Skip to main content

Spring Security 5 Updates

I've got a bit of time between projects, so I've decided to brush up on Spring Security, as it has been a while since I've tried to follow updates.

The first thing I noticed is that when playing around, Spring 5 really doesn't want you to deal with plain text passwords.  This is completely understandable; plain text passwords are BAD and cause bad things to happen in the real world.  Unfortunately, if I'm just trying to play around with the security framework, this can make things a bit clunky.  I've learned there are two ways to work around

1. Do simple inMemoryAuthentication after explicitly calling User.withDefaultPasswordEncoder() to allow plain text passwords while just playing around.


2. Roll a simple/custom UserDetailsService for configure() to use that knows the password doesn't get encryption by prefixing "{noop}" to the password text. (Thanks to ever helpful mkyong for this.)



Labels:

Comments

Post a Comment

Popular posts from this blog

ANSI-92 SQL Syntax - aka "JOIN" me in software progress!

 I've run into several projects lately that don't use and/or refuse to use the JOIN keyword/syntax.  I've had conversations in these projects to help people understand that, but I wonder why this is not more common across SQL database projects.  This standard is not new, and it more easily defines the join section vs the WHERE/filter section, so it has good benefits.  So far, the only reason I have heard to not use it is "we just don't tend to do that here."  This makes me sad. I hope to continue evangelizing small changes like this in my projects, be it JOIN, use of functional programming, listening to IDE feedback (great static analysis checking... available before you ever even push!), etc.  There are so many small things that help make software easier for everyone, I think.
Post a Comment
Read more

Spring Security - Authority vs Role

I have spent a lot of time recently trying to understand the difference between Authority and Role in Spring Security.  This is a brief review of what I found. When creating a UserDetailsService or overriding configure(AuthenticationManagerBuilder auth) in the security config class that extends WebSecurityConfigurerAdapter, I basically get complete control over what I populate inside of the UserDetails that is used/returned.  This is important because the UserDetails interface really only cares about how to return one thing: Collection<? extends GrantedAuthority> getAuthorities(); A GrantedAuthority just seems like a glorified String wrapper that names some thing.  The question is... what is that thing? This is where the subtle difference between Authority and Role comes into play. I think that Role is an older thought/construct that automatically gets plugged into Authority if we just create a user with a Role.  But completely forget about the code a...
Post a Comment
Read more

Generating JKS Keystore for SSL/TLS

I have done this and forgotten how to do this too many times... so here are some quick references for myself.  https://stackoverflow.com/questions/11952274/how-can-i-create-keystore-from-an-existing-certificate-abc-crt-and-abc-key-fil or... this: openssl pkcs12 -export -in <CRT_FILE>.crt -inkey <KEY_FILE>.key -out <OUTPUT_P12_FILE>.p12   keytool -importkeystore -srckeystore <OUTPUT_P12_FILE_FROM_ABOVE>.p12 -srcstoretype PKCS12 -destkeystore <KEYSTORE_FILE_NAME>.jks -deststoretype JKS
Post a Comment
Read more