From 1872af056ec059db2316db40ef19e2c1801af208 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Fri, 4 Mar 2022 17:38:19 +0000
Subject: [PATCH] Make it clearer that the generated password is not for production use
Closes gh-30061
---
 .../servlet/UserDetailsServiceAutoConfiguration.java | 8 ++++++--
 .../src/docs/asciidoc/features/security.adoc | 6 ++++--
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.java
index e601bc494834..683da7f82780 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -82,7 +82,11 @@ public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties
 private String getOrDeducePassword(SecurityProperties.User user, PasswordEncoder encoder) {
 String password = user.getPassword();
 if (user.isPasswordGenerated()) {
- logger.info(String.format("%n%nUsing generated security password: %s%n", user.getPassword()));
+ logger.warn(String.format(
+ "%n%nUsing generated security password: %s%n%nThis generated password is for development use only. " + "Your security configuration must be updated before running your application in " + "production.%n",
+ user.getPassword()));
 }
 if (encoder != null || PASSWORD_ALGORITHM_PATTERN.matcher(password).matches()) {
 return password;
diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/security.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/security.adoc
index f7d372e261dc..668b345754a7 100644
--- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/security.adoc
+++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/security.adoc
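Review bot: The new `logger.warn` call still writes the generated password in cleartext, and WARN-level output is more likely than the INFO line it replaces to be retained and forwarded by log aggregation and alerting pipelines, so the intent deserves a comment above the call, e.g. `// Intentionally logs the cleartext password: the log is how a developer discovers a password that was generated rather than configured.` The format arguments also call `user.getPassword()` a second time even though the same value was captured in `password` two lines earlier; passing `password` makes it explicit that the logged value is the one returned below. The body of getOrDeducePassword continues past the end of the hunk.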
@@ -6,14 +6,16 @@ To add method-level security to a web application, you can also add `@EnableGlob
 Additional information can be found in the {spring-security-docs}#jc-method[Spring Security Reference Guide].
 The default `UserDetailsService` has a single user.
-The user name is `user`, and the password is random and is printed at INFO level when the application starts, as shown in the following example:
+The user name is `user`, and the password is random and is printed at WARN level when the application starts, as shown in the following example:
 [indent=0]
 ----
 Using generated security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
+
+ This generated password is for development use only. Your security configuration must be updated before running your application in production.
 ----
-NOTE: If you fine-tune your logging configuration, ensure that the `org.springframework.boot.autoconfigure.security` category is set to log `INFO`-level messages.
+NOTE: If you fine-tune your logging configuration, ensure that the `org.springframework.boot.autoconfigure.security` category is set to log `WARN`-level messages.
 Otherwise, the default password is not printed.
 You can change the username and password by providing a `spring.security.user.name` and `spring.security.user.password`.