Spring Boot: How to specify the PasswordEncoder?
In spring-security-core:5.0.0.RC1
, the default PasswordEncoder
is built as a DelegatingPasswordEncoder
. When you store the users in memory, you are providing the passwords in plain text and when trying to retrieve the encoder from the DelegatingPasswordEncoder
to validate the password it can't find one that matches the way in which these passwords were stored.
Use this way to create users instead.
User.withDefaultPasswordEncoder().username("user").password("user").roles("USER").build();
You can also simply prefix {noop}
to your passwords in order for the DelegatingPasswordEncoder
use the NoOpPasswordEncoder
to validate these passwords. Notice that NoOpPasswordEncoder
is deprecated though, as it is not a good practice to store passwords in plain text.
User.withUsername("user").password("{noop}user").roles("USER").build();
For more information, check this post.
https://spring.io/blog/2017/11/01/spring-security-5-0-0-rc1-released#password-encoding
Use NoOpPasswordEncoder
for inMemoryAuthentication
auth.inMemoryAuthentication()
.withUser("user")
.password("{noop}password")
.roles("USER")
You need to have some sort of a password encoder, but
withDefaultPasswordEncoder()
is deprecated and no more suitable for production. Use this instead:
PasswordEncoder encoder =
PasswordEncoderFactories.createDelegatingPasswordEncoder();
...
UserDetails user = User.withUsername("someusername")
.password(encoder.encode("somepassword"))
.roles("USER").build();
Ref: https://docs.spring.io/spring-security/site/docs/5.0.2.BUILD-SNAPSHOT/api/index.html?org/springframework/security/core/userdetails/User.html