-1

I'm using SpringBoot v2.4.2 to host a few JAX-RS (Jersey) based REST APIs. And these APIs are secured (BASIC auth) using Spring's in-memory authenticator i.e. by extending WebSecurityConfigurerAdapter.

Below is the code snippet:

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
    auth.inMemoryAuthentication()
        .withUser(username)
        .password(encoder.encode(passwd));
}

Now the question is, how do I update this in-memory authentication mechanism if a user (in this case an administrator) updates his/her password. I do allow user to update password after login with the default username/password (only known to administrators).

How do I get the code flow/event back to configure(AuthenticationManagerBuilder auth) method to use the new password?

Thanks.

Narwhal
  • It is in-memory so the change will be gone after a restart, is that what you want? – M. Deinum Jun 30 '21 at 13:38
  • Changes will be in database and will be fetched while configuring the in-memory authenticator upon restart. – Narwhal Jun 30 '21 at 13:46
  • If there is a database why even bother with the in-memory stuff? Feels counterintuitive, just update the database and be done. Else you would need to update both parts (database and in-memory). – M. Deinum Jun 30 '21 at 13:47
  • The idea was to reduce hitting database for each login request. Hence in-memory usage helped there. Anyways thanks for the suggestion. – Narwhal Jun 30 '21 at 14:22

2 Answers

1

The InMemoryUserDetailsManager implements two interfaces: UserDetailsManager and UserDetailsPasswordService.

These two interfaces have two methods: changePassword and updatePassword, respectively. You can inject any of them and use its implementation to change a user's password.

@Autowired
private UserDetailsManager userDetailsManager;

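public void changePassword(String oldPassword, String newPassword) {
    // Acts on the user in the current SecurityContext.
    // InMemoryUserDetailsManager stores newPassword exactly as passed, so encode it first.
    this.userDetailsManager.changePassword(oldPassword, newPassword);
}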

More details in the InMemoryUserDetailsManager implementation.

  • Thanks. I was looking for something like this and had found similar answer here https://stackoverflow.com/questions/45556821/spring-security-how-to-change-default-user-and-password. Appreciate your help. – Narwhal Jul 06 '21 at 10:55
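
An added example (not code from the question or the answers) of the approach in the answer above, assuming Spring Boot 2.4.x with Spring Security 5.4: the `InMemoryUserDetailsManager` is declared as a bean so the instance that authenticates requests is the same one that gets updated, and the new password is encoded before storing because the manager keeps the value exactly as passed. The class names, the `admin` user and the `change-me` password are placeholders, and it calls `updatePassword` with an explicit username rather than `changePassword`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Service;

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Single shared instance: used for authentication and injected into the service below.
    @Bean
    InMemoryUserDetailsManager users() {
        return new InMemoryUserDetailsManager(User.withUsername("admin") // placeholder user
                .password(passwordEncoder().encode("change-me")).roles("ADMIN").build());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(users()).passwordEncoder(passwordEncoder());
    }
}

@Service
class PasswordChangeService {
    private final InMemoryUserDetailsManager users;
    private final PasswordEncoder encoder;

    PasswordChangeService(InMemoryUserDetailsManager users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
    }

    void changePassword(String username, String oldPassword, String newPassword) {
        UserDetails current = users.loadUserByUsername(username); // throws if the user is unknown
        if (!encoder.matches(oldPassword, current.getPassword())) {
            throw new BadCredentialsException("Old password does not match");
        }
        // The manager does not encode; an unencoded value would break the next login.
        users.updatePassword(current, encoder.encode(newPassword));
    }
}
```

The change exists only in memory, so the database copy mentioned in the comments on the question still has to be written separately.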
0

I would recommend setting the password where you usually take it from and then refresh the principal. Means: update the password, log user off and on again. It might be fair to consider forcing a user to log in again after changing its password - which is common practise if auth&auth are built in.

Javali
  • Thanks. I am using a simplest form of Spring's security and not dealing with principal/session directly. Also the password is not updated via reset form instead am taking it part of configuration settings so logging off is not an option for me. Wondering is there something in Spring way.. – Narwhal Jun 30 '21 at 12:55