DaoAuthenticationProvider uses DelegatingPasswordEncoder

This means that passwords will be encoded with BCrypt by default

Fixes: gh-2775

config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/userdetails/AbstractDaoAuthenticationConfigurer.java

@@ -18,7 +18,6 @@ package org.springframework.security.config.annotation.authentication.configurer
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityBuilder;
-import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.PasswordEncoder;

config/src/test/groovy/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.groovy

@@ -35,6 +35,7 @@ import org.springframework.security.config.annotation.configuration.ObjectPostPr
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication
+import org.springframework.security.core.userdetails.PasswordEncodedUser
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
@@ -90,10 +91,10 @@ class AuthenticationManagerBuilderTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER").and()
+					.withUser(PasswordEncodedUser.user())
 					.and()
 				.inMemoryAuthentication()
-					.withUser("admin").password("password").roles("USER","ADMIN")
+					.withUser(PasswordEncodedUser.admin())
 		}
 	}
 

config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy

@@ -25,6 +25,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication
+import org.springframework.security.core.userdetails.PasswordEncodedUser
 
 /**
  *
@@ -50,7 +51,7 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 
 		// Only necessary to have access to verify the AuthenticationManager
@@ -68,7 +69,7 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
 			Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("user","password"))
 		then:
 			auth.credentials == "password"
-			auth.principal.password == "password"
+			auth.principal.password
 	}
 
 	@EnableWebSecurity
@@ -77,7 +78,7 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
 			auth
 				.eraseCredentials(false)
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 
 		// Only necessary to have access to verify the AuthenticationManager
@@ -95,7 +96,7 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
 			Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("user","password"))
 		then:
 			auth.credentials == "password"
-			auth.principal.password == "password"
+			auth.principal.password
 	}
 
 	@EnableWebSecurity
@@ -105,7 +106,7 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
 			auth
 				.eraseCredentials(false)
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 	}
 }

config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceJdbcUserServiceTests.groovy

@@ -15,6 +15,8 @@
  */
 package org.springframework.security.config.annotation.authentication
 
+import org.springframework.security.core.userdetails.PasswordEncodedUser
+
 import javax.sql.DataSource
 
 import org.springframework.beans.factory.annotation.Autowired
@@ -89,9 +91,7 @@ class NamespaceJdbcUserServiceTests extends BaseSpringSpec {
 					// imports the default schema (will fail if already exists)
 					.withDefaultSchema()
 					// adds this user automatically (will fail if already exists)
-					.withUser("user")
+					.withUser(PasswordEncodedUser.user())
-						.password("password")
-						.roles("USER")
 		}
 
 		// Only necessary to have access to verify the AuthenticationManager

config/src/test/groovy/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.groovy

@@ -39,6 +39,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.core.AuthenticationException
 import org.springframework.security.core.authority.AuthorityUtils
 import org.springframework.security.core.context.SecurityContextHolder
+import org.springframework.security.core.userdetails.PasswordEncodedUser
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
@@ -64,7 +65,7 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 	static class GlobalMethodSecurityAutowiredConfig {
 		@Autowired
 		public void configureGlobal(AuthenticationManagerBuilder auth) {
-			auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
+			auth.inMemoryAuthentication().withUser(PasswordEncodedUser.user())
 		}
 	}
 
@@ -88,7 +89,7 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 	static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 		@Autowired
 		public void configureGlobal(AuthenticationManagerBuilder auth) {
-			auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
+			auth.inMemoryAuthentication().withUser(PasswordEncodedUser.user())
 		}
 	}
 
@@ -111,7 +112,7 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 	static class WebMvcSecurityConfig extends WebSecurityConfigurerAdapter {
 		@Autowired
 		public void configureGlobal(AuthenticationManagerBuilder auth) {
-			auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
+			auth.inMemoryAuthentication().withUser(PasswordEncodedUser.user())
 		}
 	}
 
@@ -148,7 +149,7 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 	@Configuration
 	static class GlobalAuthenticationConfiguererAdapterImpl extends GlobalAuthenticationConfigurerAdapter {
 		public void init(AuthenticationManagerBuilder auth) throws Exception {
-			auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")
+			auth.inMemoryAuthentication().withUser(PasswordEncodedUser.user())
 		}
 	}
 
