
Add Password Advice Support #17118


Draft: wants to merge 2 commits into base branch main

Conversation

jzheaux
Contributor

@jzheaux jzheaux commented May 15, 2025

This commit adds configuration options to .passwordManagement to allow for additional password management flows:

  1. Show a default change password page and enforce configured password rules
  2. Enforce configured password rules at login time; either request or require that the user change their password accordingly
  3. Allow admin to force password changes

You can activate by publishing a UserDetailsPasswordManager bean and using the PasswordManagement DSL:

```java
@Bean
UserDetailsService users() {
    // ...
    return new InMemoryUserDetailsManager(...);
}

...
@Bean
SecurityFilterChain securityFilters(HttpSecurity http) throws Exception {
    http
        // ...
        .passwordManagement(Customizer.withDefaults());

    return http.build();
}
```

Since these flows require a UserDetailsPasswordManager bean, and because .passwordManagement is a pre-existing DSL, they remain inactive until that bean is provided.

Some things to try:

  • ChangePasswordAdvisor - the PR contains several sample implementations of this interface. They can be composed in DelegatingChangePasswordAdvisor to form a custom set of password requirements. By default, two advisors are active: the compromised password advisor and the password advice advisor, which checks for any existing advice.
  • ChangePasswordAdvice.Action - the existing advisors can be configured to have a different action, for example changing the failure action to Action.MUST_CHANGE instead of Action.SHOULD_CHANGE
  • UserDetailsPasswordManager contains any advice tied to a user. By default, .passwordManagement only checks at login time and when a password changes. However, you can write a ChangePasswordAdviceRepository implementation that checks the UserDetailsPasswordManager on each request so that the user is advised mid-session if changes are needed.
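To make the composition and action semantics described above concrete, here is an added, self-contained model of how configurable advisors can be delegated to and how a stricter action overrides a weaker one. It is not code from the PR: the types are hypothetical stand-ins named after the PR's interfaces (their real signatures are not shown on this page), and the "most severe action wins" resolution rule, the Account record and the sample user are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;

// Hypothetical stand-ins named after the PR's types; Spring Security's real signatures may differ.
enum Action { NONE, SHOULD_CHANGE, MUST_CHANGE }   // declared in increasing severity (assumption)
record ChangePasswordAdvice(Action action, String reason) {
    static final ChangePasswordAdvice OK = new ChangePasswordAdvice(Action.NONE, "");
}
record Account(String username, Instant passwordChangedAt) {}   // stand-in for UserDetails plus password age
interface ChangePasswordAdvisor {
    ChangePasswordAdvice advise(Account account, String password);
}
// Composes advisors; assumed resolution rule: the most severe action wins, ties keep the first reason
class DelegatingChangePasswordAdvisor implements ChangePasswordAdvisor {
    private final List<ChangePasswordAdvisor> delegates;
    DelegatingChangePasswordAdvisor(ChangePasswordAdvisor... delegates) { this.delegates = List.of(delegates); }
    public ChangePasswordAdvice advise(Account account, String password) {
        ChangePasswordAdvice worst = ChangePasswordAdvice.OK;
        for (ChangePasswordAdvisor d : delegates) {
            ChangePasswordAdvice a = d.advise(account, password);
            if (a.action().compareTo(worst.action()) > 0) worst = a;
        }
        return worst;
    }
}
// A rule whose failure action is configurable, as the PR describes for its sample advisors
class MinimumLengthAdvisor implements ChangePasswordAdvisor {
    private final int min; private final Action onFailure;
    MinimumLengthAdvisor(int min, Action onFailure) { this.min = min; this.onFailure = onFailure; }
    public ChangePasswordAdvice advise(Account account, String password) {
        return password.length() >= min ? ChangePasswordAdvice.OK
                : new ChangePasswordAdvice(onFailure, "password shorter than " + min + " characters");
    }
}
// A second rule, so the delegating advisor has something to escalate between
class PasswordAgeAdvisor implements ChangePasswordAdvisor {
    private final Duration maxAge; private final Action onFailure;
    PasswordAgeAdvisor(Duration maxAge, Action onFailure) { this.maxAge = maxAge; this.onFailure = onFailure; }
    public ChangePasswordAdvice advise(Account account, String password) {
        return account.passwordChangedAt().plus(maxAge).isAfter(Instant.now()) ? ChangePasswordAdvice.OK
                : new ChangePasswordAdvice(onFailure, "password older than " + maxAge.toDays() + " days");
    }
}
public class PasswordAdviceDemo {
    public static void main(String[] args) {
        ChangePasswordAdvisor advisor = new DelegatingChangePasswordAdvisor(
                new MinimumLengthAdvisor(12, Action.MUST_CHANGE),
                new PasswordAgeAdvisor(Duration.ofDays(90), Action.SHOULD_CHANGE));
        Account alice = new Account("alice", Instant.now().minus(Duration.ofDays(120)));   // constructed sample user
        System.out.println(advisor.advise(alice, "correct horse battery staple"));   // only the age rule fires
        System.out.println(advisor.advise(alice, "short"));                          // length rule escalates the action
    }
}
```

Swapping MUST_CHANGE for SHOULD_CHANGE in the MinimumLengthAdvisor constructor is the same kind of per-advisor action change the PR description refers to.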

@jzheaux jzheaux marked this pull request as draft May 15, 2025 16:28
There are now two interfaces, ChangeExistingPasswordAdvisor and
ChangeUpdatingPasswordAdvisor. I have a sense that more information
may be wanted down the road for ChangeUpdatingPasswordAdvisor;
so this would allow them to evolve independently.