List of usage examples for org.springframework.security.crypto.factory PasswordEncoderFactories createDelegatingPasswordEncoder
@SuppressWarnings("deprecation") public static PasswordEncoder createDelegatingPasswordEncoder()
From source file:org.springframework.security.core.userdetails.User.java
/** * <p>//from w w w . j ava2 s.c o m * <b>WARNING:</b> This method is considered unsafe for production and is only intended * for sample applications. * </p> * <p> * Creates a user and automatically encodes the provided password using * {@code PasswordEncoderFactories.createDelegatingPasswordEncoder()}. For example: * </p> * * <pre> * <code> * UserDetails user = User.withDefaultPasswordEncoder() * .username("user") * .password("password") * .roles("USER") * .build(); * // outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG * System.out.println(user.getPassword()); * </code> * </pre> * * This is not safe for production (it is intended for getting started experience) * because the password "password" is compiled into the source code and then is * included in memory at the time of creation. This means there are still ways to * recover the plain text password making it unsafe. It does provide a slight * improvement to using plain text passwords since the UserDetails password is * securely hashed. This means if the UserDetails password is accidentally exposed, * the password is securely stored. * * In a production setting, it is recommended to hash the password ahead of time. * For example: * * <pre> * <code> * PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder(); * // outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG * // remember the password that is printed out and use in the next step * System.out.println(encoder.encode("password")); * </code> * </pre> * * <pre> * <code> * UserDetails user = User.withUsername("user") * .password("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG") * .roles("USER") * .build(); * </code> * </pre> * * @return a UserBuilder that automatically encodes the password with the default * PasswordEncoder * @deprecated Using this method is not considered safe for production, but is * acceptable for demos and getting started. For production purposes, ensure the * password is encoded externally. See the method Javadoc for additional details. * There are no plans to remove this support. It is deprecated to indicate * that this is considered insecure for production purposes. */ @Deprecated public static UserBuilder withDefaultPasswordEncoder() { logger.warn( "User.withDefaultPasswordEncoder() is considered unsafe for production and is only intended for sample applications."); PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder(); return builder().passwordEncoder(encoder::encode); }