spring-guides / gs-securing-web

Securing a Web Application :: Learn how to protect your web application with Spring Security.

Home Page: http://spring.io/guides/gs/securing-web/


Usage of deprecated method withDefaultPasswordEncoder()

s-kali opened this issue · comments


The related method, which is used in WebSecurityConfig.java, is deprecated.

@Bean
public UserDetailsService userDetailsService() {
	UserDetails user =
		 User.withDefaultPasswordEncoder()
			.username("user")
			.password("password")
			.roles("USER")
			.build();

	return new InMemoryUserDetailsManager(user);
}

Hi @s-kali. You are correct that this method is deprecated in Spring Security.

Looking at the text in the current API doc, you'll see the deprecation is more about grabbing the user's attention that this is not a production-ready method. (Emphasis is mine in the quote below)

Deprecated.
Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.

I think the code is OK as is, given what is in the API doc. But perhaps something in the README like a caution admonition would be appropriate.

Hi @robertmcnees, you're right. Considering the deprecation description is a good idea, which I hadn't considered earlier. Thank you for your comment.
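
Added example (not part of the issue thread or the guide's code): one way to follow the API doc's advice to "ensure the password is encoded externally". The class name `ExternalPasswordConfig` and the property `demo.user.password-hash` are hypothetical; the property is assumed to hold a `{bcrypt}`-prefixed hash generated outside the application.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Hypothetical configuration class, shown as an alternative to
// User.withDefaultPasswordEncoder() for non-demo use.
@Configuration
public class ExternalPasswordConfig {

	// Delegating encoder: picks the algorithm from the "{id}" prefix of the
	// stored value, so "{bcrypt}..." is verified with BCrypt at login.
	@Bean
	public PasswordEncoder passwordEncoder() {
		return PasswordEncoderFactories.createDelegatingPasswordEncoder();
	}

	// The hash is injected from configuration (assumed property name), so the
	// plaintext password never appears in source code or in memory at startup.
	@Bean
	public UserDetailsService userDetailsService(
			@Value("${demo.user.password-hash}") String passwordHash) {

		// Fail fast if someone supplies plaintext or a "{noop}" value
		// instead of an externally generated BCrypt hash.
		if (!passwordHash.startsWith("{bcrypt}")) {
			throw new IllegalStateException(
					"demo.user.password-hash must be a {bcrypt}-prefixed hash");
		}

		// User.withUsername(...) stores the password value as given;
		// unlike withDefaultPasswordEncoder(), it does no encoding itself.
		UserDetails user = User.withUsername("user")
				.password(passwordHash)
				.roles("USER")
				.build();

		return new InMemoryUserDetailsManager(user);
	}
}
```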