@@ -264,7 +265,7 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 		public void init(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 	}
 
@@ -282,7 +283,7 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 				return;
 			}
 
-			User user = new User("boot","password", AuthorityUtils.createAuthorityList("ROLE_USER"))
+			User user = User.withUserDetails(PasswordEncodedUser.user()).username("boot").build()
 
 			List<User> users = Arrays.asList(user);
 			InMemoryUserDetailsManager inMemory = new InMemoryUserDetailsManager(users);
@@ -373,11 +374,11 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
 		when:
 		am.authenticate(new UsernamePasswordAuthenticationToken("user", "password"))
 		then:
-		1 * uds.loadUserByUsername("user") >> new User("user","password",AuthorityUtils.createAuthorityList("ROLE_USER"))
+		1 * uds.loadUserByUsername("user") >> PasswordEncodedUser.user()
 		when:
 		am.authenticate(new UsernamePasswordAuthenticationToken("user", "invalid"))
 		then:
-		1 * uds.loadUserByUsername("user") >> new User("user","password",AuthorityUtils.createAuthorityList("ROLE_USER"))
+		1 * uds.loadUserByUsername("user") >>  PasswordEncodedUser.user()
 		thrown(AuthenticationException.class)
 	}
 

config/src/test/groovy/org/springframework/security/config/annotation/web/SampleWebSecurityConfigurerAdapterTests.groovy

@@ -15,6 +15,8 @@
  */
 package org.springframework.security.config.annotation.web
 
+import org.springframework.security.core.userdetails.PasswordEncodedUser
+
 import javax.servlet.http.HttpServletResponse
 
 import org.springframework.beans.factory.annotation.Autowired
@@ -93,7 +95,7 @@ public class SampleWebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER");
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
 
@@ -180,8 +182,8 @@ public class SampleWebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER").and()
+					.withUser(PasswordEncodedUser.user())
-					.withUser("admin").password("password").roles("USER", "ADMIN");
+					.withUser(PasswordEncodedUser.admin());
 		}
 	}
 
@@ -276,8 +278,8 @@ public class SampleWebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER").and()
+				.withUser(PasswordEncodedUser.user())
-					.withUser("admin").password("password").roles("USER", "ADMIN");
+				.withUser(PasswordEncodedUser.admin());
 		}
 
 		@Configuration

config/src/test/groovy/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.groovy

@@ -13,7 +13,9 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.config.annotation.web;
+package org.springframework.security.config.annotation.web
+
+import org.springframework.security.core.userdetails.PasswordEncodedUser;
 
 import static org.junit.Assert.*
 import static org.springframework.security.config.annotation.web.WebSecurityConfigurerAdapterTestsConfigs.*
@@ -94,7 +96,7 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 
 		@Override
@@ -117,7 +119,7 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 
 		@Override
@@ -153,7 +155,7 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser("user").password("{noop}password").roles("USER")
 		}
 
 		@Override
@@ -234,7 +236,7 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 	}
 

config/src/test/groovy/org/springframework/security/config/annotation/web/configuration/BaseWebConfig.groovy

@@ -17,6 +17,7 @@ package org.springframework.security.config.annotation.web.configuration;
 
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
+import org.springframework.security.core.userdetails.PasswordEncodedUser
 
 /**
  *
@@ -34,7 +35,7 @@ public abstract class BaseWebConfig extends WebSecurityConfigurerAdapter {
 	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 		auth
 			.inMemoryAuthentication()
-				.withUser("user").password("password").roles("USER").and()
+				.withUser(PasswordEncodedUser.user())
-				.withUser("admin").password("password").roles("USER", "ADMIN");
+				.withUser(PasswordEncodedUser.admin());
 	}
 }

config/src/test/groovy/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.groovy

@@ -20,6 +20,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken
 import org.springframework.security.core.annotation.AuthenticationPrincipal
 import org.springframework.security.core.context.SecurityContext
 import org.springframework.security.core.context.SecurityContextImpl
+import org.springframework.security.core.userdetails.PasswordEncodedUser
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository
 import org.springframework.test.context.web.WebAppConfiguration
@@ -65,7 +66,7 @@ class EnableWebSecurityTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER");
+					.withUser(PasswordEncodedUser.user());
 		}
 
