) {
-			auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
+			auth.inMemoryAuthentication().withUser(PasswordEncodedUser.user())
 		}
 	}
@ -88,7 +89,7 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 	static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 		@Autowired
 		public void configureGlobal(AuthenticationManagerBuilder auth) {
-			auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
+			auth.inMemoryAuthentication().withUser(PasswordEncodedUser.user())
 		}
 	}
@ -111,7 +112,7 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 	static class WebMvcSecurityConfig extends WebSecurityConfigurerAdapter {
 		@Autowired
 		public void configureGlobal(AuthenticationManagerBuilder auth) {
-			auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
+			auth.inMemoryAuthentication().withUser(PasswordEncodedUser.user())
 		}
 	}
@ -148,7 +149,7 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 	@Configuration
 	static class GlobalAuthenticationConfiguererAdapterImpl extends GlobalAuthenticationConfigurerAdapter {
 		public void init(AuthenticationManagerBuilder auth) throws Exception {
-			auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
+			auth.inMemoryAuthentication().withUser(PasswordEncodedUser.user())
 		}
 	}
@ -264,7 +265,7 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 		public void init(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 	}
@ -282,7 +283,7 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 				return;
 			}
-			User user = new User("boot","password", AuthorityUtils.createAuthorityList("ROLE_USER"))
+			User user = User.withUserDetails(PasswordEncodedUser.user()).username("boot").build()
 			List<User> users = Arrays.asList(user);
 			InMemoryUserDetailsManager inMemory = new InMemoryUserDetailsManager(users);
@ -373,11 +374,11 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 		when:
 		am.authenticate(new UsernamePasswordAuthenticationToken("user", "password"))
 		then:
-		1 * uds.loadUserByUsername("user") >> new User("user","password",AuthorityUtils.createAuthorityList("ROLE_USER"))
+		1 * uds.loadUserByUsername("user") >> PasswordEncodedUser.user()
 		when:
 		am.authenticate(new UsernamePasswordAuthenticationToken("user", "invalid"))
 		then:
-		1 * uds.loadUserByUsername("user") >> new User("user","password",AuthorityUtils.createAuthorityList("ROLE_USER"))
+		1 * uds.loadUserByUsername("user") >>  PasswordEncodedUser.user()
 		thrown(AuthenticationException.class)
 	}
@ -514,4 +515,4 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 		@Autowired
 		Service service
 	}
-}
+}
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/SampleWebSecurityConfigurerAdapterTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/SampleWebSecurityConfigurerAdapterTests.groovy
@ -15,6 +15,8 @@
 */
 package org.springframework.security.config.annotation.web
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 import javax.servlet.http.HttpServletResponse
 import org.springframework.beans.factory.annotation.Autowired
@ -93,7 +95,7 @@ public class SampleWebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER");
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
@ -180,8 +182,8 @@ public class SampleWebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER").and()
+					.withUser(PasswordEncodedUser.user())
-					.withUser("admin").password("password").roles("USER", "ADMIN");
+					.withUser(PasswordEncodedUser.admin());
 		}
 	}
@ -276,8 +278,8 @@ public class SampleWebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER").and()
+				.withUser(PasswordEncodedUser.user())
-					.withUser("admin").password("password").roles("USER", "ADMIN");
+				.withUser(PasswordEncodedUser.admin());
 		}
 		@Configuration
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.groovy
@ -13,7 +13,9 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-package org.springframework.security.config.annotation.web;
+package org.springframework.security.config.annotation.web
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import static org.junit.Assert.*
 import static org.springframework.security.config.annotation.web.WebSecurityConfigurerAdapterTestsConfigs.*
@ -94,7 +96,7 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 		@Override
@ -117,7 +119,7 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 		@Override
