Using generated security password Spring Boot Security

The log message “Using generated security password:” appears at startup of a Spring Boot application. It is produced by the default security configuration. It can be disabled, removed or customized through configuration.

If the Spring Boot security dependency is added to pom.xml, authentication is enabled for the application by default. At startup the application logs a generated password, as shown below.

2020-01-30 17:48:49.753  INFO 73579 --- [           main] o.s.s.concurrent.ThreadPoolTaskExecutor  : Initializing ExecutorService 'applicationTaskExecutor'
2020-01-30 17:48:49.898  INFO 73579 --- [           main] .s.s.UserDetailsServiceAutoConfiguration : 

Using generated security password: c581c5eb-8905-4461-9c70-ebb09e3a6950

2020-01-30 17:48:49.960  INFO 73579 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4912d525, org.springframework.security.web.context.SecurityContextPersistenceFilter@7f02251, org.springframework.security.web.header.HeaderWriterFilter@6d4a65c6, org.springframework.security.web.csrf.CsrfFilter@426e505c, org.springframework.security.web.authentication.logout.LogoutFilter@25d3cfc8, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@4a55a6e8, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@383790cf, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@2bfbffb2, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7aad3f7d, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@4d8126f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@3a4ba480, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@765df79d, org.springframework.security.web.session.SessionManagementFilter@4c98a6d5, org.springframework.security.web.access.ExceptionTranslationFilter@6f952d6c, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@af78c87]
2020-01-30 17:48:50.021  INFO 73579 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8080 (http) with context path ''


Root Cause

The log “Using generated security password: c581c5eb-8905-4461-9c70-ebb09e3a6950” appears at startup because the security feature is enabled in your Spring Boot application. The Spring Boot security dependency “spring-boot-starter-security” has been added to the pom.xml file, and the default security configuration has not been configured or customized in the application.



How to reproduce this issue

In the spring boot application pom.xml file, add the spring boot security dependency, and restart the spring boot application. You can see the log message in the console at startup.

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>


Solution

What is the default username and password for Spring Boot security?

As specified in the Security section of the Spring Boot Reference documentation, the default username is “user” and the default password is the generated password displayed in the console log at startup.

The default AuthenticationManager has a single user (‘user’ username and random password, printed at INFO level when the application starts up)

Using default security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
username : user
password : <security password shown in console log>

How to change default username and password for spring boot security?

The default username and password can be changed in the application.properties file. Two pre-defined properties are available for this. When both are set, the generated default password is no longer displayed at startup.

spring.security.user.name = username
spring.security.user.password = password

How to disable default username and password for spring boot security?

There are two ways to stop Spring Boot security from showing the login page. The first method uses application.properties: a pre-defined property excludes the SecurityAutoConfiguration class from auto-configuration. With the class excluded, the default authentication is no longer applied to any request. The example below shows the configuration in the application.properties file.

spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration

The second method is to exclude the SecurityAutoConfiguration class in the Spring Boot application main class. The example below shows how to exclude the SecurityAutoConfiguration class in the main class.

package com.yawintutor;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;

@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
public class SpringBootSecuritySimpleApplication {
	public static void main(String[] args) {
		SpringApplication.run(SpringBootSecuritySimpleApplication.class, args);
	}
}

How to customize the default username and password for spring boot security?

The default username and password behavior can be customized by extending the WebSecurityConfigurerAdapter class. The step-by-step procedure to configure Spring Boot security is explained in another post.

package com.yawintutor;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SpringBootSecurityConfiguration extends WebSecurityConfigurerAdapter {

	@Override
	public void configure(AuthenticationManagerBuilder auth) throws Exception {
		// {noop} selects the no-op encoder: the password is stored and compared as plain text
		auth.inMemoryAuthentication()
			.withUser("user").password("{noop}password").roles("USER");
	}
}
