Recover username and password with spring security

0
votes

I am using spring security with my web application. I am in the phase of recovering username and password.

The Use Case:

When a user forgets their password, they can't login.
How to send request to spring through spring security?

The problem is that spring security doesn't let anything pass unless logged in and authenticated.

I am currently using the following in my config:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/loginrecover/**"); 
}

Which I think is totally outside security and is vulnerable.

Is there any other way to achieve this?

1
javaspringspring-mvcspring-security
I think there is no other way. Always will page where unauthorized users should have access to request password reset. - user1516873
When the user forgets his password he should be sent to a password-reset page where he enters his UID or email address and the answer to a secret question, whereupon he is emailed a link containing an expiring ticket which will log him in and take him to the password-reset page as though he was already logged in. Any system that allows anybody, even the user, to retrieve his own current password is irredeemably and utterly broken. - user207421
@EJP "Any system that allows . . ." so what do you think a workaround should be? - user3667171
@EJP That was an escape . . . I thought the second part of your comment was intending to underestimate/devalue the first part, my bad. But in any case I never intended to send a password to the user through mail/mobile phone or through any other means, I had in mind the same exact thing you just explained but I was afraid that anybody that knows the email and/or secret question can change the password and to have a full access . . . - user3667171
@EJP What I had in mind is by sending to the user an email with expiring url parameters, they could get an access to the app through programmatical login in the background as a save. - user3667171

1 Answers

0
votes

I will use: 

    @Override
    protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/loginrecover").permitAll()
...}

With permitAll you are not disabling the security filters. Spring Security related functionality will still be available.

With ignoring() you completely disable the Security filter chain for that request path. Spring Security features will not be available. This is java configuration for security "none". This should be just for static resources.

Yes, it is similar and you need an unauthorized web. But the correct way is just disable the access not also the filter.