@ -153,7 +155,7 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser("user").password("{noop}password").roles("USER")
 		}
 		@Override
@ -234,7 +236,7 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 	}
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configuration/BaseWebConfig.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configuration/BaseWebConfig.groovy
@ -17,6 +17,7 @@ package org.springframework.security.config.annotation.web.configuration;
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 /**
 *
@ -34,7 +35,7 @@ public abstract class BaseWebConfig extends WebSecurityConfigurerAdapter {
 	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 		auth
 			.inMemoryAuthentication()
-				.withUser("user").password("password").roles("USER").and()
+				.withUser(PasswordEncodedUser.user())
-				.withUser("admin").password("password").roles("USER", "ADMIN");
+				.withUser(PasswordEncodedUser.admin());
 	}
-}
+}
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.groovy
@ -20,6 +20,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken
 import org.springframework.security.core.annotation.AuthenticationPrincipal
 import org.springframework.security.core.context.SecurityContext
 import org.springframework.security.core.context.SecurityContextImpl
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository
 import org.springframework.test.context.web.WebAppConfiguration
@ -65,7 +66,7 @@ class EnableWebSecurityTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER");
+					.withUser(PasswordEncodedUser.user());
 		}
 		@Bean
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy
@ -15,6 +15,8 @@
 */
 package org.springframework.security.config.annotation.web.configurers
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 import javax.servlet.http.HttpServletResponse
 import spock.lang.Unroll
@ -135,8 +137,8 @@ class CsrfConfigurerTests extends BaseSpringSpec {
 		@Override
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
-					.inMemoryAuthentication()
+				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
@ -257,8 +259,8 @@ class CsrfConfigurerTests extends BaseSpringSpec {
 		@Override
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
-					.inMemoryAuthentication()
+				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
@ -447,8 +449,8 @@ class CsrfConfigurerTests extends BaseSpringSpec {
 		@Override
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
-					.inMemoryAuthentication()
+				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
@ -487,8 +489,8 @@ class CsrfConfigurerTests extends BaseSpringSpec {
 		@Override
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
-					.inMemoryAuthentication()
+				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.groovy
@ -15,6 +15,8 @@
 */
 package org.springframework.security.config.annotation.web.configurers
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 import javax.servlet.http.Cookie
 import org.springframework.beans.factory.BeanCreationException
@ -75,7 +77,7 @@ public class RememberMeConfigurerTests extends BaseSpringSpec {
 		@Override
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
-			User user = new User("user", "password", AuthorityUtils.createAuthorityList("ROLE_USER"))
+			User user = PasswordEncodedUser.user();
 			DaoAuthenticationProvider provider = new DaoAuthenticationProvider()
 			provider.userDetailsService = new InMemoryUserDetailsManager([user])
 			auth
@ -215,7 +217,7 @@ public class RememberMeConfigurerTests extends BaseSpringSpec {
 		public void configureGlobal(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER");
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
@ -235,8 +237,8 @@ public class RememberMeConfigurerTests extends BaseSpringSpec {
 		@Autowired
 		public void configureGlobal(AuthenticationManagerBuilder auth) {
 			auth
-					.inMemoryAuthentication()
+				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER");
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
@ -261,8 +263,8 @@ public class RememberMeConfigurerTests extends BaseSpringSpec {
 		@Autowired
 		public void configureGlobal(AuthenticationManagerBuilder auth) {
 			auth
-					.inMemoryAuthentication()
+				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER");
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.groovy
@ -15,6 +15,8 @@
 */
 package org.springframework.security.config.annotation.web.configurers