 		@Bean

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.groovy

@@ -15,6 +15,8 @@
  */
 package org.springframework.security.config.annotation.web.configurers
 
+import org.springframework.security.core.userdetails.PasswordEncodedUser
+
 import javax.servlet.http.HttpServletResponse
 
 import spock.lang.Unroll
@@ -136,7 +138,7 @@ class CsrfConfigurerTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
 
@@ -258,7 +260,7 @@ class CsrfConfigurerTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
 
@@ -448,7 +450,7 @@ class CsrfConfigurerTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
 
@@ -488,7 +490,7 @@ class CsrfConfigurerTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
 

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurerTests.groovy

@@ -15,6 +15,8 @@
  */
 package org.springframework.security.config.annotation.web.configurers
 
+import org.springframework.security.core.userdetails.PasswordEncodedUser
+
 import javax.servlet.http.Cookie
 
 import org.springframework.beans.factory.BeanCreationException
@@ -75,7 +77,7 @@ public class RememberMeConfigurerTests extends BaseSpringSpec {
 
 		@Override
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
-			User user = new User("user", "password", AuthorityUtils.createAuthorityList("ROLE_USER"))
+			User user = PasswordEncodedUser.user();
 			DaoAuthenticationProvider provider = new DaoAuthenticationProvider()
 			provider.userDetailsService = new InMemoryUserDetailsManager([user])
 			auth
@@ -215,7 +217,7 @@ public class RememberMeConfigurerTests extends BaseSpringSpec {
 		public void configureGlobal(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER");
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
 
@@ -236,7 +238,7 @@ public class RememberMeConfigurerTests extends BaseSpringSpec {
 		public void configureGlobal(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER");
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
 
@@ -262,7 +264,7 @@ public class RememberMeConfigurerTests extends BaseSpringSpec {
 		public void configureGlobal(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER");
+					.withUser(PasswordEncodedUser.user());
 		}
 
 	}

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/RequestCacheConfigurerTests.groovy

@@ -15,6 +15,8 @@
  */
 package org.springframework.security.config.annotation.web.configurers
 
+import org.springframework.security.core.userdetails.PasswordEncodedUser
+
 import javax.servlet.http.HttpServletResponse
 
 import org.springframework.context.annotation.Configuration
@@ -178,7 +180,7 @@ class RequestCacheConfigurerTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user());
 		}
 	}
 }

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.groovy

@@ -15,6 +15,8 @@
  */
 package org.springframework.security.config.annotation.web.configurers
 
+import org.springframework.security.core.userdetails.PasswordEncodedUser
+
 import javax.servlet.http.HttpServletResponse
 
 import org.springframework.mock.web.MockFilterChain
@@ -144,7 +146,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 	}
 
@@ -200,7 +202,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
 		protected void configure(AuthenticationManagerBuilder auth) {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER")
+					.withUser(PasswordEncodedUser.user())
 		}
 	}
 

config/src/test/java/org/springframework/security/config/ConfigTestUtils.java

@@ -19,10 +19,10 @@ public abstract class ConfigTestUtils {
 	public static final String AUTH_PROVIDER_XML = "<authentication-manager alias='authManager'>"
 			+ "    <authentication-provider>"
 			+ "        <user-service id='us'>"
-			+ "            <user name='bob' password='bobspassword' authorities='ROLE_A,ROLE_B' />"
+			+ "            <user name='bob' password='{noop}bobspassword' authorities='ROLE_A,ROLE_B' />"
-			+ "            <user name='bill' password='billspassword' authorities='ROLE_A,ROLE_B,AUTH_OTHER' />"
+			+ "            <user name='bill' password='{noop}billspassword' authorities='ROLE_A,ROLE_B,AUTH_OTHER' />"
-			+ "            <user name='admin' password='password' authorities='ROLE_ADMIN,ROLE_USER' />"
+			+ "            <user name='admin' password='{noop}password' authorities='ROLE_ADMIN,ROLE_USER' />"
-			+ "            <user name='user' password='password' authorities='ROLE_USER' />"
+			+ "            <user name='user' password='{noop}password' authorities='ROLE_USER' />"
 			+ "        </user-service>"
 			+ "    </authentication-provider>"
 			+ "</authentication-manager>";

config/src/test/java/org/springframework/security/config/DataSourcePopulator.java

