Reputation: 162
I created a Spring Security setup with a custom filter. It does not use a UserDetailsService, so I did not create one. The authentication works as intended, but I still get the auto-generated password in the logs. I solved this by declaring an empty UserDetailsService, but I wonder: is Spring Security still trying to find a username in the requests and authenticate them using the UserDetailsService, or was the default password generated by the default UserDetailsService but used by no one? Is there a proper way to disable these? Can I get rid of default password generation without declaring my own UserDetailsService?
Here is my conf:
    import lombok.RequiredArgsConstructor;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.security.provisioning.InMemoryUserDetailsManager;
    import org.springframework.security.web.SecurityFilterChain;
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

    @Configuration
    @EnableWebSecurity
    @RequiredArgsConstructor
    public class SecurityConfig {

        private final JwtAuthenticationFilter jwtAuthenticationFilter;
        private final JwtAuthenticationEntryPoint unauthorizedHandler;

        @Bean
        public InMemoryUserDetailsManager userDetailsService(PasswordEncoder passwordEncoder) {
            // We overwrite the default user details service so it does not generate a default user and password
            return new InMemoryUserDetailsManager();
        }

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder(10);
        }

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http.csrf(AbstractHttpConfigurer::disable);
            http.cors(AbstractHttpConfigurer::disable);
            http.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
            http.exceptionHandling(exception -> exception
                    .authenticationEntryPoint(unauthorizedHandler));
            http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
            http.authorizeHttpRequests(authorize -> authorize
                    .requestMatchers(HttpMethod.OPTIONS).permitAll()
                    .requestMatchers("/api/auth/**").permitAll()
                    .requestMatchers("/error").permitAll()
                    .requestMatchers("/api/public/**").permitAll()
                    .anyRequest().authenticated());
            return http.build();
        }
    }
Upvotes: 1
Views: 53
Reputation: 14810
The problem here is that you are building your own custom JWTFilter and including an InMemoryUserDetailsManager and a PasswordEncoder. You should remove all of this.
If you want to accept JWTs, there is already an implementation for this in Spring Security. It's called OAuth2ResourceServer and is documented in the Spring Security docs.
https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html
Here is a proper tutorial that you can use: https://thomasandolf.medium.com/spring-security-jwts-getting-started-ebdb4e4f1dd1
Also remember that handing out JWTs to the browser directly after authentication is called an implicit flow and is a non-recommended legacy way of authentication that has several vulnerabilities.
https://oauth.net/2/grant-types/implicit/
Upvotes: -3
Reputation: 4171
We did that with:
@SpringBootApplication(exclude={UserDetailsServiceAutoConfiguration.class})
Upvotes: 0
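The exclusion from the answer above, applied to the asker's configuration, as an added example (not code from either poster): once UserDetailsServiceAutoConfiguration is excluded, no default user is created, so the placeholder InMemoryUserDetailsManager bean (and the PasswordEncoder that only existed to feed it) can be dropped. The class name DemoApplication is hypothetical; JwtAuthenticationFilter and JwtAuthenticationEntryPoint are the asker's own classes.

```java
// ---- DemoApplication.java (hypothetical name) ----
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;

// Excluding this auto-configuration stops Spring Boot from creating the in-memory
// default user whose generated password is printed to the log at startup.
@SpringBootApplication(exclude = {UserDetailsServiceAutoConfiguration.class})
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

// ---- SecurityConfig.java ----
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {
    private final JwtAuthenticationFilter jwtAuthenticationFilter;  // asker's own filter
    private final JwtAuthenticationEntryPoint unauthorizedHandler;  // asker's own entry point

    // No UserDetailsService or PasswordEncoder bean here: with the auto-configuration
    // excluded, nothing generates a default user, so the placeholder bean is not needed.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
            .cors(AbstractHttpConfigurer::disable)
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .exceptionHandling(e -> e.authenticationEntryPoint(unauthorizedHandler))
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.OPTIONS).permitAll()
                .requestMatchers("/api/auth/**", "/api/public/**", "/error").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }
}
```

The same exclusion can be made in application.properties instead of the annotation with spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration. If the JWT filter itself needs a PasswordEncoder, keep that bean; only the UserDetailsService placeholder becomes redundant.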