Remove Using default security password on Spring Boot

Question

I added one custom Security Config in my application on Spring Boot  but the message about  Using default security password  is still there in LOG file   Is there any to remove it  I do not need this default password  It seems Spring Boot is not recognizing my security policy    Configuration  EnableWebSecurity public class CustomSecurityConfig extends WebSecurityConfigurerAdapter        private final String uri     custom           Override     public void configure final HttpSecurity http  throws Exception           http csrf   disable            http headers   httpStrictTransportSecurity   disable            http sessionManagement   sessionCreationPolicy SessionCreationPolicy STATELESS               Authorize sub-folders permissions         http antMatcher uri  authorizeRequests   anyRequest   permitAll

User · Answer

If you are declaring your configs in a separate package, make sure you add component scan like this :

@SpringBootApplication
@ComponentScan("com.mycompany.MY_OTHER_PACKAGE.account.config")

    public class MyApplication {

        public static void main(String[] args) {
            SpringApplication.run(MyApplication.class, args);
        }



    }

You may also need to add @component annotation in the config class like so :

  @Component
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()

.....

Also clear browser cache and run spring boot app in incognito mode

User · Answer

To remove default user you need to configure authentication menager with no users for example    configuration class WebSecurityConfig extends WebSecurityConfigurerAdapter         Override     protected void configure AuthenticationManagerBuilder auth  throws Exception           auth inMemoryAuthentication              this will remove default password message and default user because in that case you are configuring InMemoryAuthentication and you will not specify any user in next steps

User · Answer

You only need to exclude UserDetailsServiceAutoConfiguration  spring    autoconfigure      exclude  org springframework boot autoconfigure security servlet UserDetailsServiceAutoConfiguration

User · Answer

If you are using Spring Boot version    2 0 try setting this bean in your configuration    Bean public SecurityWebFilterChain springSecurityFilterChain ServerHttpSecurity http        http authorizeExchange   anyExchange   permitAll        return http build        Reference  https   stackoverflow com a 47292134 1195507

User · Answer

In a Spring Boot 2 application you can either exclude the service configuration from autoconfiguration  spring autoconfigure exclude org springframework boot autoconfigure security servlet UserDetailsServiceAutoConfiguration  or if you just want to hide the message in the logs you can simply change the log level  logging level org springframework boot autoconfigure security WARN  Further information can be found here  https   docs spring io spring-boot docs 2 0 x reference html boot-features-security html

User · Answer

For Reactive Stack  Spring Webflux  Netty  you either need to exclude ReactiveUserDetailsServiceAutoConfiguration class   SpringBootApplication exclude    ReactiveUserDetailsServiceAutoConfiguration class     Or define ReactiveAuthenticationManager bean  there are different implementations  here is the JWT one example    Bean public ReactiveJwtDecoder jwtDecoder         return new NimbusReactiveJwtDecoder keySourceUrl      Bean public ReactiveAuthenticationManager authenticationManager         return new JwtReactiveAuthenticationManager jwtDecoder

User · Answer

I found out a solution about excluding SecurityAutoConfiguration class   Example    SpringBootApplication exclude    SecurityAutoConfiguration class    public class ReportApplication        public static void main String   args  throws Exception           SpringApplication run MyApplication class  args

User · Answer

When spring boot is used we should exclude the SecurityAutoConfiguration class both in application class and  where exactly you are configuring the security like below   Then only we can avoid the default security password   import org springframework boot SpringApplication  import org springframework boot autoconfigure SpringBootApplication  import org springframework boot autoconfigure security SecurityAutoConfiguration  import org springframework data jpa repository config EnableJpaRepositories  import org springframework security oauth2 config annotation web configuration EnableResourceServer    SpringBootApplication exclude    SecurityAutoConfiguration class     EnableJpaRepositories  EnableResourceServer public class Application        public static void main String   args            SpringApplication run Application class  args               import org springframework boot autoconfigure EnableAutoConfiguration  import org springframework context annotation Configuration  import org springframework security config annotation web builders HttpSecurity  import org springframework security config annotation web configuration EnableWebSecurity  import org springframework security config annotation web configuration WebSecurityConfigurerAdapter        Configuration      EnableWebSecurity      EnableAutoConfiguration exclude                  org springframework boot autoconfigure security SecurityAutoConfiguration class                 public class SecurityConfiguration extends WebSecurityConfigurerAdapter             Override         protected void configure HttpSecurity httpSecurity  throws Exception               httpSecurity authorizeRequests   anyRequest   authenticated                httpSecurity headers   cacheControl