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 import javax.servlet.http.HttpServletResponse
 import org.springframework.context.annotation.Configuration
@ -178,7 +180,7 @@ class RequestCacheConfigurerTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
 }
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.groovy
@ -15,6 +15,8 @@
 */
 package org.springframework.security.config.annotation.web.configurers
 import org.springframework.security.core.userdetails.PasswordEncodedUser
 import javax.servlet.http.HttpServletResponse
 import org.springframework.mock.web.MockFilterChain
@ -144,7 +146,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 	}
@ -200,7 +202,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 	}
--- a/config/src/test/java/org/springframework/security/config/ConfigTestUtils.java
+++ b/config/src/test/java/org/springframework/security/config/ConfigTestUtils.java
@ -19,10 +19,10 @@ public abstract class ConfigTestUtils {
 	public static final String AUTH_PROVIDER_XML = "<authentication-manager alias='authManager'>"
 			+ "    <authentication-provider>"
 			+ "        <user-service id='us'>"
-			+ "            <user name='bob' password='bobspassword' authorities='ROLE_A,ROLE_B' />"
+			+ "            <user name='bob' password='{noop}bobspassword' authorities='ROLE_A,ROLE_B' />"
-			+ "            <user name='bill' password='billspassword' authorities='ROLE_A,ROLE_B,AUTH_OTHER' />"
+			+ "            <user name='bill' password='{noop}billspassword' authorities='ROLE_A,ROLE_B,AUTH_OTHER' />"
-			+ "            <user name='admin' password='password' authorities='ROLE_ADMIN,ROLE_USER' />"
+			+ "            <user name='admin' password='{noop}password' authorities='ROLE_ADMIN,ROLE_USER' />"
-			+ "            <user name='user' password='password' authorities='ROLE_USER' />"
+			+ "            <user name='user' password='{noop}password' authorities='ROLE_USER' />"
 			+ "        </user-service>"
 			+ "    </authentication-provider>"
 			+ "</authentication-manager>";
--- a/config/src/test/java/org/springframework/security/config/DataSourcePopulator.java
+++ b/config/src/test/java/org/springframework/security/config/DataSourcePopulator.java
@ -46,13 +46,13 @@ public class DataSourcePopulator implements InitializingBean {
 		 * is disabled) Encoded password for bill is "wombat" Encoded password for bob is
 		 * "wombat" Encoded password for jane is "wombat"
 		 */
-		template.execute("INSERT INTO USERS VALUES('rod','koala',TRUE);");
+		template.execute("INSERT INTO USERS VALUES('rod','{noop}koala',TRUE);");
-		template.execute("INSERT INTO USERS VALUES('dianne','65d15fe9156f9c4bbffd98085992a44e',TRUE);");
+		template.execute("INSERT INTO USERS VALUES('dianne','{MD5}65d15fe9156f9c4bbffd98085992a44e',TRUE);");
-		template.execute("INSERT INTO USERS VALUES('scott','2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
+		template.execute("INSERT INTO USERS VALUES('scott','{MD5}2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
-		template.execute("INSERT INTO USERS VALUES('peter','22b5c9accc6e1ba628cedc63a72d57f8',FALSE);");
+		template.execute("INSERT INTO USERS VALUES('peter','{MD5}22b5c9accc6e1ba628cedc63a72d57f8',FALSE);");
-		template.execute("INSERT INTO USERS VALUES('bill','2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
+		template.execute("INSERT INTO USERS VALUES('bill','{MD5}2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
-		template.execute("INSERT INTO USERS VALUES('bob','2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
+		template.execute("INSERT INTO USERS VALUES('bob','{MD5}2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
-		template.execute("INSERT INTO USERS VALUES('jane','2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
+		template.execute("INSERT INTO USERS VALUES('jane','{MD5}2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
 		template.execute("INSERT INTO AUTHORITIES VALUES('rod','ROLE_USER');");
 		template.execute("INSERT INTO AUTHORITIES VALUES('rod','ROLE_SUPERVISOR');");
 		template.execute("INSERT INTO AUTHORITIES VALUES('dianne','ROLE_USER');");
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java
@ -45,6 +45,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.web.context.HttpRequestResponseHolder;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.csrf.CsrfToken;
@ -126,7 +127,7 @@ public class SessionManagementConfigurerServlet31Tests {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER");
