Make default username and password configurable

Closes gh-10963

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.autoconfigure.security;
 
-import java.util.UUID;
+import java.util.List;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -57,15 +57,19 @@ public class AuthenticationManagerConfiguration {
 			.getLog(AuthenticationManagerConfiguration.class);
 
 	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager(
+	public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties,
 			ObjectProvider<PasswordEncoder> passwordEncoder) throws Exception {
-		String password = UUID.randomUUID().toString();
-		logger.info(String.format("%n%nUsing default security password: %s%n", password));
+		SecurityProperties.User user = properties.getUser();
+		if (user.isPasswordGenerated()) {
+			logger.info(String.format("%n%nUsing generated security password: %s%n", user.getPassword()));
+		}
 		String encodedPassword = passwordEncoder
 				.getIfAvailable(PasswordEncoderFactories::createDelegatingPasswordEncoder)
-				.encode(password);
+				.encode(user.getPassword());
+		List<String> roles = user.getRoles();
 		return new InMemoryUserDetailsManager(
-				User.withUsername("user").password(encodedPassword).roles().build());
+				User.withUsername(user.getName()).password(encodedPassword)
+						.roles(roles.toArray(new String[roles.size()])).build());
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java

@@ -16,20 +16,25 @@
 
 package org.springframework.boot.autoconfigure.security;
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
+import java.util.UUID;
 
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.web.servlet.DispatcherType;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.core.Ordered;
+import org.springframework.util.StringUtils;
 
 /**
  * Configuration properties for Spring Security.
  *
  * @author Dave Syer
  * @author Andy Wilkinson
+ * @author Madhura Bhave
  */
 @ConfigurationProperties(prefix = "spring.security")
 public class SecurityProperties implements SecurityPrerequisite {
@@ -58,6 +63,12 @@ public class SecurityProperties implements SecurityPrerequisite {
 
 	private final Filter filter = new Filter();
 
+	private User user = new User();
+
+	public User getUser() {
+		return this.user;
+	}
+
 	public Filter getFilter() {
 		return this.filter;
 	}
@@ -93,4 +104,56 @@ public class SecurityProperties implements SecurityPrerequisite {
 
 	}
 
+	public static class User {
+
+		/**
+		 * Default user name.
+		 */
+		private String name = "user";
+
+		/**
+		 * Password for the default user name.
+		 */
+		private String password = UUID.randomUUID().toString();
+
+		/**
+		 * Granted roles for the default user name.
+		 */
+		private List<String> roles = new ArrayList<>();
+
+		private boolean passwordGenerated = true;
+
+		public String getName() {
+			return this.name;
+		}
+
+		public void setName(String name) {
+			this.name = name;
+		}
+
+		public String getPassword() {
+			return this.password;
+		}
+
+		public void setPassword(String password) {
+			if (!StringUtils.hasLength(password)) {
+				return;
+			}
+			this.passwordGenerated = false;
+			this.password = password;
+		}
+
+		public List<String> getRoles() {
+			return this.roles;
+		}
+
+		public void setRoles(List<String> roles) {
+			this.roles = new ArrayList<>(roles);
+		}
+
+		public boolean isPasswordGenerated() {
+			return this.passwordGenerated;
+		}
+	}
+
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/reactive/ReactiveAuthenticationManagerConfiguration.java

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.autoconfigure.security.reactive;
 
-import java.util.UUID;
+import java.util.List;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -25,6 +25,7 @@ import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
@@ -54,20 +55,24 @@ class ReactiveAuthenticationManagerConfiguration {
 			.getLog(ReactiveAuthenticationManagerConfiguration.class);
 
 	@Bean
-	public MapReactiveUserDetailsService reactiveUserDetailsService(
+	public MapReactiveUserDetailsService reactiveUserDetailsService(SecurityProperties properties,
 			ObjectProvider<PasswordEncoder> passwordEncoder) {
-		String password = UUID.randomUUID().toString();
-		logger.info(String.format("%n%nUsing default security password: %s%n", password));
-		UserDetails userDetails = getUserDetails(password, passwordEncoder);
+		SecurityProperties.User user = properties.getUser();
+		if (user.isPasswordGenerated()) {
+			logger.info(String.format("%n%nUsing default security password: %s%n", user.getPassword()));
+		}
+		UserDetails userDetails = getUserDetails(user, passwordEncoder);
 		return new MapReactiveUserDetailsService(userDetails);
 	}
 
