Adapt to password encoder changes in Spring Security

wilkinsona · wilkinsona · commit 66b55defa0a9 · 2017-10-24T21:50:19.000+01:00
Closes gh-10762
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java
@@ -21,6 +21,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
@@ -31,6 +32,8 @@
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 /**
@@ -54,11 +57,15 @@ public class AuthenticationManagerConfiguration {
 			.getLog(AuthenticationManagerConfiguration.class);
 
 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager(
+			ObjectProvider<PasswordEncoder> passwordEncoder) throws Exception {
 		String password = UUID.randomUUID().toString();
 		logger.info(String.format("%n%nUsing default security password: %s%n", password));
+		String encodedPassword = passwordEncoder
+				.getIfAvailable(PasswordEncoderFactories::createDelegatingPasswordEncoder)
+				.encode(password);
 		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password(password).roles().build());
+				User.withUsername("user").password(encodedPassword).roles().build());
 	}
 
 }
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/reactive/ReactiveAuthenticationManagerConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/reactive/ReactiveAuthenticationManagerConfiguration.java
@@ -21,6 +21,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
@@ -31,6 +32,8 @@
 import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.crypto.password.PasswordEncoder;
 
 /**
  * Default user {@link Configuration} for a reactive web application. Configures a
@@ -52,10 +55,15 @@ public class ReactiveAuthenticationManagerConfiguration {
 			.getLog(ReactiveAuthenticationManagerConfiguration.class);
 
 	@Bean
-	public MapReactiveUserDetailsService reactiveUserDetailsService() {
+	public MapReactiveUserDetailsService reactiveUserDetailsService(
+			ObjectProvider<PasswordEncoder> passwordEncoder) {
 		String password = UUID.randomUUID().toString();
 		logger.info(String.format("%n%nUsing default security password: %s%n", password));
-		UserDetails user = User.withUsername("user").password(password).roles().build();
+		String encodedPassword = passwordEncoder
+				.getIfAvailable(PasswordEncoderFactories::createDelegatingPasswordEncoder)
+				.encode(password);
+		UserDetails user = User.withUsername("user").password(encodedPassword).roles()
+				.build();
 		return new MapReactiveUserDetailsService(user);
 	}
 
diff --git a/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/security/SecurityTestApplication.java b/spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/security/SecurityTestApplication.java
@@ -34,9 +34,9 @@
 public class SecurityTestApplication {
 
 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("secret").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("secret").roles("USER").build());
 	}
 
 	@RestController
diff --git a/spring-boot-samples/spring-boot-sample-actuator-custom-security/src/main/java/sample/actuator/customsecurity/SecurityConfiguration.java b/spring-boot-samples/spring-boot-sample-actuator-custom-security/src/main/java/sample/actuator/customsecurity/SecurityConfiguration.java
@@ -1,20 +1,40 @@
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package sample.actuator.customsecurity;
 
 import org.springframework.boot.actuate.autoconfigure.security.EndpointRequest;
 import org.springframework.boot.autoconfigure.security.StaticResourceRequest;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 @Configuration
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
 
-	@Override
-	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
-		auth.inMemoryAuthentication().withUser("user").password("password")
-				.authorities("ROLE_USER").and().withUser("admin").password("admin")
-				.authorities("ROLE_ACTUATOR", "ROLE_USER");
+	@Bean
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(
+				User.withDefaultPasswordEncoder().username("user").password("password")
+						.authorities("ROLE_USER").build(),
+				User.withDefaultPasswordEncoder().username("admin").password("admin")
+						.authorities("ROLE_ACTUATOR", "ROLE_USER").build());
 	}
 
 	@Override
diff --git a/spring-boot-samples/spring-boot-sample-actuator-log4j2/src/main/java/sample/actuator/log4j2/SampleActuatorLog4J2Application.java b/spring-boot-samples/spring-boot-sample-actuator-log4j2/src/main/java/sample/actuator/log4j2/SampleActuatorLog4J2Application.java
@@ -26,9 +26,9 @@
 public class SampleActuatorLog4J2Application {
 
 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}
 
 	public static void main(String[] args) throws Exception {
diff --git a/spring-boot-samples/spring-boot-sample-actuator-ui/src/main/java/sample/actuator/ui/SampleActuatorUiApplication.java b/spring-boot-samples/spring-boot-sample-actuator-ui/src/main/java/sample/actuator/ui/SampleActuatorUiApplication.java
@@ -33,9 +33,9 @@
 public class SampleActuatorUiApplication {
 