@@ -46,13 +46,13 @@ public class DataSourcePopulator implements InitializingBean {
 		 * is disabled) Encoded password for bill is "wombat" Encoded password for bob is
 		 * "wombat" Encoded password for jane is "wombat"
 		 */
-		template.execute("INSERT INTO USERS VALUES('rod','koala',TRUE);");
+		template.execute("INSERT INTO USERS VALUES('rod','{noop}koala',TRUE);");
-		template.execute("INSERT INTO USERS VALUES('dianne','65d15fe9156f9c4bbffd98085992a44e',TRUE);");
+		template.execute("INSERT INTO USERS VALUES('dianne','{MD5}65d15fe9156f9c4bbffd98085992a44e',TRUE);");
-		template.execute("INSERT INTO USERS VALUES('scott','2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
+		template.execute("INSERT INTO USERS VALUES('scott','{MD5}2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
-		template.execute("INSERT INTO USERS VALUES('peter','22b5c9accc6e1ba628cedc63a72d57f8',FALSE);");
+		template.execute("INSERT INTO USERS VALUES('peter','{MD5}22b5c9accc6e1ba628cedc63a72d57f8',FALSE);");
-		template.execute("INSERT INTO USERS VALUES('bill','2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
+		template.execute("INSERT INTO USERS VALUES('bill','{MD5}2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
-		template.execute("INSERT INTO USERS VALUES('bob','2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
+		template.execute("INSERT INTO USERS VALUES('bob','{MD5}2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
-		template.execute("INSERT INTO USERS VALUES('jane','2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
+		template.execute("INSERT INTO USERS VALUES('jane','{MD5}2b58af6dddbd072ed27ffc86725d7d3a',TRUE);");
 		template.execute("INSERT INTO AUTHORITIES VALUES('rod','ROLE_USER');");
 		template.execute("INSERT INTO AUTHORITIES VALUES('rod','ROLE_SUPERVISOR');");
 		template.execute("INSERT INTO AUTHORITIES VALUES('dianne','ROLE_USER');");

config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java

@@ -45,6 +45,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.web.context.HttpRequestResponseHolder;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.csrf.CsrfToken;
@@ -126,7 +127,7 @@ public class SessionManagementConfigurerServlet31Tests {
 		protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 			auth
 				.inMemoryAuthentication()
-					.withUser("user").password("password").roles("USER");
+					.withUser(PasswordEncodedUser.user());
 		}
 		// @formatter:on
 	}

config/src/test/java/org/springframework/security/config/authentication/AuthenticationConfigurationGh3935Tests.java

@@ -32,6 +32,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.FilterChainProxy;
@@ -66,9 +67,7 @@ public class AuthenticationConfigurationGh3935Tests {
 	public void delegateUsesExisitingAuthentication() {
 		String username = "user";
 		String password = "password";
-		User user = new User(username, password,
+		when(this.uds.loadUserByUsername(username)).thenReturn(PasswordEncodedUser.user());
-				AuthorityUtils.createAuthorityList("ROLE_USER"));
-		when(this.uds.loadUserByUsername(username)).thenReturn(user);
 
 		AuthenticationManager authenticationManager = this.adapter.authenticationManager;
 		assertThat(authenticationManager).isNotNull();
@@ -77,7 +76,7 @@ public class AuthenticationConfigurationGh3935Tests {
 				new UsernamePasswordAuthenticationToken(username, password));
 
 		verify(this.uds).loadUserByUsername(username);
-		assertThat(auth.getPrincipal()).isEqualTo(user);
+		assertThat(auth.getPrincipal()).isEqualTo(PasswordEncodedUser.user());
 	}
 