-	private UserDetails getUserDetails(String password,
+	private UserDetails getUserDetails(SecurityProperties.User user,
 			ObjectProvider<PasswordEncoder> passwordEncoder) {
 		String encodedPassword = passwordEncoder
 				.getIfAvailable(PasswordEncoderFactories::createDelegatingPasswordEncoder)
-				.encode(password);
-		return User.withUsername("user").password(encodedPassword).roles().build();
+				.encode(user.getPassword());
+		List<String> roles = user.getRoles();
+		return User.withUsername(user.getName()).password(encodedPassword)
+				.roles(roles.toArray(new String[roles.size()])).build();
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/reactive/ReactiveSecurityAutoConfiguration.java

@@ -18,6 +18,8 @@ package org.springframework.boot.autoconfigure.security.reactive;
 
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.security.SecurityProperties;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
@@ -35,6 +37,7 @@ import org.springframework.security.web.reactive.result.method.annotation.Authen
 @Configuration
 @ConditionalOnClass({ EnableWebFluxSecurity.class,
 		AuthenticationPrincipalArgumentResolver.class })
+@EnableConfigurationProperties(SecurityProperties.class)
 @Import({ WebFluxSecurityConfiguration.class,
 		ReactiveAuthenticationManagerConfiguration.class })
 public class ReactiveSecurityAutoConfiguration {

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java

@@ -150,7 +150,7 @@ public class SecurityAutoConfigurationTests {
 		this.context.refresh();
 		UserDetailsService manager = this.context.getBean(UserDetailsService.class);
 		assertThat(this.outputCapture.toString())
-				.contains("Using default security password:");
+				.contains("Using generated security password:");
 		assertThat(manager.loadUserByUsername("user")).isNotNull();
 	}
 
@@ -167,7 +167,7 @@ public class SecurityAutoConfigurationTests {
 		assertThat(manager).isEqualTo(this.context.getBean(
 				TestAuthenticationManagerConfiguration.class).authenticationManager);
 		assertThat(this.outputCapture.toString())
-				.doesNotContain("Using default security password: ");
+				.doesNotContain("Using generated security password: ");
 		TestingAuthenticationToken token = new TestingAuthenticationToken("foo", "bar");
 		assertThat(manager.authenticate(token)).isNotNull();
 	}

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityFilterAutoConfigurationEarlyInitializationTests.java

@@ -66,7 +66,7 @@ public class SecurityFilterAutoConfigurationEarlyInitializationTests {
 			context.refresh();
 			int port = context.getWebServer().getPort();
 			String password = this.outputCapture.toString()
-					.split("Using default security password: ")[1].split("\n")[0].trim();
+					.split("Using generated security password: ")[1].split("\n")[0].trim();
 			new TestRestTemplate("user", password)
 					.getForEntity("http://localhost:" + port, Object.class);
 			// If early initialization occurred a ConverterNotFoundException is thrown

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityPropertiesTests.java

@@ -16,13 +16,11 @@
 
 package org.springframework.boot.autoconfigure.security;
 
-import java.util.Collections;
-
+import org.junit.Before;
 import org.junit.Test;
 
 import org.springframework.boot.context.properties.bind.Bindable;
 import org.springframework.boot.context.properties.bind.Binder;
-import org.springframework.boot.context.properties.source.ConfigurationPropertySource;
 import org.springframework.boot.context.properties.source.MapConfigurationPropertySource;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -31,23 +29,55 @@ import static org.assertj.core.api.Assertions.assertThat;
  * Tests for {@link SecurityProperties}.
  *
  * @author Dave Syer
+ * @author Madhura Bhave
  */
 public class SecurityPropertiesTests {
 
 	private SecurityProperties security = new SecurityProperties();
 
+	private Binder binder;
+
+	private MapConfigurationPropertySource source = new MapConfigurationPropertySource();
+
+	@Before
+	public void setUp() throws Exception {
+		this.binder = new Binder(this.source);
+	}
+
 	@Test
-	public void testBinding() {
-		bind("spring.security.filter.order", "55");
+	public void filterOrderShouldBind() {
+		this.source.put("spring.security.filter.order", "55");
+		this.binder.bind("spring.security", Bindable.ofInstance(this.security));
 		assertThat(this.security.getFilter().getOrder()).isEqualTo(55);
 	}
 
-	private void bind(String name, String value) {
-		bind(new MapConfigurationPropertySource(Collections.singletonMap(name, value)));
+	@Test
+	public void userWhenNotConfiguredShouldUseDefaultNameAndGeneratedPassword() throws Exception {
+		SecurityProperties.User user = this.security.getUser();
+		assertThat(user.getName()).isEqualTo("user");
+		assertThat(user.getPassword()).isNotNull();
+		assertThat(user.isPasswordGenerated()).isTrue();
+		assertThat(user.getRoles()).isEmpty();
 	}
 
