Earlier, we had to override the configure method from WebSecurityConfigurerAdapter:

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService)
            .passwordEncoder(NoOpPasswordEncoder.getInstance());
    }

But now, in my case, after I initialized an empty Spring Boot project with Spring Security, I've noticed that it is enough to just make a class which implements UserDetailsService, mark it as @Service, and define a PasswordEncoder bean to start the default Spring Security login page, and it will work fine. I don't even have any configuration files for Spring Security.
CodePudding user response:
I've noticed that it is enough to just make a class which implements UserDetailsService, mark it as @Service, and define a PasswordEncoder bean to start the default Spring Security login page, and it will work fine.
That's a correct observation. Spring Security has moved to Component-based configuration since it's more flexible. In the absence of WebSecurityConfigurerAdapter, configure() methods are not useful anymore.
All you need is to register implementations of both UserDetailsService and PasswordEncoder as Beans in the Context, either by defining methods annotated with @Bean or by defining them as separate classes annotated with stereotype annotations (it's unlikely that you would use the latter option for PasswordEncoder, but it's doable).
When these Beans are discovered at application start-up, they replace the default ones shipped by Spring Security, and the AuthenticationProvider responsible for the HTTP Basic authentication flow uses the UserDetailsService and PasswordEncoder you've specified.
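
The component-based setup described in the answer above, as an added example that is not part of the original question or answer. It registers both beans with @Bean methods and swaps the question's NoOpPasswordEncoder for Spring Security's delegating encoder, so stored passwords are hashed rather than kept in plain text. The class name, the demo account and its password are constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityBeansConfig { // hypothetical class name

    // Delegating encoder: new hashes are stored as "{bcrypt}..." and the
    // prefix selects the algorithm on verification, so the scheme can be
    // upgraded later without invalidating existing hashes.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Picked up automatically at start-up; no configure() override needed.
    // Constructed in-memory demo account; an application with real users
    // would return its own UserDetailsService implementation here.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("demo-user")
                .password(encoder.encode("change-me-demo-only"))
                .roles("USER")
                .build());
    }

    // Optional: the two beans above are enough for the default login page.
    // Declaring a filter chain makes the access rules explicit instead of
    // relying on the auto-configured defaults.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```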