+					.withUser(PasswordEncodedUser.user());
 		}
 		// @formatter:on
 	}
--- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationConfigurationGh3935Tests.java
+++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationConfigurationGh3935Tests.java
@ -32,6 +32,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.FilterChainProxy;
@ -66,9 +67,7 @@ public class AuthenticationConfigurationGh3935Tests {
 	public void delegateUsesExisitingAuthentication() {
 		String username = "user";
 		String password = "password";
-		User user = new User(username, password,
+		when(this.uds.loadUserByUsername(username)).thenReturn(PasswordEncodedUser.user());
 				AuthorityUtils.createAuthorityList("ROLE_USER"));
 		when(this.uds.loadUserByUsername(username)).thenReturn(user);
 		AuthenticationManager authenticationManager = this.adapter.authenticationManager;
 		assertThat(authenticationManager).isNotNull();
@ -77,7 +76,7 @@ public class AuthenticationConfigurationGh3935Tests {
 				new UsernamePasswordAuthenticationToken(username, password));
 		verify(this.uds).loadUserByUsername(username);
-		assertThat(auth.getPrincipal()).isEqualTo(user);
+		assertThat(auth.getPrincipal()).isEqualTo(PasswordEncodedUser.user());
 	}
 	@EnableWebSecurity
--- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java
@ -39,7 +39,7 @@ public class AuthenticationManagerBeanDefinitionParserTests {
 	private static final String CONTEXT = "<authentication-manager id='am'>"
 			+ "    <authentication-provider>"
 			+ "        <user-service>"
-			+ "            <user name='bob' password='bobspassword' authorities='ROLE_A,ROLE_B' />"
+			+ "            <user name='bob' password='{noop}bobspassword' authorities='ROLE_A,ROLE_B' />"
 			+ "        </user-service>" + "    </authentication-provider>"
 			+ "</authentication-manager>";
 	private AbstractXmlApplicationContext appContext;
--- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java
@ -51,7 +51,7 @@ public class AuthenticationProviderBeanDefinitionParserTests {
 	public void worksWithEmbeddedUserService() {
 		setContext(" <authentication-provider>"
 				+ "        <user-service>"
-				+ "            <user name='bob' password='bobspassword' authorities='ROLE_A' />"
+				+ "            <user name='bob' password='{noop}bobspassword' authorities='ROLE_A' />"
 				+ "        </user-service>" + "    </authentication-provider>");
 		getProvider().authenticate(bob);
 	}
@ -63,7 +63,7 @@ public class AuthenticationProviderBeanDefinitionParserTests {
 						+ "        <authentication-provider user-service-ref='myUserService' />"
 						+ "    </authentication-manager>"
 						+ "    <user-service id='myUserService'>"
-						+ "       <user name='bob' password='bobspassword' authorities='ROLE_A' />"
+						+ "       <user name='bob' password='{noop}bobspassword' authorities='ROLE_A' />"
 						+ "    </user-service>");
 		getProvider().authenticate(bob);
 	}
--- a/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigServlet31Tests.java
+++ b/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigServlet31Tests.java
@ -56,7 +56,7 @@ import org.springframework.util.ReflectionUtils;
 public class SessionManagementConfigServlet31Tests {
 	private static final String XML_AUTHENTICATION_MANAGER = "<authentication-manager>"
 			+ "  <authentication-provider>" + "    <user-service>"
-			+ "      <user name='user' password='password' authorities='ROLE_USER' />"
+			+ "      <user name='user' password='{noop}password' authorities='ROLE_USER' />"
 			+ "    </user-service>" + "  </authentication-provider>"
 			+ "</authentication-manager>";
--- a/config/src/test/resources/CustomJdbcUserServiceSampleConfig.sql
+++ b/config/src/test/resources/CustomJdbcUserServiceSampleConfig.sql
@ -5,7 +5,7 @@ create table groups (id bigint generated by default as identity(start with 0) pr
 create table group_authorities (group_id bigint not null,authority varchar(50) not null,constraint fk_group_authorities_group foreign key(group_id) references groups(id));
 create table group_members (id bigint generated by default as identity(start with 0) primary key,username varchar(50) not null,group_id bigint not null,constraint fk_group_members_group foreign key(group_id) references groups(id));
-insert into users values('user','password');
+insert into users values('user','{noop}password');