-	private void bind(ConfigurationPropertySource source) {
-		new Binder(source).bind("spring.security", Bindable.ofInstance(this.security));
+	@Test
+	public void userShouldBindProperly() throws Exception {
+		this.source.put("spring.security.user.name", "foo");
+		this.source.put("spring.security.user.password", "password");
+		this.source.put("spring.security.user.roles", "ADMIN,USER");
+		this.binder.bind("spring.security", Bindable.ofInstance(this.security));
+		SecurityProperties.User user = this.security.getUser();
+		assertThat(user.getName()).isEqualTo("foo");
+		assertThat(user.getPassword()).isEqualTo("password");
+		assertThat(user.isPasswordGenerated()).isFalse();
+		assertThat(user.getRoles()).containsExactly("ADMIN", "USER");
+	}
+
+	@Test
+	public void passwordAutogeneratedIfEmpty() {
+		this.source.put("spring.security.user.password", "");
+		this.binder.bind("spring.security", Bindable.ofInstance(this.security));
+		assertThat(this.security.getUser().isPasswordGenerated()).isTrue();
 	}
 
 }

spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc

@@ -2852,13 +2852,16 @@ the following example:
 
 [indent=0]
 ----
-	Using default security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
+	Using generated security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
 ----
 
 NOTE: If you fine-tune your logging configuration, ensure that the
 `org.springframework.boot.autoconfigure.security` category is set to log `INFO`-level
 messages. Otherwise, the default password is not printed.
 
+You can change the username and password by providing a `spring.security.user.name` and
+`spring.security.user.password`.
+
 The default security configuration is implemented in `SecurityAutoConfiguration` and in
 the classes imported from there (`SpringBootWebSecurityConfiguration` for web security
 and `AuthenticationManagerConfiguration` for authentication configuration, which is also
@@ -2874,7 +2877,7 @@ Boot samples] to get you started with common use cases.
 The basic features you get by default in a web application are:
 
 * A `UserDetailsService` bean with in-memory store and a single user with a generated
-  password.
+  password (see `SecurityProperties.User` for the properties of the user).
 * Form-based login or HTTP Basic security (depending on Content-Type) for the entire
   application (including actuator endpoints if actuator is on the classpath).
 

spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/security/SecurityTestApplication.java

@@ -18,10 +18,7 @@ package org.springframework.boot.test.autoconfigure.security;
 
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.test.autoconfigure.web.servlet.MockMvcSecurityAutoConfiguration;
-import org.springframework.context.annotation.Bean;
 import org.springframework.security.access.annotation.Secured;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -33,12 +30,6 @@ import org.springframework.web.bind.annotation.RestController;
 @SpringBootApplication
 public class SecurityTestApplication {
 
-	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
-		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
-				.username("user").password("secret").roles("USER").build());
-	}
-
 	@RestController
 	static class MyController {
 

spring-boot-project/spring-boot-test-autoconfigure/src/test/resources/application.properties

+spring.security.user.name=user
+spring.security.user.password=secret
+spring.security.user.roles=USER

spring-boot-samples/spring-boot-sample-actuator-log4j2/src/main/java/sample/actuator/log4j2/SampleActuatorLog4J2Application.java

@@ -18,19 +18,10 @@ package sample.actuator.log4j2;
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.context.annotation.Bean;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 @SpringBootApplication
 public class SampleActuatorLog4J2Application {
 
-	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
-		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
-				.username("user").password("password").roles("USER").build());
-	}
-
 	public static void main(String[] args) throws Exception {
 		SpringApplication.run(SampleActuatorLog4J2Application.class, args);
 	}

spring-boot-samples/spring-boot-sample-actuator-log4j2/src/main/resources/application.properties

+spring.security.user.name=user
+spring.security.user.password=password
 management.endpoint.shutdown.enabled=true
 management.endpoints.web.expose=*

spring-boot-samples/spring-boot-sample-actuator-ui/src/main/java/sample/actuator/ui/SampleActuatorUiApplication.java

@@ -21,9 +21,6 @@ import java.util.Map;
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.context.annotation.Bean;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -32,12 +29,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
 @Controller
 public class SampleActuatorUiApplication {
 
-	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
-		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
-				.username("user").password("password").roles("USER").build());
-	}
-
 	@GetMapping("/")
 	public String home(Map<String, Object> model) {
 		model.put("message", "Hello World");

spring-boot-samples/spring-boot-sample-actuator-ui/src/main/resources/application.properties