 	@EnableWebSecurity

config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java

@@ -39,7 +39,7 @@ public class AuthenticationManagerBeanDefinitionParserTests {
 	private static final String CONTEXT = "<authentication-manager id='am'>"
 			+ "    <authentication-provider>"
 			+ "        <user-service>"
-			+ "            <user name='bob' password='bobspassword' authorities='ROLE_A,ROLE_B' />"
+			+ "            <user name='bob' password='{noop}bobspassword' authorities='ROLE_A,ROLE_B' />"
 			+ "        </user-service>" + "    </authentication-provider>"
 			+ "</authentication-manager>";
 	private AbstractXmlApplicationContext appContext;

config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java

@@ -51,7 +51,7 @@ public class AuthenticationProviderBeanDefinitionParserTests {
 	public void worksWithEmbeddedUserService() {
 		setContext(" <authentication-provider>"
 				+ "        <user-service>"
-				+ "            <user name='bob' password='bobspassword' authorities='ROLE_A' />"
+				+ "            <user name='bob' password='{noop}bobspassword' authorities='ROLE_A' />"
 				+ "        </user-service>" + "    </authentication-provider>");
 		getProvider().authenticate(bob);
 	}
@@ -63,7 +63,7 @@ public class AuthenticationProviderBeanDefinitionParserTests {
 						+ "        <authentication-provider user-service-ref='myUserService' />"
 						+ "    </authentication-manager>"
 						+ "    <user-service id='myUserService'>"
-						+ "       <user name='bob' password='bobspassword' authorities='ROLE_A' />"
+						+ "       <user name='bob' password='{noop}bobspassword' authorities='ROLE_A' />"
 						+ "    </user-service>");
 		getProvider().authenticate(bob);
 	}

config/src/test/java/org/springframework/security/config/http/SessionManagementConfigServlet31Tests.java

@@ -56,7 +56,7 @@ import org.springframework.util.ReflectionUtils;
 public class SessionManagementConfigServlet31Tests {
 	private static final String XML_AUTHENTICATION_MANAGER = "<authentication-manager>"
 			+ "  <authentication-provider>" + "    <user-service>"
-			+ "      <user name='user' password='password' authorities='ROLE_USER' />"
+			+ "      <user name='user' password='{noop}password' authorities='ROLE_USER' />"
 			+ "    </user-service>" + "  </authentication-provider>"
 			+ "</authentication-manager>";
 

config/src/test/resources/CustomJdbcUserServiceSampleConfig.sql

@@ -5,7 +5,7 @@ create table groups (id bigint generated by default as identity(start with 0) pr
 create table group_authorities (group_id bigint not null,authority varchar(50) not null,constraint fk_group_authorities_group foreign key(group_id) references groups(id));
 create table group_members (id bigint generated by default as identity(start with 0) primary key,username varchar(50) not null,group_id bigint not null,constraint fk_group_members_group foreign key(group_id) references groups(id));
 
-insert into users values('user','password');
+insert into users values('user','{noop}password');
 insert into roles values('user','USER');
 
 insert into groups values(1,'OPERATIONS');

config/src/test/resources/org/springframework/security/config/users.properties

@@ -1,2 +1,2 @@
-joe=joespassword,ROLE_A
+joe={noop}joespassword,ROLE_A
-bob=bobspassword,ROLE_A,ROLE_B
+bob={noop}bobspassword,ROLE_A,ROLE_B

config/src/test/resources/users.properties

@@ -16,4 +16,4 @@
 #  */
 #
 
-user=password,ROLE_USER
+user={noop}password,ROLE_USER

core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java

@@ -24,7 +24,7 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.util.Assert;
 
@@ -63,7 +63,7 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
 	private UserDetailsService userDetailsService;
 
 	public DaoAuthenticationProvider() {
-		setPasswordEncoder(NoOpPasswordEncoder.getInstance());
+		setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
 	}
 
 	// ~ Methods

core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java

@@ -50,6 +50,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache;
 import org.springframework.security.core.userdetails.cache.NullUserCache;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 
 /**
@@ -70,7 +71,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"rod", "KOala");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
 
@@ -86,7 +87,7 @@ public class DaoAuthenticationProviderTests {
 	@Test
 	public void testReceivedBadCredentialsWhenCredentialsNotProvided() {
 		// Test related to SEC-434
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
 
@@ -106,7 +107,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"peter", "opal");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(
 				new MockAuthenticationDaoUserPeterAccountExpired());
 		provider.setUserCache(new MockUserCache());
@@ -125,7 +126,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"peter", "opal");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserPeterAccountLocked());
 		provider.setUserCache(new MockUserCache());
 
@@ -143,7 +144,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"peter", "opal");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(
 				new MockAuthenticationDaoUserPeterCredentialsExpired());
 		provider.setUserCache(new MockUserCache());
@@ -174,7 +175,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"peter", "opal");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserPeter());
 		provider.setUserCache(new MockUserCache());
 