 insert into roles values('user','USER');
 insert into groups values(1,'OPERATIONS');
--- a/config/src/test/resources/org/springframework/security/config/users.properties
+++ b/config/src/test/resources/org/springframework/security/config/users.properties
@ -1,2 +1,2 @@
-joe=joespassword,ROLE_A
+joe={noop}joespassword,ROLE_A
-bob=bobspassword,ROLE_A,ROLE_B
+bob={noop}bobspassword,ROLE_A,ROLE_B
--- a/config/src/test/resources/users.properties
+++ b/config/src/test/resources/users.properties
@ -16,4 +16,4 @@
 #  */
 #
-user=password,ROLE_USER
+user={noop}password,ROLE_USER
--- a/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
@ -24,7 +24,7 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.util.Assert;
@ -63,7 +63,7 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
 	private UserDetailsService userDetailsService;
 	public DaoAuthenticationProvider() {
-		setPasswordEncoder(NoOpPasswordEncoder.getInstance());
+		setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
 	}
 	// ~ Methods
--- a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
@ -50,6 +50,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache;
 import org.springframework.security.core.userdetails.cache.NullUserCache;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 /**
@ -70,7 +71,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"rod", "KOala");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
@ -86,7 +87,7 @@ public class DaoAuthenticationProviderTests {
 	@Test
 	public void testReceivedBadCredentialsWhenCredentialsNotProvided() {
 		// Test related to SEC-434
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
@ -106,7 +107,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"peter", "opal");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(
 				new MockAuthenticationDaoUserPeterAccountExpired());
 		provider.setUserCache(new MockUserCache());
@ -125,7 +126,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"peter", "opal");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserPeterAccountLocked());
 		provider.setUserCache(new MockUserCache());
@ -143,7 +144,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"peter", "opal");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(
 				new MockAuthenticationDaoUserPeterCredentialsExpired());
 		provider.setUserCache(new MockUserCache());
@ -174,7 +175,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"peter", "opal");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserPeter());
 		provider.setUserCache(new MockUserCache());
@ -192,7 +193,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"rod", "koala");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoSimulateBackendError());
 		provider.setUserCache(new MockUserCache());
@ -209,7 +210,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				null, "koala");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
@ -227,7 +228,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"rod", "INVALID_PASSWORD");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
@ -245,7 +246,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"INVALID_USER", "koala");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setHideUserNotFoundExceptions(false); // we want
 														// UsernameNotFoundExceptions
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
@ -265,7 +266,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"INVALID_USER", "koala");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		assertThat(provider.isHideUserNotFoundExceptions()).isTrue();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
@ -284,7 +285,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"RoD", "koala");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
@ -303,7 +304,7 @@ public class DaoAuthenticationProviderTests {
 				"rod", "koala");
 		token.setDetails("192.168.0.1");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
@ -327,7 +328,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"rod", "koala");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
@ -352,7 +353,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"rod", "koala");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
 		provider.setForcePrincipalAsString(true);
@ -373,7 +374,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"rod", "koala");
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoReturnsNull());
 		try {