+spring.security.user.name=user
+spring.security.user.password=password
 management.health.diskspace.enabled=false
 management.endpoints.web.expose=*
 management.jolokia.enabled=true

spring-boot-samples/spring-boot-sample-actuator/src/main/java/sample/actuator/SampleActuatorApplication.java

@@ -22,8 +22,6 @@ import org.springframework.boot.actuate.health.HealthIndicator;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 @SpringBootApplication
 @EnableConfigurationProperties(ServiceProperties.class)
@@ -33,12 +31,6 @@ public class SampleActuatorApplication {
 		SpringApplication.run(SampleActuatorApplication.class, args);
 	}
 
-	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
-		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
-				.username("user").password("password").roles("USER").build());
-	}
-
 	@Bean
 	public HealthIndicator helloHealthIndicator() {
 		return new HealthIndicator() {

spring-boot-samples/spring-boot-sample-actuator/src/main/resources/application.properties

 service.name=Phil
 
+spring.security.user.name=user
+spring.security.user.password=password
+
 # logging.file=/tmp/logs/app.log
 # logging.level.org.springframework.security=DEBUG
 management.server.address=127.0.0.1

spring-boot-samples/spring-boot-sample-secure-webflux/src/main/java/sample/secure/webflux/SampleSecureWebFluxApplication.java

@@ -19,9 +19,6 @@ package sample.secure.webflux;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
-import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
-import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
-import org.springframework.security.core.userdetails.User;
 import org.springframework.web.reactive.function.server.RouterFunction;
 import org.springframework.web.reactive.function.server.ServerResponse;
 
@@ -40,10 +37,4 @@ public class SampleSecureWebFluxApplication {
 		return route(POST("/echo"), echoHandler::echo);
 	}
 
-	@Bean
-	public ReactiveUserDetailsService userDetailsService() {
-		return new MapReactiveUserDetailsService(User.withDefaultPasswordEncoder()
-				.username("foo").password("password").roles("USER").build());
-	}
-
 }

spring-boot-samples/spring-boot-sample-secure-webflux/src/main/resources/application.properties

+spring.security.user.name=user
+spring.security.user.password=password
\ No newline at end of file

spring-boot-samples/spring-boot-sample-secure-webflux/src/test/java/sample/secure/webflux/SampleSecureWebFluxApplicationTests.java

@@ -56,7 +56,7 @@ public class SampleSecureWebFluxApplicationTests {
 	public void userDefinedMappingsAccessibleOnLogin() {
 		this.webClient.get().uri("/").accept(MediaType.APPLICATION_JSON)
 				.header("Authorization", "basic " + getBasicAuth()).exchange()
-				.expectBody(String.class).isEqualTo("Hello foo");
+				.expectBody(String.class).isEqualTo("Hello user");
 	}
 
 	@Test
@@ -67,7 +67,7 @@ public class SampleSecureWebFluxApplicationTests {
 	}
 
 	private String getBasicAuth() {
-		return new String(Base64.getEncoder().encode(("foo:password").getBytes()));
+		return new String(Base64.getEncoder().encode(("user:password").getBytes()));
 	}
 
 }

spring-boot-samples/spring-boot-sample-secure/src/main/java/sample/secure/SampleSecureApplication.java

@@ -20,14 +20,11 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.CommandLineRunner;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
-import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 @EnableAutoConfiguration
 @ComponentScan
@@ -37,12 +34,6 @@ public class SampleSecureApplication implements CommandLineRunner {
 	@Autowired
 	private SampleService service;
 
-	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
-		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
-				.username("user").password("password").roles("USER").build());
-	}
-
 	@Override
 	public void run(String... args) throws Exception {
 		SecurityContextHolder.getContext()

spring-boot-samples/spring-boot-sample-secure/src/main/resources/application.properties

-# debug: true
\ No newline at end of file
+# debug: true
+spring.security.user.name=user
+spring.security.user.password=password
+spring.security.user.roles=USER
\ No newline at end of file

spring-boot-samples/spring-boot-sample-servlet/src/main/java/sample/servlet/SampleServletApplication.java

@@ -30,19 +30,11 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
 import org.springframework.context.annotation.Bean;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 @SpringBootConfiguration
 @EnableAutoConfiguration
 public class SampleServletApplication extends SpringBootServletInitializer {
 
-	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
-		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
-				.username("user").password("password").roles("USER").build());
-	}
-
 	@SuppressWarnings("serial")
 	@Bean
 	public Servlet dispatcherServlet() {

spring-boot-samples/spring-boot-sample-servlet/src/main/resources/application.properties

+spring.security.user.name=user
+spring.security.user.password=password
\ No newline at end of file

spring-boot-samples/spring-boot-sample-session-webflux/src/main/java/sample/session/SampleSessionWebFluxApplication.java

