Spring Security - Basic auth

Hello,

I am trying to learn spring security and just created an API with basic auth. Is there any way to not hardcode the password within the app?

Thanks,
Raja

Hi Raja,
You can encode the password in a database. Here is an example : https://www.baeldung.com/spring-security-registration-password-encoding-bcrypt

Hi, Raja,
You may also find this tutorial helpful :https://www.kindsonthegenius.com/2019/07/14/spring-security-tutorial-storing-user-credential-in-mysql-database/

Himai Minh wrote:Hi Raja,
You can encode the password in a database. Here is an example : https://www.baeldung.com/spring-security-registration-password-encoding-bcrypt

Hello Himai,

If I don't have a DB, then is it just done by hardcoding like this?
   authenticationManagerBuilder        .inMemoryAuthentication()        .withUser("user")        .password("{noop}password")        .roles("USER");

Hi ,
You may want to add an encoder to encode the password:
import org.springframework.security.crypto.factory.PasswordEncoderFactories; import org.springframework.security.crypto.password.PasswordEncoder; @Override    protected void configure(AuthenticationManagerBuilder auth) throws Exception {        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();        auth.inMemoryAuthentication()                .withUser("user")                .password(encoder.encode("myPassword"))                .roles("USER")

Himai Minh wrote:Hi ,
You may want to add an encoder to encode the password:
import org.springframework.security.crypto.factory.PasswordEncoderFactories; import org.springframework.security.crypto.password.PasswordEncoder; @Override    protected void configure(AuthenticationManagerBuilder auth) throws Exception {        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();        auth.inMemoryAuthentication()                .withUser("user")                .password(encoder.encode("myPassword"))                .roles("USER")

Sure, thank you but the "myPassword" above will be the actual password in plain text, correct?

You can read users and their passwords from a property file. I don't know if there's already support for that, otherwise just read the file and call that .password method for each entry.

We can put username and password in a properties file and use @Value to inject them.
Here are examples:
https://www.baeldung.com/properties-with-spring
https://stackoverflow.com/questions/54477000/can-i-load-username-and-password-by-file-in-spring-boot-hibernate

When you're using Spring Security in web applications, I'm fairly sure that it can tie in with the JEE standard security framework (container-managed authentication and authorization).

When you use container security, both the mechanism for authentication and authorization (Realm) and the database used by the Realm are externally-configurable options built into the web application server, not the application. In a case like that, Spring Security would simply invoke the container security API when it could and handle the finer points itself.