Document PasswordManagementConfigurer

Issue gh-8657
This commit is contained in:
Josh Cummings 2021-07-01 16:57:31 -06:00
parent d121ab9565
commit bd88f37a50
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
1 changed files with 68 additions and 0 deletions


@ -489,3 +489,71 @@ fun passwordEncoder(): PasswordEncoder {
====
XML Configuration requires the `NoOpPasswordEncoder` bean name to be `passwordEncoder`.
====
[[authentication-change-password-configuration]]
== Change Password Configuration
Most applications that allow a user to specify a password also require a feature for updating that password.
https://w3c.github.io/webappsec-change-password-url/[A Well-Know URL for Changing Passwords] indicates a mechanism by which password managers can discover the password update endpoint for a given application.
You can configure Spring Security to provide this discovery endpoint.
For example, if the change password endpoint in your application is `/change-password`, then you can configure Spring Security like so:
.Default Change Password Endpoint
====
.Java
[source,java,role="primary"]
----
http
.passwordManagement(Customizer.withDefaults())
----
.XML
[source,xml,role="secondary"]
----
<sec:password-management/>
----
.Kotlin
[source,kotlin,role="secondary"]
----
http {
passwordManagement { }
}
----
====
Then, when a password manager navigates to `/.well-known/change-password` then Spring Security will redirect your endpoint, `/change-password`.
Or, if your endpoint is something other than `/change-password`, you can also specify that like so:
.Change Password Endpoint
====
.Java
[source,java,role="primary"]
----
http
.passwordManagement((management) -> management
.changePasswordPage("/update-password")
)
----
.XML
[source,xml,role="secondary"]
----
<sec:password-management change-password-page="/update-password"/>
----
.Kotlin
[source,kotlin,role="secondary"]
----
http {
passwordManagement {
changePasswordPage = "/update-password"
}
}
----
====
With the above configuration, when a password manager navigates to `/.well-known/change-password`, then Spring Security will redirect to `/update-password`.
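Review bot: two wording errors in the new prose need fixing before merge: the link text "A Well-Know URL for Changing Passwords" should read "A Well-Known URL for Changing Passwords" to match the title of the linked W3C draft, and the sentence after the first example, "Then, when a password manager navigates to `/.well-known/change-password` then Spring Security will redirect your endpoint, `/change-password`.", drops the preposition and doubles "then"; suggest "Then, when a password manager navigates to `/.well-known/change-password`, Spring Security redirects to your endpoint, `/change-password`." so it parallels the closing sentence of the second example. It would also help readers to state explicitly that this configuration only publishes the discovery redirect and does not secure the `/change-password` or `/update-password` page itself, so that page still needs its own authorization rule and change-password form.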