@@ -20,9 +20,6 @@ import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
-import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
-import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
-import org.springframework.security.core.userdetails.User;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
 
@@ -33,12 +30,6 @@ public class SampleSessionWebFluxApplication {
 		SpringApplication.run(SampleSessionWebFluxApplication.class);
 	}
 
-	@Bean
-	public ReactiveUserDetailsService userDetailsRepository() {
-		return new MapReactiveUserDetailsService(User.withDefaultPasswordEncoder()
-				.username("user").password("password").roles("USER").build());
-	}
-
 	@Bean
 	public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 		// @formatter:off

spring-boot-samples/spring-boot-sample-session-webflux/src/main/resources/application.properties

+spring.security.user.name=user
+spring.security.user.password=password
\ No newline at end of file

spring-boot-samples/spring-boot-sample-session/src/main/java/sample/session/SampleSessionApplication.java

@@ -18,9 +18,6 @@ package sample.session;
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.context.annotation.Bean;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 @SpringBootApplication
 public class SampleSessionApplication {
@@ -29,10 +26,4 @@ public class SampleSessionApplication {
 		SpringApplication.run(SampleSessionApplication.class);
 	}
 
-	@Bean
-	public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
-		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
-				.username("user").password("password").roles("USER").build());
-	}
-
 }

spring-boot-samples/spring-boot-sample-session/src/main/resources/application.properties

+spring.security.user.name=user
+spring.security.user.password=password
 management.endpoints.web.expose=*

spring-boot-samples/spring-boot-sample-web-secure-custom/src/main/java/sample/web/secure/custom/SampleWebSecureCustomApplication.java

@@ -21,12 +21,9 @@ import java.util.Map;
 
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
-import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -69,12 +66,6 @@ public class SampleWebSecureCustomApplication implements WebMvcConfigurer {
 					.failureUrl("/login?error").permitAll().and().logout().permitAll();
 		}
 
-		@Bean
-		public InMemoryUserDetailsManager InMemoryUserDetailsManager() {
-			return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
-					.username("user").password("user").roles("USER").build());
-		}
-
 	}
 
 }

spring-boot-samples/spring-boot-sample-web-secure-custom/src/main/resources/application.properties

 spring.thymeleaf.cache: false
-logging.level.org.springframework.security: INFO
\ No newline at end of file
+logging.level.org.springframework.security: INFO
+
+spring.security.user.name=user
+spring.security.user.password=password
\ No newline at end of file

spring-boot-samples/spring-boot-sample-web-secure-custom/src/test/java/sample/web/secure/custom/SampleWebSecureCustomApplicationTests.java

@@ -83,7 +83,7 @@ public class SampleWebSecureCustomApplicationTests {
 		headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
 		MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
 		form.set("username", "user");
-		form.set("password", "user");
+		form.set("password", "password");
 		ResponseEntity<String> entity = this.restTemplate.exchange("/login",
 				HttpMethod.POST, new HttpEntity<>(form, headers), String.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.FOUND);

spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/web/secure/SampleWebSecureApplication.java

@@ -22,12 +22,9 @@ import java.util.Map;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.security.StaticResourceRequest;
 import org.springframework.boot.builder.SpringApplicationBuilder;
-import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -76,15 +73,6 @@ public class SampleWebSecureApplication implements WebMvcConfigurer {
 			// @formatter:on
 		}
 
-		@Bean
-		public InMemoryUserDetailsManager InMemoryUserDetailsManager() {
-			return new InMemoryUserDetailsManager(
-					User.withDefaultPasswordEncoder().username("admin").password("admin")
-							.roles("ADMIN", "USER").build(),
-					User.withDefaultPasswordEncoder().username("user").password("user")
-							.roles("USER").build());
-		}
-
 	}
 
 }

spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/application.properties

 spring.thymeleaf.cache: false
 # demo only:
 logging.level.org.springframework.security: INFO
-logging.level.org.springframework.boot.actuate.audit.listener.AuditListener: DEBUG
\ No newline at end of file
+logging.level.org.springframework.boot.actuate.audit.listener.AuditListener: DEBUG
+
+spring.security.user.name=user
+spring.security.user.password=password
\ No newline at end of file

spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/web/secure/SampleSecureApplicationTests.java

@@ -83,7 +83,7 @@ public class SampleSecureApplicationTests {
 		headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
 		MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
 		form.set("username", "user");
-		form.set("password", "user");
+		form.set("password", "password");
 		ResponseEntity<String> entity = this.restTemplate.exchange("/login",
 				HttpMethod.POST, new HttpEntity<>(form, headers), String.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.FOUND);