@@ -192,7 +193,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"rod", "koala");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoSimulateBackendError());
 		provider.setUserCache(new MockUserCache());
 
@@ -209,7 +210,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				null, "koala");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
 
@@ -227,7 +228,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"rod", "INVALID_PASSWORD");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
 
@@ -245,7 +246,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"INVALID_USER", "koala");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setHideUserNotFoundExceptions(false); // we want
 														// UsernameNotFoundExceptions
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
@@ -265,7 +266,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"INVALID_USER", "koala");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		assertThat(provider.isHideUserNotFoundExceptions()).isTrue();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
@@ -284,7 +285,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"RoD", "koala");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
 
@@ -303,7 +304,7 @@ public class DaoAuthenticationProviderTests {
 				"rod", "koala");
 		token.setDetails("192.168.0.1");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
 
@@ -327,7 +328,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"rod", "koala");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
 
@@ -352,7 +353,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"rod", "koala");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		provider.setUserCache(new MockUserCache());
 		provider.setForcePrincipalAsString(true);
@@ -373,7 +374,7 @@ public class DaoAuthenticationProviderTests {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"rod", "koala");
 
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoReturnsNull());
 
 		try {
@@ -410,7 +411,7 @@ public class DaoAuthenticationProviderTests {
 
 		MockAuthenticationDaoUserrod authenticationDao = new MockAuthenticationDaoUserrod();
 		MockUserCache cache = new MockUserCache();
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(authenticationDao);
 		provider.setUserCache(cache);
 
@@ -448,7 +449,7 @@ public class DaoAuthenticationProviderTests {
 
 	@Test
 	public void testStartupFailsIfNoUserCacheSet() throws Exception {
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		assertThat(provider.getUserCache().getClass()).isEqualTo(NullUserCache.class);
 		provider.setUserCache(null);
@@ -464,7 +465,7 @@ public class DaoAuthenticationProviderTests {
 
 	@Test
 	public void testStartupSuccess() throws Exception {
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		UserDetailsService userDetailsService = new MockAuthenticationDaoUserrod();
 		provider.setUserDetailsService(userDetailsService);
 		provider.setUserCache(new MockUserCache());
@@ -475,7 +476,7 @@ public class DaoAuthenticationProviderTests {
 
 	@Test
 	public void testSupports() {
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		assertThat(provider.supports(UsernamePasswordAuthenticationToken.class)).isTrue();
 		assertThat(!provider.supports(TestingAuthenticationToken.class)).isTrue();
 	}
@@ -527,7 +528,7 @@ public class DaoAuthenticationProviderTests {
 	public void testUserNotFoundDefaultEncoder() {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
 				"missing", null);
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		DaoAuthenticationProvider provider = createProvider();
 		provider.setHideUserNotFoundExceptions(false);
 		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
 		try {
@@ -713,4 +714,10 @@ public class DaoAuthenticationProviderTests {
 			}
 		}
 	}
+
+	private DaoAuthenticationProvider createProvider() {
+		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+		provider.setPasswordEncoder(NoOpPasswordEncoder.getInstance());
+		return provider;
+	}
 }

itest/context/src/integration-test/resources/python-method-access-app-context.xml

@@ -26,7 +26,7 @@
 	<authentication-manager>
 		<authentication-provider>
 			<user-service>
-				<user name="bob" password="bobspassword" authorities="ROLE_A,ROLE_B"/>
+				<user name="bob" password="{noop}bobspassword" authorities="ROLE_A,ROLE_B"/>
 			</user-service>
 		</authentication-provider>
 	</authentication-manager>

itest/context/src/integration-test/resources/sec-936-app-context.xml

@@ -10,7 +10,7 @@
 	<security:authentication-manager alias="authenticationManager">
 		<security:authentication-provider>
 			<security:user-service>
-				<security:user name="bob" password="bobspassword" authorities="ROLE_A,ROLE_B"/>
+				<security:user name="bob" password="{noop}bobspassword" authorities="ROLE_A,ROLE_B"/>
 			</security:user-service>
 		</security:authentication-provider>
 	</security:authentication-manager>

