
Here is my security configuration code:

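import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // In-memory users; the {noop} prefix marks each password as stored in plain text.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("chandra").password("{noop}1234").roles("USER").and()
                .withUser("admin").password("{noop}admin123").roles("ADMIN");
    }

    // URL rules per role; CSRF protection and the X-Frame-Options header are disabled.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/addItem", "/delete").hasRole("ADMIN")
                .antMatchers("/getAllItems").hasRole("USER")
                .and().csrf().disable().headers().frameOptions().disable()
                .and()
                .formLogin();
    }
}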

But while compiling, Spring is still generating the password for me.

Using generated security password: 49f04bde-ac1f-4e30-870b-ba0dd93d50f3

I checked whether the configuration is being loaded or not by print statements and found the security config is loading. Is there any change I should make to make it work with the given user ids and passwords?

Thanks in advance.

  • Have you tried to log in with given user? – Andrew Sasha Mar 21 '19 at 11:08
  • See for understanding provider managers https://stackoverflow.com/questions/53404327/what-is-the-difference-between-registering-an-authenticationprovider-with-httpse – Andrew Sasha Mar 21 '19 at 11:09
  • Yes, in Postman I tried and the form is being loaded, so I removed .and.formLogin() and tried again with my credentials ('chandra', '1234') but got 403 Forbidden. @Andrew Sasha – Anjan Kailash Mar 21 '19 at 11:16
  • Hi I am facing the same issue now. Has there been an accepted answer or solution to this question? – james Sep 13 '19 at 13:41
  • https://stackoverflow.com/a/49829952/7550229 You should set password encoding – M Shafaghi Aug 18 '20 at 14:33

1 Answer

Just a default hint about plain text passwords, you can imagine, what comes next. :-)

Anyway for testing purposes you could define a no operation password encoder like this in your @Configuration class:

To make your prepended noop working, be sure to expose the following bean:

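import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@Bean
public PasswordEncoder passwordEncoder() {
    return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}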

For further information, please consult the respective chapter in the reference manual. As an alternative you could provide the good old password manager itself:

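import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;

[…]

// NoOpPasswordEncoder is deprecated and compares passwords as plain text: testing only.
@Bean
public NoOpPasswordEncoder passwordEncoder() {
    return NoOpPasswordEncoder.getInstance();
}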
mle
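
How the delegating encoder from the answer treats differently stored passwords, as an added example that is not part of the original answer or of Spring's own code. It assumes spring-security-crypto 5.1 or later on the classpath; the class name `DelegatingEncoderDemo` and the helper `check` are hypothetical, and the sample values reuse the credentials from the question.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical demo class (not from the page); needs only spring-security-crypto.
public class DelegatingEncoderDemo {

    // Describes how the encoder treats one stored value for a given raw password.
    static String check(PasswordEncoder encoder, String raw, String stored) {
        try {
            boolean ok = encoder.matches(raw, stored);
            // upgradeEncoding reports whether the stored form should be re-encoded
            // with the encoder's current default scheme.
            return "matches=" + ok + ", upgradeEncoding=" + encoder.upgradeEncoding(stored);
        } catch (IllegalArgumentException e) {
            // Raised when the stored value has no {id} prefix the encoder can map.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // Constructed sample values.
        String noop = "{noop}1234";              // plain text, routed to NoOpPasswordEncoder
        String bare = "1234";                    // no {id} prefix at all
        String hashed = encoder.encode("1234");  // hashed with the default scheme

        System.out.println("{noop} value : " + check(encoder, "1234", noop));
        System.out.println("bare value   : " + check(encoder, "1234", bare));
        System.out.println("encoded value: " + check(encoder, "1234", hashed));
        System.out.println("wrong guess  : " + check(encoder, "admin123", hashed));
        // Print only the {id} prefix of the stored hash, never the hash body.
        System.out.println("default id   : " + hashed.substring(0, hashed.indexOf('}') + 1));
    }
}
```

Storing the output of `encoder.encode(...)` instead of a `{noop}` literal keeps the same bean working while the in-memory users no longer hold plain-text passwords.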