@ -410,7 +411,7 @@ public class DaoAuthenticationProviderTests {
 		MockAuthenticationDaoUserrod authenticationDao = new MockAuthenticationDaoUserrod();
 		MockUserCache cache = new MockUserCache();
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(authenticationDao);
 		provider.setUserCache(cache);
@ -448,7 +449,7 @@ public class DaoAuthenticationProviderTests {
 	@Test
 	public void testStartupFailsIfNoUserCacheSet() throws Exception {
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		assertThat(provider.getUserCache().getClass()).isEqualTo(NullUserCache.class);
 		provider.setUserCache(null);
@ -464,7 +465,7 @@ public class DaoAuthenticationProviderTests {
 	@Test
 	public void testStartupSuccess() throws Exception {
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		UserDetailsService userDetailsService = new MockAuthenticationDaoUserrod();
 		provider.setUserDetailsService(userDetailsService);
 		provider.setUserCache(new MockUserCache());
@ -475,7 +476,7 @@ public class DaoAuthenticationProviderTests {
 	@Test
 	public void testSupports() {
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		assertThat(provider.supports(UsernamePasswordAuthenticationToken.class)).isTrue();
 		assertThat(!provider.supports(TestingAuthenticationToken.class)).isTrue();
 	}
@ -527,7 +528,7 @@ public class DaoAuthenticationProviderTests {
 	public void testUserNotFoundDefaultEncoder() {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"missing", null);
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setHideUserNotFoundExceptions(false);
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		try {
@ -713,4 +714,10 @@ public class DaoAuthenticationProviderTests {
 			}
 		}
 	}
 	private DaoAuthenticationProvider createProvider() {
 		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
 		provider.setPasswordEncoder(NoOpPasswordEncoder.getInstance());
 		return provider;
 	}
 }
--- a/itest/context/src/integration-test/resources/python-method-access-app-context.xml
+++ b/itest/context/src/integration-test/resources/python-method-access-app-context.xml
@ -26,7 +26,7 @@
 	<authentication-manager>
 		<authentication-provider>
 			<user-service>
-				<user name="bob" password="bobspassword" authorities="ROLE_A,ROLE_B"/>
+				<user name="bob" password="{noop}bobspassword" authorities="ROLE_A,ROLE_B"/>
 			</user-service>
 		</authentication-provider>
 	</authentication-manager>
--- a/itest/context/src/integration-test/resources/sec-936-app-context.xml
+++ b/itest/context/src/integration-test/resources/sec-936-app-context.xml
@ -10,7 +10,7 @@
 	<security:authentication-manager alias="authenticationManager">
 		<security:authentication-provider>
 			<security:user-service>
-				<security:user name="bob" password="bobspassword" authorities="ROLE_A,ROLE_B"/>
+				<security:user name="bob" password="{noop}bobspassword" authorities="ROLE_A,ROLE_B"/>
 			</security:user-service>
 		</security:authentication-provider>
 	</security:authentication-manager>
--- a/itest/web/src/integration-test/resources/spring/in-memory-provider.xml
+++ b/itest/web/src/integration-test/resources/spring/in-memory-provider.xml
@ -9,11 +9,11 @@
 	<authentication-manager alias="authenticationManager">
 		<authentication-provider>
 			<user-service>
-			  <user name="miles" password="milespassword" authorities="ROLE_USER,ROLE_JAZZ,ROLE_TRUMPETER"/>
+			  <user name="miles" password="{noop}milespassword" authorities="ROLE_USER,ROLE_JAZZ,ROLE_TRUMPETER"/>
-			  <user name="johnc" password="johncspassword" authorities="ROLE_USER,ROLE_JAZZ,ROLE_SAXOPHONIST"/>
+			  <user name="johnc" password="{noop}johncspassword" authorities="ROLE_USER,ROLE_JAZZ,ROLE_SAXOPHONIST"/>
-			  <user name="jimi" password="jimispassword" authorities="ROLE_USER,ROLE_ROCK,ROLE_GUITARIST"/>
+			  <user name="jimi" password="{noop}jimispassword" authorities="ROLE_USER,ROLE_ROCK,ROLE_GUITARIST"/>
-			  <user name="bessie" password="bessiespassword" authorities="ROLE_USER,ROLE_JAZZ,ROLE_SINGER"/>
+			  <user name="bessie" password="{noop}bessiespassword" authorities="ROLE_USER,ROLE_JAZZ,ROLE_SINGER"/>
-			  <user name="theescapist&lt;&gt;&amp;." password="theescapistspassword" authorities="ROLE_USER"/>
+			  <user name="theescapist&lt;&gt;&amp;." password="{noop}theescapistspassword" authorities="ROLE_USER"/>
 			</user-service>
 		</authentication-provider>
 	</authentication-manager>