User · Answer

It didn t work for me when I excluded SecurityAutoConfiguration using  SpringBootApplication annotation  but did work when I excluded it in  EnableAutoConfiguration    EnableAutoConfiguration exclude     SecurityAutoConfiguration class

User · Answer

Adding following in application properties worked for me   security basic enabled false   Remember to restart the application and check in the console

User · Answer

Look up  http   docs spring io spring-boot docs current reference html boot-features-security html  From AuthenticationManagerConfiguration java looking at code  I see below  Also the in-memory configuration is a fallback if no authentication manager is provided as per Javadoc  Your earlier attempt of Injecting the Authentication Manager would work because you will no longer be using the In-memory authentication and this class will be out of picture    Override     public void configure AuthenticationManagerBuilder auth  throws Exception           if  auth isConfigured                  return                    User user   this securityProperties getUser            if  user isDefaultPassword                  logger info   n nUsing default security password      user getPassword                           n                      Set lt String gt  roles   new LinkedHashSet lt String gt  user getRole             withUser user getName    password user getPassword    roles                  roles toArray new String roles size               setField auth   defaultUserDetailsService   getUserDetailsService             super configure auth           If you use inmemory authentication which is default  customize your logger configuration for org springframework boot autoconfigure security AuthenticationManagerConfiguration and remove this message

User · Answer

Although it works  the current solution is a little overkill as noted in some comments  So here is an alternative that works for me  using the latest Spring Boot  1 4 3    The default security password is configured inside Spring Boot s AuthenticationManagerConfiguration class  This class has a conditional annotation to prevent from loading if a AuthenticationManager Bean is already defined   The folllowing code works to prevent execution of the code inside AuthenticationManagerConfiguration because we define our current  AuthenticationManager as a bean    Configuration  EnableWebSecurity public class MyCustomSecurityConfig extends WebSecurityConfigurerAdapter           Override protected void configure AuthenticationManagerBuilder authManager  throws Exception          This is the code you usually have to configure your authentication manager         This configuration will be used by authenticationManagerBean   below      Bean public AuthenticationManager authenticationManagerBean   throws Exception          ALTHOUGH THIS SEEMS LIKE USELESS CODE         IT S REQUIRED TO PREVENT SPRING BOOT AUTO-CONFIGURATION     return super authenticationManagerBean

User · Answer

If you have enabled actuator feature  spring-boot-starter-actuator   additional exclude should be added in application yml  spring    autoconfigure      exclude  org springframework boot autoconfigure security servlet SecurityAutoConfiguration org springframework boot actuate autoconfigure security servlet ManagementWebSecurityAutoConfiguration  Tested in Spring Boot version 2 3 4 RELEASE

User · Answer

I came across the same problem and adding this line to my application properties solved the issue   spring autoconfigure exclude org springframework boot autoconfigure security servlet UserDetailsServiceAutoConfiguration   It s one of the Spring s Automatic stuffs which you exclude it like excluding other stuffs such as actuators  I recommend looking at this link

User · Answer

It is also possible to just turn off logging for that specific class in properties     logging level org springframework boot autoconfigure security AuthenticationManagerConfiguration WARN

User · Answer

On spring boot 2 with webflux you need to define a ReactiveAuthenticationManager

User · Answer

Using Spring Boot 2 0 4 I came across the same issue   Excluding SecurityAutoConfiguration class did destroy my application   Now I m using  SpringBootApplication exclude   UserDetailsServiceAutoConfiguration class    Works fine with  EnableResourceServer and JWT

User · Answer

Just use the rows below   spring security user name XXX spring security user password XXX   to set the default security user name and password at your application properties  name might differ  within the context of the Spring Application   To avoid default configuration  as a part of autoconfiguration of the SpringBoot  at all - use the approach mentioned in Answers earlier    SpringBootApplication exclude    SecurityAutoConfiguration class      or   EnableAutoConfiguration exclude     SecurityAutoConfiguration class

User · Answer

Check documentation for org springframework boot autoconfigure security servlet UserDetailsServiceAutoConfiguration there are conditions when autoconfig will be halt   In my case I forgot to define my custom AuthenticationProvider as bean    Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter         Override     protected void configure AuthenticationManagerBuilder auth  throws Exception           auth authenticationProvider getAuthenticationProvider                 Bean     AuthenticationProvider getAuthenticationProvider             return new CustomAuthenticationProvider adminService  onlyCorporateEmail

[java] Remove "Using default security password" on Spring Boot

Examples related to java

Examples related to spring

Examples related to spring-boot

Examples related to spring-security