Merge branch '2.7.x'

spring-projects · Mar 4, 2022 · c755e0d · c755e0d
2 parents 68a2f55 + f44e7d9
commit c755e0d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/...ingframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.java b/...ingframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.java
@@ -85,7 +85,11 @@ public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties
 	private String getOrDeducePassword(SecurityProperties.User user, PasswordEncoder encoder) {
 		String password = user.getPassword();
 		if (user.isPasswordGenerated()) {
-			logger.info(String.format("%n%nUsing generated security password: %s%n", user.getPassword()));
+			logger.warn(String.format(
+					"%n%nUsing generated security password: %s%n%nThis generated password is for development use only. "
+							+ "Your security configuration must be updated before running your application in "
+							+ "production.%n",
+					user.getPassword()));
 		}
 		if (encoder != null || PASSWORD_ALGORITHM_PATTERN.matcher(password).matches()) {
 			return password;

diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/spring-security.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/spring-security.adoc
@@ -6,14 +6,16 @@ To add method-level security to a web application, you can also add `@EnableGlob
 Additional information can be found in the {spring-security-docs}/servlet/authorization/method-security.html[Spring Security Reference Guide].
 
 The default `UserDetailsService` has a single user.
-The user name is `user`, and the password is random and is printed at INFO level when the application starts, as shown in the following example:
+The user name is `user`, and the password is random and is printed at WARN level when the application starts, as shown in the following example:
 
 [indent=0]
 ----
 	Using generated security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
+
+	This generated password is for development use only. Your security configuration must be updated before running your application in production.
 ----
 
-NOTE: If you fine-tune your logging configuration, ensure that the `org.springframework.boot.autoconfigure.security` category is set to log `INFO`-level messages.
+NOTE: If you fine-tune your logging configuration, ensure that the `org.springframework.boot.autoconfigure.security` category is set to log `WARN`-level messages.
 Otherwise, the default password is not printed.
 
 You can change the username and password by providing a `spring.security.user.name` and `spring.security.user.password`.