spring-guides / gs-securing-web

Securing a Web Application :: Learn how to protect your web application with Spring Security.
http://spring.io/guides/gs/securing-web/
Apache License 2.0

Usage of deprecated method withDefaultPasswordEncoder() #75

Closed s-kali closed 6 months ago

s-kali commented 8 months ago


The related method, which is used in WebSecurityConfig.java, is deprecated:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class WebSecurityConfig {
    @Bean
    public UserDetailsService userDetailsService() {
        // withDefaultPasswordEncoder() is deprecated: it hashes the plaintext
        // at startup and is documented as acceptable for demos only
        UserDetails user =
             User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```
robertmcnees commented 6 months ago

Hi @s-kali. You are correct that this method is [deprecated in spring security](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/core/userdetails/User.html#withDefaultPasswordEncoder()).

Looking at the text in the current api doc, you'll see the deprecation is more about grabbing the user's attention that this is not a production-ready method. (Emphasis is mine in the quote below)

> Deprecated. Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.

I think the code is OK as is given what is in the api doc. But perhaps something in the readme like a caution admonition would be appropriate.
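The distinction drawn in the comment above (demo-only `withDefaultPasswordEncoder()` versus a password "encoded externally"), as an added example that is not part of this issue or of the gs-securing-web guide: the demo bean from the issue sits next to a production-style configuration in which the hash is generated outside the running application and injected from a property. The class name `UserConfig`, the package name, the `demo` profile name and the property `app.user.password-hash` are assumptions chosen for this example; the Spring Security classes and methods used are real.

```java
// Added example, not the guide's own code. Package and property names are assumptions.
package hello;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class UserConfig {

    // Demo only (active under the assumed "demo" profile): the plaintext
    // password is a literal in source and is hashed at startup.
    @Bean
    @Profile("demo")
    public UserDetailsService demoUserDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }

    // The delegating encoder reads the "{id}" prefix of a stored hash
    // (for example "{bcrypt}"), so the hashing algorithm can be rotated later
    // without rewriting existing credentials. Spring Boot wires this bean into
    // the DaoAuthenticationProvider automatically.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Production-style: the value of app.user.password-hash (assumed property
    // name) is an already-encoded string such as "{bcrypt}$2a$10$...", produced
    // outside the application and supplied through an externalized property
    // source. No plaintext password appears in the code base.
    @Bean
    @Profile("!demo")
    public UserDetailsService userDetailsService(
            @Value("${app.user.password-hash}") String encodedPassword) {
        UserDetails user = User.withUsername("user")
                .password(encodedPassword)   // stored as-is; matched by the encoder bean
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }

    // One-off helper to produce the hash offline. Run it once, then store the
    // printed value as app.user.password-hash; the plaintext is never persisted.
    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: UserConfig <plaintext-password>");
            System.exit(1);
        }
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        System.out.println(encoder.encode(args[0]));
    }
}
```

With this layout the only place a plaintext password ever exists is the operator's terminal when the helper is run; the application itself sees nothing but the prefixed hash, and `InMemoryUserDetailsManager` stays usable for a small fixed user set while the credential handling matches what the Javadoc means by "encoded externally".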

s-kali commented 6 months ago

Hi @robertmcnees, you're right. Considering the deprecation description is a good idea, which I hadn't considered earlier. Thank you for your comment.