 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}
 
 	@GetMapping("/")
diff --git a/spring-boot-samples/spring-boot-sample-actuator/src/main/java/sample/actuator/SampleActuatorApplication.java b/spring-boot-samples/spring-boot-sample-actuator/src/main/java/sample/actuator/SampleActuatorApplication.java
@@ -34,9 +34,9 @@ public static void main(String[] args) throws Exception {
 	}
 
 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}
 
 	@Bean
diff --git a/spring-boot-samples/spring-boot-sample-secure-webflux/src/main/java/sample/secure/webflux/SampleSecureWebFluxApplication.java b/spring-boot-samples/spring-boot-sample-secure-webflux/src/main/java/sample/secure/webflux/SampleSecureWebFluxApplication.java
@@ -42,8 +42,8 @@ public RouterFunction<ServerResponse> monoRouterFunction(EchoHandler echoHandler
 
 	@Bean
 	public ReactiveUserDetailsService userDetailsRepository() {
-		return new MapReactiveUserDetailsService(
-				User.withUsername("foo").password("password").roles("USER").build());
+		return new MapReactiveUserDetailsService(User.withDefaultPasswordEncoder()
+				.username("foo").password("password").roles("USER").build());
 	}
 
 }
diff --git a/spring-boot-samples/spring-boot-sample-secure/src/main/java/sample/secure/SampleSecureApplication.java b/spring-boot-samples/spring-boot-sample-secure/src/main/java/sample/secure/SampleSecureApplication.java
@@ -38,9 +38,9 @@ public class SampleSecureApplication implements CommandLineRunner {
 	private SampleService service;
 
 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}
 
 	@Override
diff --git a/spring-boot-samples/spring-boot-sample-servlet/src/main/java/sample/servlet/SampleServletApplication.java b/spring-boot-samples/spring-boot-sample-servlet/src/main/java/sample/servlet/SampleServletApplication.java
@@ -38,9 +38,9 @@
 public class SampleServletApplication extends SpringBootServletInitializer {
 
 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}
 
 	@SuppressWarnings("serial")
diff --git a/spring-boot-samples/spring-boot-sample-session/src/main/java/sample/session/SampleSessionApplication.java b/spring-boot-samples/spring-boot-sample-session/src/main/java/sample/session/SampleSessionApplication.java
@@ -30,9 +30,9 @@ public static void main(String[] args) throws Exception {
 	}
 
 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}
 
 }
diff --git a/spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/security/method/SampleMethodSecurityApplication.java b/spring-boot-samples/spring-boot-sample-web-method-security/src/main/java/sample/security/method/SampleMethodSecurityApplication.java
@@ -18,7 +18,6 @@
 
 import java.util.Date;
 import java.util.Map;
-import java.util.UUID;
 
 import org.springframework.boot.actuate.autoconfigure.security.EndpointRequest;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
@@ -73,10 +72,11 @@ protected static class AuthenticationSecurity {
 
 		@Bean
 		public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-			String password = UUID.randomUUID().toString();
 			return new InMemoryUserDetailsManager(
-					User.withUsername("admin").password("admin").roles("ADMIN", "USER", "ACTUATOR").build(),
-					User.withUsername("user").password("user").roles("USER").build());
+					User.withDefaultPasswordEncoder().username("admin").password("admin")
+							.roles("ADMIN", "USER", "ACTUATOR").build(),
+					User.withDefaultPasswordEncoder().username("user").password("user")
+							.roles("USER").build());
 		}
 
 	}
diff --git a/spring-boot-samples/spring-boot-sample-web-secure-custom/src/main/java/sample/web/secure/custom/SampleWebSecureCustomApplication.java b/spring-boot-samples/spring-boot-sample-web-secure-custom/src/main/java/sample/web/secure/custom/SampleWebSecureCustomApplication.java
@@ -21,10 +21,12 @@
 
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -67,9 +69,10 @@ protected void configure(HttpSecurity http) throws Exception {
 					.failureUrl("/login?error").permitAll().and().logout().permitAll();
 		}
 
-		@Override
-		public void configure(AuthenticationManagerBuilder auth) throws Exception {
-			auth.inMemoryAuthentication().withUser("user").password("user").roles("USER");
+		@Bean
+		public InMemoryUserDetailsManager InMemoryUserDetailsManager() {
+			return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+					.username("user").password("user").roles("USER").build());
 		}
 
