发表新帖
发表新帖

Remove “Using default security password” on Spring Boot

后端 未结
关注
18 2121
小鲜肉
小鲜肉 2020-12-04 12:13

I added one custom Security Config in my application on Spring Boot, but the message about \"Using default security password\" is still there in LOG file.

Is there a

相关标签:
18条回答
  • 天命终不由人
    2020-12-04 12:32

    Check documentation for org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration there are conditions when autoconfig will be halt.

    In my case I forgot to define my custom AuthenticationProvider as bean.

    @Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(getAuthenticationProvider());
    }

    @Bean
    AuthenticationProvider getAuthenticationProvider() {
        return new CustomAuthenticationProvider(adminService, onlyCorporateEmail);
    }
}
    0 讨论(0)
  • 执笔经年
    2020-12-04 12:34

    Just use the rows below:

    spring.security.user.name=XXX
spring.security.user.password=XXX

    to set the default security user name and password at your application.properties (name might differ) within the context of the Spring Application.

    To avoid default configuration (as a part of autoconfiguration of the SpringBoot) at all - use the approach mentioned in Answers earlier:

    @SpringBootApplication(exclude = {SecurityAutoConfiguration.class })

    or

    @EnableAutoConfiguration(exclude = { SecurityAutoConfiguration.class })
    0 讨论(0)
  • 我寻月下人不归
    2020-12-04 12:38

    To remove default user you need to configure authentication menager with no users for example:

    @configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication();
    }
}

    this will remove default password message and default user because in that case you are configuring InMemoryAuthentication and you will not specify any user in next steps

    0 讨论(0)
  • 清歌不尽
    2020-12-04 12:38

    It didn't work for me when I excluded SecurityAutoConfiguration using @SpringBootApplication annotation, but did work when I excluded it in @EnableAutoConfiguration:

    @EnableAutoConfiguration(exclude = { SecurityAutoConfiguration.class })
    0 讨论(0)
  • 北海茫月
    2020-12-04 12:41

    When spring boot is used we should exclude the SecurityAutoConfiguration.class both in application class and where exactly you are configuring the security like below.

    Then only we can avoid the default security password.

    import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration;
import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@SpringBootApplication(exclude = {SecurityAutoConfiguration.class })
@EnableJpaRepositories
@EnableResourceServer
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

    import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    @EnableAutoConfiguration(exclude = { 
            org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration.class 
        })
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity.authorizeRequests().anyRequest().authenticated();
            httpSecurity.headers().cacheControl();
        }
    }
    0 讨论(0)
  • 离开以前
    2020-12-04 12:41

    If you have enabled actuator feature (spring-boot-starter-actuator), additional exclude should be added in application.yml:

    spring:
  autoconfigure:
    exclude: org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration

    Tested in Spring Boot version 2.3.4.RELEASE.

    0 讨论(0)
 看不清?
提交回复
热议问题