--- a/samples/boot/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/boot/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -20,6 +20,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 /**
 * @author Joe Grandja
@ -44,7 +45,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 	public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
 		auth
 			.inMemoryAuthentication()
-				.withUser("user").password("password").roles("USER");
+				.withUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER"));
 	}
 	// @formatter:on
 }
--- a/samples/javaconfig/form/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/javaconfig/form/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -20,6 +20,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
@EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
@ -47,7 +48,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 			AuthenticationManagerBuilder auth) throws Exception {
 		auth
 			.inMemoryAuthentication()
-				.withUser("user").password("password").roles("USER");
+				.withUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER"));
 	}
 	// @formatter:on
 }
--- a/samples/javaconfig/hellomvc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/javaconfig/hellomvc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -18,6 +18,7 @@ package org.springframework.security.samples.config;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
@EnableWebSecurity
 public class SecurityConfig {
@ -28,7 +29,7 @@ public class SecurityConfig {
 			AuthenticationManagerBuilder auth) throws Exception {
 		auth
 			.inMemoryAuthentication()
-				.withUser("user").password("password").roles("USER");
+				.withUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER"));
 	}
 	// @formatter:on
 }
--- a/samples/javaconfig/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/javaconfig/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -18,6 +18,7 @@ package org.springframework.security.samples.config;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@ -27,9 +28,8 @@ public class SecurityConfig {
 	// @formatter:off
 	@Bean
 	public UserDetailsService userDetailsService() throws Exception {
-		InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
+		UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build();
-		manager.createUser(User.withUsername("user").password("password").roles("USER").build());
+		return new InMemoryUserDetailsManager(user);
 		return manager;
 	}
 	// @formatter:on
 }
--- a/samples/javaconfig/inmemory/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/javaconfig/inmemory/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -15,21 +15,23 @@
 */
 package org.springframework.security.samples.config;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@EnableWebSecurity
 public class SecurityConfig {
 	// @formatter:off
-	@Autowired
+	@Bean
-	public void configureGlobal(
+	public UserDetailsService userDetailsService() throws Exception {
-			AuthenticationManagerBuilder auth) throws Exception {
+		User.UserBuilder builder = User.withDefaultPasswordEncoder();
-		auth
+		UserDetails user = builder.username("user").password("password").roles("USER").build();
-			.inMemoryAuthentication()
+		UserDetails admin = builder.username("admin").password("password").roles("USER", "ADMIN").build();
-				.withUser("user").password("password").roles("USER").and()
+		return new InMemoryUserDetailsManager(user, admin);
 				.withUser("admin").password("password").roles("USER","ADMIN");
 	}
 		// @formatter:on
 }
--- a/samples/javaconfig/jdbc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+++ b/samples/javaconfig/jdbc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
@ -20,6 +20,7 @@ import javax.sql.DataSource;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
@EnableWebSecurity
 public class SecurityConfig {
@ -33,7 +34,7 @@ public class SecurityConfig {
 			.jdbcAuthentication()
 				.dataSource(dataSource)
 				.withDefaultSchema()
-				.withUser("user").password("password").roles("USER");
+				.withUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER"));
 	}
 	// @formatter:on
-}
+}
--- a/samples/xml/helloworld/src/main/webapp/WEB-INF/spring/security.xml
+++ b/samples/xml/helloworld/src/main/webapp/WEB-INF/spring/security.xml
@ -6,6 +6,6 @@
 	<http />
 	<user-service>
-		<user name="user" password="password" authorities="ROLE_USER" />