 	}
diff --git a/spring-boot-samples/spring-boot-sample-web-secure-jdbc/src/main/java/sample/web/secure/jdbc/SampleWebSecureJdbcApplication.java b/spring-boot-samples/spring-boot-sample-web-secure-jdbc/src/main/java/sample/web/secure/jdbc/SampleWebSecureJdbcApplication.java
@@ -21,13 +21,13 @@
 
 import javax.sql.DataSource;
 
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.provisioning.JdbcUserDetailsManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -63,19 +63,18 @@ public static void main(String[] args) throws Exception {
 	@Configuration
 	protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
 
-		@Autowired
-		private DataSource dataSource;
-
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 			http.authorizeRequests().antMatchers("/css/**").permitAll().anyRequest()
 					.fullyAuthenticated().and().formLogin().loginPage("/login")
 					.failureUrl("/login?error").permitAll().and().logout().permitAll();
 		}
 
-		@Override
-		public void configure(AuthenticationManagerBuilder auth) throws Exception {
-			auth.jdbcAuthentication().dataSource(this.dataSource);
+		@Bean
+		public JdbcUserDetailsManager jdbcUserDetailsManager(DataSource dataSource) {
+			JdbcUserDetailsManager jdbcUserDetailsManager = new JdbcUserDetailsManager();
+			jdbcUserDetailsManager.setDataSource(dataSource);
+			return jdbcUserDetailsManager;
 		}
 
 	}
diff --git a/spring-boot-samples/spring-boot-sample-web-secure-jdbc/src/main/resources/data.sql b/spring-boot-samples/spring-boot-sample-web-secure-jdbc/src/main/resources/data.sql
@@ -1,3 +1,3 @@
-insert into users (username, password, enabled) values ('user', 'user', true);
+insert into users (username, password, enabled) values ('user', '{noop}user', true);
 
 insert into authorities (username, authority) values ('user', 'ROLE_ADMIN');
diff --git a/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/web/secure/SampleWebSecureApplication.java b/spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/web/secure/SampleWebSecureApplication.java
@@ -22,10 +22,12 @@
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.security.StaticResourceRequest;
 import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -74,11 +76,13 @@ protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:on
 		}
 
-		@Override
-		public void configure(AuthenticationManagerBuilder auth) throws Exception {
-			auth.inMemoryAuthentication().withUser("admin").password("admin")
-					.roles("ADMIN", "USER").and().withUser("user").password("user")
-					.roles("USER");
+		@Bean
+		public InMemoryUserDetailsManager InMemoryUserDetailsManager() {
+			return new InMemoryUserDetailsManager(
+					User.withDefaultPasswordEncoder().username("admin").password("admin")
+							.roles("ADMIN", "USER").build(),
+					User.withDefaultPasswordEncoder().username("user").password("user")
+							.roles("USER").build());
 		}
 
 	}
diff --git a/spring-boot-tests/spring-boot-integration-tests/spring-boot-security-tests/spring-boot-security-test-web-helloworld/src/main/java/sample/HelloWebSecurityApplication.java b/spring-boot-tests/spring-boot-integration-tests/spring-boot-security-tests/spring-boot-security-test-web-helloworld/src/main/java/sample/HelloWebSecurityApplication.java
@@ -26,9 +26,9 @@
 public class HelloWebSecurityApplication {
 
 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {
-		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password("password").roles("USER").build());
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+				.username("user").password("password").roles("USER").build());
 	}
 
 	public static void main(String[] args) {

Original file line number	Diff line number	Diff line change
`@@ -34,9 +34,9 @@ public static void main(String[] args) throws Exception {`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`@Bean`
`37`		`- public InMemoryUserDetailsManager inMemoryUserDetailsManager() throws Exception {`
`38`		`- return new InMemoryUserDetailsManager(`
`39`		`- User.withUsername("user").password("password").roles("USER").build());`
	`37`	`+ public InMemoryUserDetailsManager inMemoryUserDetailsManager() {`
	`38`	`+ return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()`
	`39`	`+ .username("user").password("password").roles("USER").build());`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`@Bean`
Original file line number	Diff line number	Diff line change
`@@ -42,8 +42,8 @@ public RouterFunction<ServerResponse> monoRouterFunction(EchoHandler echoHandler`
`42`	`42`
`43`	`43`	`@Bean`
`44`	`44`	`public ReactiveUserDetailsService userDetailsRepository() {`
`45`		`- return new MapReactiveUserDetailsService(`
`46`		`- User.withUsername("foo").password("password").roles("USER").build());`
	`45`	`+ return new MapReactiveUserDetailsService(User.withDefaultPasswordEncoder()`
	`46`	`+ .username("foo").password("password").roles("USER").build());`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`}`