I created a spring security setup with a custom filter. It does not use a UserDetailsSevice, so I did not create one. The authentication works as intended, but I still get the auto-generated password in the logs. I solved this by declaring an emptyUserDetailsSevice, but I wonder, is spring security still trying to find a username in the requests and authenticate them using the UserDetailsSevice, or was the default password generated by the default UserDetailsSevice, but used by noone? Is there a proper way to disable these? Can I get rid of default password generation without declaring my own UserDetailsSevice?
Here is my conf:
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {
private final JwtAuthenticationFilter jwtAuthenticationFilter;
private final JwtAuthenticationEntryPoint unauthorizedHandler;
@Bean
public InMemoryUserDetailsManager userDetailsService(PasswordEncoder passwordEncoder) {
// We overwrite the default user detail service so it does not generate default user and password
return new InMemoryUserDetailsManager();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(10);
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.csrf(AbstractHttpConfigurer::disable);
http.cors(AbstractHttpConfigurer::disable);
http.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
http.exceptionHandling(exception -> exception
.authenticationEntryPoint(unauthorizedHandler));
http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
http.authorizeHttpRequests(authorize -> authorize
.requestMatchers(HttpMethod.OPTIONS).permitAll()
.requestMatchers("/api/auth/**").permitAll()
.requestMatchers("/error").permitAll()
.requestMatchers("/api/public/**").permitAll()
.anyRequest().authenticated());
return http.build();
}
}
We did that with:
@SpringBootApplication(exclude={UserDetailsServiceAutoConfiguration.class})