Document Upgrading Password Encoding
Closes gh-17112 Signed-off-by: Mark Putsiata <m.putsiata@gmail.com>
This commit is contained in:
Mark Putsiata
parent
e30dc42d1e
commit
465e13ae3d
|
|
@ -689,3 +689,54 @@ class CompromisedPasswordAuthenticationFailureHandler : AuthenticationFailureHan
|
|||
}
|
||||
----
|
||||
======
|
||||
|
||||
[[authentication-upgrading-password-encoding]]
|
||||
== Upgrading Password Encoding
|
||||
|
||||
Spring Security can automatically upgrade existing password encodings without asking users to reset their passwords. It uses the `PasswordEncoder.upgradeEncoding(String)` method to determine whether a stored password should be re-encoded for improved security.
|
||||
|
||||
If `PasswordEncoder.upgradeEncoding(String)` indicates an update is needed and a `UserDetailsPasswordService` bean is available, the framework will rehash the password immediately after a successful login. The raw password submitted at login is passed to `PasswordEncoder` to produce a stronger encoding. The `UserDetailsPasswordService` saves the newly encoded password in the user store (e.g., database or LDAP) and returns the updated `UserDetails`.
|
||||
|
||||
To enable this behavior, simply define a `UserDetailsPasswordService` bean. You can always provide your own `UserDetailsPasswordService` implementation tailored to your persistent user store.
|
||||
|
||||
For example, if you are using a `UserDetailsManager`, you can write:
|
||||
|
||||
.Using UserDetailsPasswordService with UserDetailsManager
|
||||
[tabs]
|
||||
======
|
||||
Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
UserDetailsPasswordService userDetailsPasswordService(UserDetailsManager userDetailsManager) {
|
||||
return (user, newPassword) -> {
|
||||
UserDetails updated = User.withUserDetails(user)
|
||||
.password(newPassword)
|
||||
.build();
|
||||
userDetailsManager.updateUser(updated);
|
||||
return updated;
|
||||
};
|
||||
}
|
||||
----
|
||||
|
||||
Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
open fun userDetailsPasswordService(userDetailsManager: UserDetailsManager): UserDetailsPasswordService {
|
||||
return UserDetailsPasswordService { user, newPassword ->
|
||||
val updated = User.withUserDetails(user)
|
||||
.password(newPassword)
|
||||
.build()
|
||||
userDetailsManager.updateUser(updated)
|
||||
updated
|
||||
}
|
||||
}
|
||||
----
|
||||
======
|
||||
|
||||
When using xref:servlet/authentication/passwords/jdbc.adoc#servlet-authentication-jdbc-bean[JdbcUserDetailsManager], you do not need to register a separate `UserDetailsPasswordService` bean, since `JdbcUserDetailsManager` already implements that interface. You simply enable the upgrade mechanism by calling `JdbcUserDetailsManager.setEnableUpdatePassword(true)`.
|
||||
|
||||
This approach lets you migrate from weaker hashes to stronger algorithms (like <<authentication-password-storage-bcrypt,bcrypt>>) without impacting your users. Passwords are re-encoded only after successful authentication, enabling a gradual, transparent migration for your application.
|
||||
|
|
|
|||
Loading…
Reference in New Issue