+		<user name="user" password="{noop}password" authorities="ROLE_USER" />
 	</user-service>
-</b:beans>
+</b:beans>
--- a/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchersTests.java
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchersTests.java
@ -20,9 +20,14 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.context.web.WebAppConfiguration;
@ -81,11 +86,10 @@ public class SecurityMockMvcResultMatchersTests {
 	static class Config extends WebSecurityConfigurerAdapter {
 		// @formatter:off
-		@Autowired
+		@Bean
-		public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+		public UserDetailsService userDetailsService() {
-			auth
+			UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER", "SELLER").build();
-				.inMemoryAuthentication()
+			return new InMemoryUserDetailsManager(user);
 					.withUser("user").roles("USER","SELLER").password("password");
 		}
 		// @formatter:on
--- a/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockWithAuthoritiesMvcResultMatchersTests.java
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockWithAuthoritiesMvcResultMatchersTests.java
@ -27,10 +27,15 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.context.web.WebAppConfiguration;
@ -77,11 +82,10 @@ public class SecurityMockWithAuthoritiesMvcResultMatchersTests {
 	static class Config extends WebSecurityConfigurerAdapter {
 		// @formatter:off
-		@Autowired
+		@Bean
-		public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+		public UserDetailsService userDetailsService() {
-			auth
+			UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("ADMIN", "SELLER").build();
-				.inMemoryAuthentication()
+			return new InMemoryUserDetailsManager(user);
 					.withUser("user").authorities("ROLE_ADMIN", "ROLE_SELLER").password("password");
 		}
 		// @formatter:on
--- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/AuthenticationTests.java
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/AuthenticationTests.java
@ -26,9 +26,14 @@ import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.context.web.WebAppConfiguration;
@ -83,11 +88,10 @@ public class AuthenticationTests {
 	@EnableWebMvc
 	static class Config extends WebSecurityConfigurerAdapter {
 		// @formatter:off
-		@Autowired
+		@Bean
-		public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+		public UserDetailsService userDetailsService() {
-			auth
+			UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build();
-				.inMemoryAuthentication()
+			return new InMemoryUserDetailsManager(user);
 					.withUser("user").password("password").roles("USER");
 		}
 		// @formatter:on
 	}
--- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomConfigAuthenticationTests.java
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomConfigAuthenticationTests.java
@ -31,6 +31,10 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.test.context.ContextConfiguration;
@ -106,11 +110,10 @@ public class CustomConfigAuthenticationTests {
 		// @formatter:on
 		// @formatter:off
-		@Autowired
+		@Bean
-		public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+		public UserDetailsService userDetailsService() {
-			auth
+			UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build();
-				.inMemoryAuthentication()
+			return new InMemoryUserDetailsManager(user);
 					.withUser("user").password("password").roles("USER");
 		}
 		// @formatter:on
--- a/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomLoginRequestBuilderAuthenticationTests.java
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomLoginRequestBuilderAuthenticationTests.java
@ -23,10 +23,14 @@ import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.FormLoginRequestBuilder;
 import org.springframework.test.context.ContextConfiguration;
@ -92,11 +96,10 @@ public class CustomLoginRequestBuilderAuthenticationTests {
 		// @formatter:on
 		// @formatter:off
-		@Autowired
+		@Bean
-		public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+		public UserDetailsService userDetailsService() {
-			auth
+			UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build();
-				.inMemoryAuthentication()
+			return new InMemoryUserDetailsManager(user);
 					.withUser("user").password("password").roles("USER");
 		}
 		// @formatter:on
 	}
`@ -1,2 +1,2 @@`
	`joe=joespassword,ROLE_A`	`joe={noop}joespassword,ROLE_A`
	`bob=bobspassword,ROLE_A,ROLE_B`	`bob={noop}bobspassword,ROLE_A,ROLE_B`