itest/web/src/integration-test/resources/spring/in-memory-provider.xml

@@ -9,11 +9,11 @@
 	<authentication-manager alias="authenticationManager">
 		<authentication-provider>
 			<user-service>
-			  <user name="miles" password="milespassword" authorities="ROLE_USER,ROLE_JAZZ,ROLE_TRUMPETER"/>
+			  <user name="miles" password="{noop}milespassword" authorities="ROLE_USER,ROLE_JAZZ,ROLE_TRUMPETER"/>
-			  <user name="johnc" password="johncspassword" authorities="ROLE_USER,ROLE_JAZZ,ROLE_SAXOPHONIST"/>
+			  <user name="johnc" password="{noop}johncspassword" authorities="ROLE_USER,ROLE_JAZZ,ROLE_SAXOPHONIST"/>
-			  <user name="jimi" password="jimispassword" authorities="ROLE_USER,ROLE_ROCK,ROLE_GUITARIST"/>
+			  <user name="jimi" password="{noop}jimispassword" authorities="ROLE_USER,ROLE_ROCK,ROLE_GUITARIST"/>
-			  <user name="bessie" password="bessiespassword" authorities="ROLE_USER,ROLE_JAZZ,ROLE_SINGER"/>
+			  <user name="bessie" password="{noop}bessiespassword" authorities="ROLE_USER,ROLE_JAZZ,ROLE_SINGER"/>
-			  <user name="theescapist&lt;&gt;&amp;." password="theescapistspassword" authorities="ROLE_USER"/>
+			  <user name="theescapist&lt;&gt;&amp;." password="{noop}theescapistspassword" authorities="ROLE_USER"/>
 			</user-service>
 		</authentication-provider>
 	</authentication-manager>

samples/boot/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java

@@ -20,6 +20,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
 
 /**
  * @author Joe Grandja
@@ -44,7 +45,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 	public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
 		auth
 			.inMemoryAuthentication()
-				.withUser("user").password("password").roles("USER");
+				.withUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER"));
 	}
 	// @formatter:on
 }

samples/javaconfig/form/src/main/java/org/springframework/security/samples/config/SecurityConfig.java

@@ -20,6 +20,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
 
 @EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
@@ -47,7 +48,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 			AuthenticationManagerBuilder auth) throws Exception {
 		auth
 			.inMemoryAuthentication()
-				.withUser("user").password("password").roles("USER");
+				.withUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER"));
 	}
 	// @formatter:on
 }

samples/javaconfig/hellomvc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java

@@ -18,6 +18,7 @@ package org.springframework.security.samples.config;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
 
 @EnableWebSecurity
 public class SecurityConfig {
@@ -28,7 +29,7 @@ public class SecurityConfig {
 			AuthenticationManagerBuilder auth) throws Exception {
 		auth
 			.inMemoryAuthentication()
-				.withUser("user").password("password").roles("USER");
+				.withUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER"));
 	}
 	// @formatter:on
 }

samples/javaconfig/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java

@@ -18,6 +18,7 @@ package org.springframework.security.samples.config;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
@@ -27,9 +28,8 @@ public class SecurityConfig {
 	// @formatter:off
 	@Bean
 	public UserDetailsService userDetailsService() throws Exception {
-		InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
+		UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build();
-		manager.createUser(User.withUsername("user").password("password").roles("USER").build());
+		return new InMemoryUserDetailsManager(user);
-		return manager;
 	}
 	// @formatter:on
 }

samples/javaconfig/inmemory/src/main/java/org/springframework/security/samples/config/SecurityConfig.java

@@ -15,21 +15,23 @@
  */
 package org.springframework.security.samples.config;
 
-import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 @EnableWebSecurity
 public class SecurityConfig {
 
 	// @formatter:off
-	@Autowired
+	@Bean
-	public void configureGlobal(
+	public UserDetailsService userDetailsService() throws Exception {
-			AuthenticationManagerBuilder auth) throws Exception {
+		User.UserBuilder builder = User.withDefaultPasswordEncoder();
-		auth
+		UserDetails user = builder.username("user").password("password").roles("USER").build();
-			.inMemoryAuthentication()
+		UserDetails admin = builder.username("admin").password("password").roles("USER", "ADMIN").build();
-				.withUser("user").password("password").roles("USER").and()
+		return new InMemoryUserDetailsManager(user, admin);
-				.withUser("admin").password("password").roles("USER","ADMIN");
 	}
 		// @formatter:on
 }

samples/javaconfig/jdbc/src/main/java/org/springframework/security/samples/config/SecurityConfig.java

