Doc DelegatingPasswordEncoder is default
Fixes gh-gh-2775
This commit is contained in:
Rob Winch
parent
8291f20796
commit
b91aa19b35
|
|
@ -445,7 +445,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
@Bean
|
@Bean
|
||||||
public UserDetailsService userDetailsService() throws Exception {
|
public UserDetailsService userDetailsService() throws Exception {
|
||||||
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
|
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
|
||||||
manager.createUser(User.withUsername("user").password("password").roles("USER").build());
|
manager.createUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build());
|
||||||
return manager;
|
return manager;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -777,9 +777,11 @@ We have already seen an example of configuring in-memory authentication for a si
|
||||||
----
|
----
|
||||||
@Bean
|
@Bean
|
||||||
public UserDetailsService userDetailsService() throws Exception {
|
public UserDetailsService userDetailsService() throws Exception {
|
||||||
|
// ensure the passwords are encoded properly
|
||||||
|
UserBuilder users = User.withDefaultPasswordEncoder();
|
||||||
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
|
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
|
||||||
manager.createUser(User.withUsername("user").password("password").roles("USER").build());
|
manager.createUser(users.username("user").password("password").roles("USER").build());
|
||||||
manager.createUser(User.withUsername("admin").password("password").roles("USER","ADMIN").build());
|
manager.createUser(users.username("admin").password("password").roles("USER","ADMIN").build());
|
||||||
return manager;
|
return manager;
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
@ -796,12 +798,14 @@ private DataSource dataSource;
|
||||||
|
|
||||||
@Autowired
|
@Autowired
|
||||||
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
|
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
|
||||||
|
// ensure the passwords are encoded properly
|
||||||
|
UserBuilder users = User.withDefaultPasswordEncoder();
|
||||||
auth
|
auth
|
||||||
.jdbcAuthentication()
|
.jdbcAuthentication()
|
||||||
.dataSource(dataSource)
|
.dataSource(dataSource)
|
||||||
.withDefaultSchema()
|
.withDefaultSchema()
|
||||||
.withUser("user").password("password").roles("USER").and()
|
.withUser(users.username("user").password("password").roles("USER"))
|
||||||
.withUser("admin").password("password").roles("USER", "ADMIN");
|
.withUser(users.username("admin").password("password").roles("USER","ADMIN"));
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
|
|
@ -924,9 +928,11 @@ We can configure multiple HttpSecurity instances just as we can have multiple `<
|
||||||
public class MultiHttpSecurityConfig {
|
public class MultiHttpSecurityConfig {
|
||||||
@Bean <1>
|
@Bean <1>
|
||||||
public UserDetailsService userDetailsService() throws Exception {
|
public UserDetailsService userDetailsService() throws Exception {
|
||||||
|
// ensure the passwords are encoded properly
|
||||||
|
UserBuilder users = User.withDefaultPasswordEncoder();
|
||||||
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
|
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
|
||||||
manager.createUser(User.withUsername("user").password("password").roles("USER").build());
|
manager.createUser(users.username("user").password("password").roles("USER").build());
|
||||||
manager.createUser(User.withUsername("admin").password("password").roles("USER","ADMIN").build());
|
manager.createUser(users.username("admin").password("password").roles("USER","ADMIN").build());
|
||||||
return manager;
|
return manager;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1298,13 +1304,39 @@ To add some users, you can define a set of test data directly in the namespace:
|
||||||
<authentication-manager>
|
<authentication-manager>
|
||||||
<authentication-provider>
|
<authentication-provider>
|
||||||
<user-service>
|
<user-service>
|
||||||
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
|
<!-- Password is prefixed with {noop} to indicate to DelegatingPasswordEncoder that
|
||||||
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
|
NoOpPasswordEncoder should be used. This is not safe for production, but makes reading
|
||||||
|
in samples easier. Normally passwords should be hashed using BCrypt -->
|
||||||
|
<user name="jimi" password="{noop}jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
|
||||||
|
<user name="bob" password="{noop}bobspassword" authorities="ROLE_USER" />
|
||||||
</user-service>
|
</user-service>
|
||||||
</authentication-provider>
|
</authentication-provider>
|
||||||
</authentication-manager>
|
</authentication-manager>
|
||||||
----
|
----
|
||||||
|
|
||||||
|
This is an example of a secure way of storing the same passwords. The password is prefixed
|
||||||
|
with `{bcrypt}` to instruct `DelegatingPasswordEncoder`, which supports any configured
|
||||||
|
`PasswordEncoder` for matching, that the passwords are hashed using
|
||||||
|
BCrypt:
|
||||||
|
|
||||||
|
[source,xml]
|
||||||
|
----
|
||||||
|
<authentication-manager>
|
||||||
|
<authentication-provider>
|
||||||
|
<user-service>
|
||||||
|
<user name="jimi" password="{bcrypt}$2a$10$ddEWZUl8aU0GdZPPpy7wbu82dvEw/pBpbRvDQRqA41y6mK1CoH00m"
|
||||||
|
authorities="ROLE_USER, ROLE_ADMIN" />
|
||||||
|
<user name="bob" password="{bcrypt}$2a$10$/elFpMBnAYYig6KRR5bvOOYeZr1ie1hSogJryg9qDlhza4oCw1Qka"
|
||||||
|
authorities="ROLE_USER" />
|
||||||
|
<user name="jimi" password="{noop}jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
|
||||||
|
<user name="bob" password="{noop}bobspassword" authorities="ROLE_USER" />
|
||||||
|
</user-service>
|
||||||
|
</authentication-provider>
|
||||||
|
</authentication-manager>
|
||||||
|
----
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
[subs="quotes"]
|
[subs="quotes"]
|
||||||
****
|
****
|
||||||
If you are familiar with pre-namespace versions of the framework, you can probably already guess roughly what's going on here. The `<http>` element is responsible for creating a `FilterChainProxy` and the filter beans which it uses. Common problems like incorrect filter ordering are no longer an issue as the filter positions are predefined.
