CODEWITHSUNDEEP
javaspringspring-bootspring-security
Peter Penzov
Peter Penzov

Reputation: 1648

Configure NoOpPasswordEncoder in Spring

I have this configuration in Spring for passwords.

@Bean
public PasswordEncoder passwordEncoder() {
    return NoOpPasswordEncoder.getInstance();
}

But looks like it's deprecated, I don't need to encrypt rest keys. I need to store them in plain text. How I can configure this?

Upvotes: 2

Views: 12859

Answers (5)

Mehdi Rahimi
Mehdi Rahimi

Reputation: 2536

This PasswordEncoder is not secure and instead you should use BCryptPasswordEncoder, SCryptPasswordEncoder, etc in production environment.

You can use it in test environment and ignore the warning, because there are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.

There is an alternative if you don't want to see the warning. You can use {noop} as the following example:

UserDetails user = User.withUsername("user")
           .password("{noop}password")
           .roles("USER")
           .build();

Upvotes: 0

Aliyu Sahabo Adam
Aliyu Sahabo Adam

Reputation: 11

Just add "{noop}yourpasswordhere"

Example

var user = User.withUsername("john")
               .password("{noop}1234")
               .build();

Upvotes: 1

Shadov
Shadov

Reputation: 5592

This PasswordEncoder has been deprecated, because of this issue - SEC-2564: Deprecate all salted digest password encoding #2776 (Spring Security at GitHub). It's not like it was secure or more reliable before deprecation (since it does nothing anyway), it was just deprecated as a part of something bigger.

If you want to use that PasswordEncoder, you can do that and ignore the deprecation, just know that it does completely nothing (maybe besides giving someone not familiar with the codebase a false sense of security) and as the docs says - should be used only for testing.

If you really want to avoid using this class, and you want to keep stuff in plaintext, and still for some reason declare PasswordEncoder as a bean (I don't really understand why would someone want combination of those 3 things) then you can implement your own PasswordEncoder, it's a simple interface.

Upvotes: 1

Jenson
Jenson

Reputation: 724

Though a little late, here is what I found:

If you want to store the password as plaintext you will have to prefix it with {noop}. Default PasswordEncoder i.e DelegatingPasswordEncoder should take care of matching it. For e.g. if your plaintext password is abc123ABC you will have to store it in database as {noop}abc123ABC

(Valid for Spring Security 5.x onwards)

Upvotes: 5

Chr Isme
Chr Isme

Reputation: 41

just copy the code to MyNoOpPasswordEncoder, done! :-)

Upvotes: 2

Related Questions