mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-01 09:42:13 +00:00
Document PasswordManagementConfigurer
Issue gh-8657
parent
d121ab9565
commit
bd88f37a50
@ -489,3 +489,71 @@ fun passwordEncoder(): PasswordEncoder {
|
|||||||
====
|
====
|
||||||
XML Configuration requires the `NoOpPasswordEncoder` bean name to be `passwordEncoder`.
|
XML Configuration requires the `NoOpPasswordEncoder` bean name to be `passwordEncoder`.
|
||||||
====
|
====
|
||||||
|
|
||||||
|
[[authentication-change-password-configuration]]
|
||||||
|
== Change Password Configuration
|
||||||
|
|
||||||
|
Most applications that allow a user to specify a password also require a feature for updating that password.
|
||||||
|
|
||||||
|
https://w3c.github.io/webappsec-change-password-url/[A Well-Know URL for Changing Passwords] indicates a mechanism by which password managers can discover the password update endpoint for a given application.
|
||||||
|
|
||||||
|
You can configure Spring Security to provide this discovery endpoint.
|
||||||
|
For example, if the change password endpoint in your application is `/change-password`, then you can configure Spring Security like so:
|
||||||
|
|
||||||
|
.Default Change Password Endpoint
|
||||||
|
====
|
||||||
|
.Java
|
||||||
|
[source,java,role="primary"]
|
||||||
|
----
|
||||||
|
http
|
||||||
|
.passwordManagement(Customizer.withDefaults())
|
||||||
|
----
|
||||||
|
|
||||||
|
.XML
|
||||||
|
[source,xml,role="secondary"]
|
||||||
|
----
|
||||||
|
<sec:password-management/>
|
||||||
|
----
|
||||||
|
|
||||||
|
.Kotlin
|
||||||
|
[source,kotlin,role="secondary"]
|
||||||
|
----
|
||||||
|
http {
|
||||||
|
passwordManagement { }
|
||||||
|
}
|
||||||
|
----
|
||||||
|
====
|
||||||
|
|
||||||
|
Then, when a password manager navigates to `/.well-known/change-password` then Spring Security will redirect your endpoint, `/change-password`.
|
||||||
|
|
||||||
|
Or, if your endpoint is something other than `/change-password`, you can also specify that like so:
|
||||||
|
|
||||||
|
.Change Password Endpoint
|
||||||
|
====
|
||||||
|
.Java
|
||||||
|
[source,java,role="primary"]
|
||||||
|
----
|
||||||
|
http
|
||||||
|
.passwordManagement((management) -> management
|
||||||
|
.changePasswordPage("/update-password")
|
||||||
|
)
|
||||||
|
----
|
||||||
|
|
||||||
|
.XML
|
||||||
|
[source,xml,role="secondary"]
|
||||||
|
----
|
||||||
|
<sec:password-management change-password-page="/update-password"/>
|
||||||
|
----
|
||||||
|
|
||||||
|
.Kotlin
|
||||||
|
[source,kotlin,role="secondary"]
|
||||||
|
----
|
||||||
|
http {
|
||||||
|
passwordManagement {
|
||||||
|
changePasswordPage = "/update-password"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
----
|
||||||
|
====
|
||||||
|
|
||||||
|
With the above configuration, when a password manager navigates to `/.well-known/change-password`, then Spring Security will redirect to `/update-password`.
|
||||||
|
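Review bot: The link text in the paragraph that introduces the spec reads "A Well-Know URL for Changing Passwords"; it should be "Well-Known". In the sentence after the first example block, "Spring Security will redirect your endpoint, `/change-password`" is missing "to" and repeats "then" ("Then, when ... then Spring Security"); suggest "Then, when a password manager navigates to `/.well-known/change-password`, Spring Security will redirect to your endpoint, `/change-password`." so it matches the phrasing of the closing sentence about `/update-password`. Both Java snippets also end without a semicolon (`.passwordManagement(Customizer.withDefaults())` and the closing `)` of the lambda form), so they will not compile if copied as written.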