@@ -20,6 +20,7 @@ import javax.sql.DataSource;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
 
 @EnableWebSecurity
 public class SecurityConfig {
@@ -33,7 +34,7 @@ public class SecurityConfig {
 			.jdbcAuthentication()
 				.dataSource(dataSource)
 				.withDefaultSchema()
-				.withUser("user").password("password").roles("USER");
+				.withUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER"));
 	}
 	// @formatter:on
 }

samples/xml/helloworld/src/main/webapp/WEB-INF/spring/security.xml

@@ -6,6 +6,6 @@
 	<http />
 
 	<user-service>
-		<user name="user" password="password" authorities="ROLE_USER" />
+		<user name="user" password="{noop}password" authorities="ROLE_USER" />
 	</user-service>
 </b:beans>

test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchersTests.java

@@ -20,9 +20,14 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.context.web.WebAppConfiguration;
@@ -81,11 +86,10 @@ public class SecurityMockMvcResultMatchersTests {
 	static class Config extends WebSecurityConfigurerAdapter {
 
 		// @formatter:off
-		@Autowired
+		@Bean
-		public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+		public UserDetailsService userDetailsService() {
-			auth
+			UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER", "SELLER").build();
-				.inMemoryAuthentication()
+			return new InMemoryUserDetailsManager(user);
-					.withUser("user").roles("USER","SELLER").password("password");
 		}
 		// @formatter:on
 

test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockWithAuthoritiesMvcResultMatchersTests.java

@@ -27,10 +27,15 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.context.web.WebAppConfiguration;
@@ -77,11 +82,10 @@ public class SecurityMockWithAuthoritiesMvcResultMatchersTests {
 	static class Config extends WebSecurityConfigurerAdapter {
 
 		// @formatter:off
-		@Autowired
+		@Bean
-		public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+		public UserDetailsService userDetailsService() {
-			auth
+			UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("ADMIN", "SELLER").build();
-				.inMemoryAuthentication()
+			return new InMemoryUserDetailsManager(user);
-					.withUser("user").authorities("ROLE_ADMIN", "ROLE_SELLER").password("password");
 		}
 		// @formatter:on
 

test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/AuthenticationTests.java

@@ -26,9 +26,14 @@ import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.context.web.WebAppConfiguration;
@@ -83,11 +88,10 @@ public class AuthenticationTests {
 	@EnableWebMvc
 	static class Config extends WebSecurityConfigurerAdapter {
 		// @formatter:off
-		@Autowired
+		@Bean
-		public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+		public UserDetailsService userDetailsService() {
-			auth
+			UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build();
-				.inMemoryAuthentication()
+			return new InMemoryUserDetailsManager(user);
-					.withUser("user").password("password").roles("USER");
 		}
 		// @formatter:on
 	}

test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomConfigAuthenticationTests.java

@@ -31,6 +31,10 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.test.context.ContextConfiguration;
@@ -106,11 +110,10 @@ public class CustomConfigAuthenticationTests {
 		// @formatter:on
 
 		// @formatter:off
-		@Autowired
+		@Bean
-		public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+		public UserDetailsService userDetailsService() {
-			auth
+			UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build();
-				.inMemoryAuthentication()
+			return new InMemoryUserDetailsManager(user);
-					.withUser("user").password("password").roles("USER");
 		}
 		// @formatter:on
 

test/src/test/java/org/springframework/security/test/web/servlet/showcase/login/CustomLoginRequestBuilderAuthenticationTests.java

@@ -23,10 +23,14 @@ import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.FormLoginRequestBuilder;
 import org.springframework.test.context.ContextConfiguration;
@@ -92,11 +96,10 @@ public class CustomLoginRequestBuilderAuthenticationTests {
 		// @formatter:on
 
 		// @formatter:off
-		@Autowired
+		@Bean
-		public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+		public UserDetailsService userDetailsService() {
-			auth
+			UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build();
-				.inMemoryAuthentication()
+			return new InMemoryUserDetailsManager(user);
-					.withUser("user").password("password").roles("USER");
 		}
 		// @formatter:on
 	}