Make it clearer that the generated password is not for production use

Closes gh-30061
spring-projects · Mar 4, 2022 · 1872af0 · 1872af0
1 parent 2b98fce
commit 1872af0
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/...ingframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.java b/...ingframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -82,7 +82,11 @@ public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties
 	private String getOrDeducePassword(SecurityProperties.User user, PasswordEncoder encoder) {
 		String password = user.getPassword();
 		if (user.isPasswordGenerated()) {
-			logger.info(String.format("%n%nUsing generated security password: %s%n", user.getPassword()));
+			logger.warn(String.format(
+					"%n%nUsing generated security password: %s%n%nThis generated password is for development use only. "
+							+ "Your security configuration must be updated before running your application in "
+							+ "production.%n",
+					user.getPassword()));
 		}
 		if (encoder != null || PASSWORD_ALGORITHM_PATTERN.matcher(password).matches()) {
 			return password;

diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/security.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/security.adoc
@@ -6,14 +6,16 @@ To add method-level security to a web application, you can also add `@EnableGlob
 Additional information can be found in the {spring-security-docs}#jc-method[Spring Security Reference Guide].
 
 The default `UserDetailsService` has a single user.
-The user name is `user`, and the password is random and is printed at INFO level when the application starts, as shown in the following example:
+The user name is `user`, and the password is random and is printed at WARN level when the application starts, as shown in the following example:
 
 [indent=0]
 ----
 	Using generated security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
+
+	This generated password is for development use only. Your security configuration must be updated before running your application in production.
 ----
 
-NOTE: If you fine-tune your logging configuration, ensure that the `org.springframework.boot.autoconfigure.security` category is set to log `INFO`-level messages.
+NOTE: If you fine-tune your logging configuration, ensure that the `org.springframework.boot.autoconfigure.security` category is set to log `WARN`-level messages.
 Otherwise, the default password is not printed.
 
 You can change the username and password by providing a `spring.security.user.name` and `spring.security.user.password`.