|
If you are familiar with pre-namespace versions of the framework, you can probably already guess roughly what's going on here. The `<http>` element is responsible for creating a `FilterChainProxy` and the filter beans which it uses. Common problems like incorrect filter ordering are no longer an issue as the filter positions are predefined.
|
||||||
|
|
@ -1448,9 +1480,9 @@ Passwords should always be encoded using a secure hashing algorithm designed for
|
||||||
<authentication-provider>
|
<authentication-provider>
|
||||||
<password-encoder ref="bcryptEncoder"/>
|
<password-encoder ref="bcryptEncoder"/>
|
||||||
<user-service>
|
<user-service>
|
||||||
<user name="jimi" password="d7e6351eaa13189a5a3641bab846c8e8c69ba39f"
|
<user name="jimi" password="$2a$10$ddEWZUl8aU0GdZPPpy7wbu82dvEw/pBpbRvDQRqA41y6mK1CoH00m"
|
||||||
authorities="ROLE_USER, ROLE_ADMIN" />
|
authorities="ROLE_USER, ROLE_ADMIN" />
|
||||||
<user name="bob" password="4e7421b1b8765d8f9406d87e7cc6aa784c4ab97f"
|
<user name="bob" password="$2a$10$/elFpMBnAYYig6KRR5bvOOYeZr1ie1hSogJryg9qDlhza4oCw1Qka"
|
||||||
authorities="ROLE_USER" />
|
authorities="ROLE_USER" />
|
||||||
</user-service>
|
</user-service>
|
||||||
</authentication-provider>
|
</authentication-provider>
|
||||||
|
|
@ -2441,11 +2473,15 @@ Is easy to use create a custom `UserDetailsService` implementation that extracts
|
||||||
[source,xml]
|
[source,xml]
|
||||||
----
|
----
|
||||||
<user-service id="userDetailsService">
|
<user-service id="userDetailsService">
|
||||||
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
|
<!-- Password is prefixed with {noop} to indicate to DelegatingPasswordEncoder that
|
||||||
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
|
NoOpPasswordEncoder should be used. This is not safe for production, but makes reading
|
||||||
|
in samples easier. Normally passwords should be hashed using BCrypt -->
|
||||||
|
<user name="jimi" password="{noop}jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
|
||||||
|
<user name="bob" password="{noop}bobspassword" authorities="ROLE_USER" />
|
||||||
</user-service>
|
</user-service>
|
||||||
----
|
----
|
||||||
|
|
||||||
|
|
||||||
This also supports the use of an external properties file:
|
This also supports the use of an external properties file:
|
||||||
|
|
||||||
[source,xml]
|
[source,xml]
|
||||||
|
|
@ -6224,7 +6260,10 @@ Next you need to add a `CasAuthenticationProvider` and its collaborators:
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<security:user-service id="userService">
|
<security:user-service id="userService">
|
||||||
<security:user name="joe" password="joe" authorities="ROLE_USER" />
|
<!-- Password is prefixed with {noop} to indicate to DelegatingPasswordEncoder that
|
||||||
|
NoOpPasswordEncoder should be used. This is not safe for production, but makes reading
|
||||||
|
in samples easier. Normally passwords should be hashed using BCrypt -->
|
||||||
|
<security:user name="joe" password="{noop}joe" authorities="ROLE_USER" />
|
||||||
...
|
...
|
||||||
</security:user-service>
|
</security:user-service>
|
||||||
----
|
----
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue