From a330cb9b8a80fb40c3fb352cd8a78d37b562ebb9 Mon Sep 17 00:00:00 2001 From: Stephane Nicoll Date: Mon, 5 May 2014 11:12:27 +0200 Subject: [PATCH] Improve remote shell security documentation Previous to this commit, the remote shell security configuration described that a default password will be generated with no extra configuration. Actually, when Spring Security is configured for the application, the remote shell reuses that configuration by default. It turns out that the default log message is confusing as it was referring to "application endpoints". Updated that log to a more generic log message and updated doc accordingly. Fixes gh-779 --- .../AuthenticationManagerConfiguration.java | 2 +- .../main/asciidoc/production-ready-features.adoc | 8 +++++--- .../src/main/asciidoc/spring-boot-features.adoc | 13 ++++++++++--- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java index 862af6ec5b6..ce13fdd677a 100644 --- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java @@ -128,7 +128,7 @@ public class AuthenticationManagerConfiguration extends User user = AuthenticationManagerConfiguration.this.security.getUser(); if (user.isDefaultPassword()) { - logger.info("\n\nUsing default password for application endpoints: " + logger.info("\n\nUsing default security password: " + user.getPassword() + "\n\n"); } diff --git a/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc b/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc index 7aa57663f5c..d29a8ccf306 100644 
--- a/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc +++ b/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc @@ -256,9 +256,9 @@ protected. By default ``basic'' authentication will be used with the username `u and a generated password (which is printed on the console when the application starts). TIP: Generated passwords are logged as the application starts. Search for ``Using default -password for application endpoints''. +security password''. -You can use Spring properties to change the username and passsword and to change the +You can use Spring properties to change the username and password and to change the security role required to access the endpoints. For example, you might set the following in your `application.properties`: @@ -453,7 +453,9 @@ on `org.crsh:crsh.shell.telnet`. === Connecting to the remote shell By default the remote shell will listen for connections on port `2000`. The default user is `user` and the default password will be randomly generated and displayed in the log -output, you should see a message like this: +output. If your application is using Spring Security, the shell will use +<> by default. If not, a simple +authentication will be applied and you should see a message like this: [indent=0] ---- diff --git a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc index d030ba92f7c..8e51ea5522b 100644 --- a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc +++ b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc 
@@ -1089,9 +1089,16 @@ Additional information can be found in the {spring-security-reference}#jc-method Security Reference]. The default `AuthenticationManager` has a single user (``user'' username and random -password, printed at INFO level when the application starts up). You can change the -password by providing a `security.user.password`. This and other useful properties are -externalized via {sc-spring-boot-autoconfigure}/security/SecurityProperties.{sc-ext}[`SecurityProperties`] +password, printed at INFO level when the application starts up) + +[indent=0] +---- + Using default security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35 +---- + +You can change the password by providing a `security.user.password`. This and other +useful properties are externalized via +{sc-spring-boot-autoconfigure}/security/SecurityProperties.{sc-ext}[`SecurityProperties`] (properties prefix "security"). The default security configuration is implemented in `SecurityAutoConfiguration` and in
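
Review bot: In the AuthenticationManagerConfiguration.java hunk, the reworded call `logger.info("\n\nUsing default security password: " + user.getPassword() + "\n\n")` still writes the generated credential in clear text at INFO level, so it reaches every sink the application log is shipped to. Since the message is now meant to be generic rather than endpoint-specific, consider having it say that this is a generated default and name `security.user.password` as the property that replaces it, so whoever reads the log knows how to override it.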
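
Review bot: In the "Connecting to the remote shell" hunk of production-ready-features.adoc (@@ -453), the retained sentence "the default password will be randomly generated and displayed in the log output." still reads as unconditional, while the added lines say this only happens when the application is not using Spring Security. Move the generated-password statement into the "If not" branch so the two sentences do not contradict each other. The cross-reference in "the shell will use <> by default" also shows no target or link text in the lines visible here, so confirm it resolves when the document is rendered.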
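
Review bot: In the spring-boot-features.adoc hunk, the added line "password, printed at INFO level when the application starts up)" now ends at the closing parenthesis with no punctuation before the listing block. End it with a colon so the listing reads as the example of that message, and consider saying in the text that the value shown after "Using default security password:" is a sample, since the real one is random on each start.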