Bhagyashree O

Reputation: 123

How to recover a password in Spring (4.0) Security Java config?

I'm trying to recover a password in Spring Security, and I have included .antMatchers("/loginrecover").permitAll() in SecurityConfig.java.

How do I implement login password recovery in Spring Security?

Upvotes: 1

Views: 787

Answers (1)

M4ver1k

Reputation: 1575

I would prefer password reset to recovery, as a password is sensitive data which must be encrypted and saved in the DB; in no way must one be able to get the clear-text password from the encrypted password. Again, it depends; unless I know more about your requirement I can't comment.

For resetting/recovering the password, you can send out an email to the user with a LINK to reset the password, or the password itself in the mail.

Ask for the user's registered email id from the view and send it to the Controller mapped to /loginrecover; from the controller, invoke a service which will send out a mail to the user. Use the JavaMail API for that; refer below for a code snippet to send out mail.

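    import javax.mail.MessagingException;
    import javax.mail.internet.MimeMessage;
    import org.springframework.mail.javamail.JavaMailSender;
    import org.springframework.mail.javamail.MimeMessageHelper;

    // Method of a service class; mailSender is an injected JavaMailSender field.
    // someHash is the per-user reset value placed in the link, passed in by the caller.
    public void sendMail(String emailId, String someHash)
    {
        MimeMessage message = this.mailSender.createMimeMessage();
        MimeMessageHelper mimeHelper;
        try {
            // true = multipart message
            mimeHelper = new MimeMessageHelper(message, true);
            mimeHelper.setTo(emailId);
            mimeHelper.setFrom("[email protected]");
            mimeHelper.setSubject("Password Reset");
            // second argument true = send the body as HTML
            mimeHelper.setText("<html><body>hi,<br/><a href='http://yourdomain:8080/Context/newPassword/" + someHash + "/'> Click here</a> to reset password</body></html>", true);
            mailSender.send(message);
        } catch (MessagingException e) {
            System.out.println("Error Sending email " + e.getMessage());
        }
    }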

The someHash must be a unique way to identify your user; make sure it can't be guessed by others. You may use the SHA256 hashing technique for it.

Upvotes: 1
