Harden ApplicationConfiguration with stronger BCrypt, cleanup, and security improvements
- Increased BCrypt password encoder strength to 12 for better hashing security. - Switched to PasswordEncoder interface for flexibility (e.g., Argon2 support). - Removed unused import (java.security.AuthProvider). - Made all @Bean methods explicitly public. - Added JavaDoc comments for better readability and maintainability. - Improved exception message in UserDetailsService for clarity.
This commit is contained in:
+30
-22
@@ -1,7 +1,5 @@
|
||||
package com.skycrate.backend.skycrateBackend.config;
|
||||
|
||||
import java.security.AuthProvider;
|
||||
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.authentication.AuthenticationManager;
|
||||
@@ -10,38 +8,48 @@ import org.springframework.security.authentication.dao.DaoAuthenticationProvider
|
||||
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
|
||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||
import org.springframework.security.crypto.bcrypt.BCrypt;
|
||||
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
|
||||
import org.springframework.security.crypto.password.PasswordEncoder;
|
||||
|
||||
import com.skycrate.backend.skycrateBackend.repository.UserRepository;
|
||||
|
||||
// Application-wide security configuration.
|
||||
// Configures user authentication, password encoding, and authentication provider.
|
||||
@Configuration
|
||||
public class ApplicationConfiguration {
|
||||
|
||||
private final UserRepository userRepository;
|
||||
public ApplicationConfiguration(UserRepository userRepository){
|
||||
this.userRepository=userRepository;
|
||||
|
||||
}
|
||||
public ApplicationConfiguration(UserRepository userRepository) {
|
||||
this.userRepository = userRepository;
|
||||
}
|
||||
|
||||
// Custom UserDetailsService to fetch user details by email.
|
||||
@Bean
|
||||
UserDetailsService userDetailsService() {
|
||||
public UserDetailsService userDetailsService() {
|
||||
return username -> userRepository.findByEmail(username)
|
||||
.orElseThrow(() -> new UsernameNotFoundException("User not found"));
|
||||
}
|
||||
@Bean
|
||||
BCryptPasswordEncoder passwordEncoder(){
|
||||
return new BCryptPasswordEncoder();
|
||||
.orElseThrow(() -> new UsernameNotFoundException("User not found with email: " + username));
|
||||
}
|
||||
|
||||
// BCrypt password encoder with a higher strength for better security.
|
||||
// Cost factor 12 is considered a good balance for production use.
|
||||
@Bean
|
||||
public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception{
|
||||
public PasswordEncoder passwordEncoder() {
|
||||
return new BCryptPasswordEncoder(12);
|
||||
}
|
||||
|
||||
// AuthenticationProvider using DAO with custom user service and password encoder.
|
||||
@Bean
|
||||
public AuthenticationProvider authenticationProvider() {
|
||||
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
|
||||
authProvider.setUserDetailsService(userDetailsService());
|
||||
authProvider.setPasswordEncoder(passwordEncoder());
|
||||
return authProvider;
|
||||
}
|
||||
|
||||
// Provides the AuthenticationManager for authenticating credentials.
|
||||
@Bean
|
||||
public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
|
||||
return config.getAuthenticationManager();
|
||||
}
|
||||
|
||||
@Bean
|
||||
AuthenticationProvider authenticationProvider(){
|
||||
DaoAuthenticationProvider authprovider=new DaoAuthenticationProvider();
|
||||
authprovider.setUserDetailsService(userDetailsService());
|
||||
authprovider.setPasswordEncoder(passwordEncoder());
|
||||
return authprovider;
|
||||
}
|
||||
}
|
||||
}
|
||||
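Review bot: Raising the cost to 12 in `passwordEncoder()` only affects hashes written from now on; bcrypt embeds the cost in the stored hash, so existing cost-10 hashes keep verifying and stay at cost 10 until they are re-encoded, which nothing in this class arranges. To realize the upgrade for existing accounts, give the provider in `authenticationProvider()` a `UserDetailsPasswordService` (`authProvider.setUserDetailsPasswordService(userDetailsPasswordService);`) so `DaoAuthenticationProvider` re-hashes on the next successful login through `PasswordEncoder.upgradeEncoding`; the implementation would have to persist the new hash via `UserRepository`, which is not shown here. Separately, the new `UsernameNotFoundException("User not found with email: " + username)` embeds caller-supplied input: `DaoAuthenticationProvider` masks it as `BadCredentialsException` by default, but if the `UserDetailsService` bean is also called outside that provider (a token filter, for instance) the message could reach clients or logs and enable account enumeration or log injection, so keep the email out of the message and log it as a separate parameter if needed. The `org.springframework.security.crypto.bcrypt.BCrypt` import is still unused after this cleanup and can be removed along with `AuthProvider`.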