URL: https://www.geeksforgeeks.org/advance-java/spring-security-updating-your-password/

Spring Security - Updating Your Password

Last Updated : 29 May, 2026

Spring Security provides a secure way to update user passwords in a Spring Boot application. The password update feature lets authenticated users change their existing password by verifying the current password before storing the new password as a BCrypt hash. This improves application security and protects user accounts from unauthorized access.

  • Ensures only authenticated users can change passwords.
  • Verifies the current password before updating.
  • Uses BCryptPasswordEncoder to hash passwords.

Working of Update Password in Spring Security

  • User Authentication: The user first logs into the application using valid credentials.
  • Open Update Password Page: The user navigates to the update password page from the home page.
  • Enter Password Details: The user enters current password, new password, and confirm password.
  • Validate Passwords: The application checks that the current password is correct and that the new password and confirm password match.
  • Encode New Password: Spring Security hashes the new password using BCryptPasswordEncoder.
  • Update Database: The encoded password is saved into the database.
  • Display Response: The application displays either success or error messages based on the result.

Implementation to Update Password in Spring Security

Step 1: Create a Spring Boot Project

Create a new Spring Boot project using IntelliJ IDEA. While creating the project, choose the following options:

  • Project Name: security-update-password
  • Language: Java
  • Type: Maven
  • Packaging: Jar

Refer to the image below for a better understanding of creating a new Spring Boot project.

[Image: Project Creation]

Step 2: Add the Dependencies

Add the following dependencies into the project.

[Image: Dependencies]

After the project is created, the folder structure will look like the image below:

[Image: security-update-password Folder Structure]


Step 3: Configure the Application Properties

Open the application.properties file and add the MySQL database configuration properties of the project.

spring.application.name=security-update-password
# MySQL database configuration
spring.datasource.url=jdbc:mysql://localhost:3306/securityUser
spring.datasource.username=root
spring.datasource.password=
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
# Hibernate properties
spring.jpa.hibernate.ddl-auto=update
spring.jpa.show-sql=true
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL8Dialect
spring.main.allow-bean-definition-overriding=true
spring.main.allow-circular-references=true

Step 4: Create User Entity Class

Create User.java inside the model package.

  • Define fields like id, username, password, and enabled.
  • Use JPA annotations such as @Entity and @Id.

Step 5: Create UserRepository Interface

Create UserRepository.java inside the repository package.

  • Extend JpaRepository.
  • Add method findByUsername() to fetch user details from the database.

Step 6: Create UserService Class

Create UserService.java inside the service package.

  • Verify current password using PasswordEncoder.
  • Encode new password before saving.

This UserService class provides methods to handle user-related operations:

  • updatePassword: Updates the user's password after verifying the current password.
  • existsByUsername: Checks if a user with a given username exists in the repository.
  • saveUser: Saves a user entity to the repository.
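
One way to write the service described in this step, added here as an example and not the article's own code. It assumes the sub-package names under com.gfg.securityupdatepassword, the getPassword()/setPassword() accessors on User, and that findByUsername returns Optional<User>.

```java
package com.gfg.securityupdatepassword.service;

import com.gfg.securityupdatepassword.model.User;
import com.gfg.securityupdatepassword.repository.UserRepository;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class UserService {

    private final UserRepository userRepository;
    private final PasswordEncoder passwordEncoder;

    public UserService(UserRepository userRepository, PasswordEncoder passwordEncoder) {
        this.userRepository = userRepository;
        this.passwordEncoder = passwordEncoder;
    }

    /** Returns true only if currentPassword matched and the new hash was stored. */
    @Transactional
    public boolean updatePassword(String username, String currentPassword, String newPassword) {
        // Assumption: findByUsername returns Optional<User>.
        User user = userRepository.findByUsername(username).orElse(null);
        if (user == null) {
            return false;
        }
        // matches() re-hashes the raw input with the salt stored inside the BCrypt
        // hash; comparing encode(currentPassword) to the stored value never matches.
        if (!passwordEncoder.matches(currentPassword, user.getPassword())) {
            return false;
        }
        // Only the hash is persisted; the raw new password is never stored.
        user.setPassword(passwordEncoder.encode(newPassword));
        userRepository.save(user);
        return true;
    }

    public boolean existsByUsername(String username) {
        return userRepository.findByUsername(username).isPresent();
    }

    // Callers must pass a user whose password field is already encoded.
    public User saveUser(User user) {
        return userRepository.save(user);
    }
}
```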

Step 7: Configure Spring Security

Create SecurityConfig.java inside the config package.

  • Configure login and logout functionality.
  • Permit access to register and update-password endpoints.

This SecurityConfig class configures Spring Security for a web application:

  • It permits access to /register and /update-password endpoints without authentication.
  • Defines a form-based login page at /login with a redirect to /home upon successful login.
  • Uses BCryptPasswordEncoder for password hashing and authentication security.
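
Permitting /update-password without authentication lets anonymous requests reach the password-change handler, which conflicts with the goal that only authenticated users can change passwords. The configuration below is an added example (not the article's own code) that keeps the described rule as a comment beside a stricter one; the USER role, the isEnabled() accessor and an Optional-returning findByUsername are assumptions.

```java
package com.gfg.securityupdatepassword.config;

import com.gfg.securityupdatepassword.repository.UserRepository;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // Rule as described in this step (password form open to anonymous requests):
                //   .requestMatchers("/register", "/update-password").permitAll()
                // Stricter rule: only registration is public; /update-password needs a login.
                .requestMatchers("/register").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")
                .defaultSuccessUrl("/home", true)
                .permitAll())
            .logout(logout -> logout.permitAll());
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Assumptions: findByUsername returns Optional of the Step 4 entity; every user gets role USER.
    @Bean
    public UserDetailsService userDetailsService(UserRepository users) {
        return username -> users.findByUsername(username)
            .map(u -> User.withUsername(u.getUsername())
                .password(u.getPassword())
                .disabled(!u.isEnabled())
                .roles("USER")
                .build())
            .orElseThrow(() -> new UsernameNotFoundException(username));
    }
}
```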

Step 8: Create HomeController

Create HomeController.java inside the controller package.

  • Map /home endpoint.
  • Return home page after successful login.

This HomeController class defines a Spring MVC controller:

  • Annotates the class with @Controller for Spring to recognize it as a controller component.
  • Provides a home() method mapped to /home that returns the string "home", indicating the view name to render.
  • Directs requests to /home to display the corresponding view template, typically resolving to home.html.

Step 9: Create UserController

Create UserController.java inside the controller package.

  • Handle user registration.
  • Save encoded passwords into the database.
  • Check if username already exists.
  • Dependency Injection: The controller injects UserService and PasswordEncoder beans to manage user registration and password encoding.
  • Registration Handling: It defines methods for handling GET and POST requests to "/register", facilitating user registration with error handling for existing usernames.
  • View Navigation: Renders "register" for user input and redirects to "login" upon successful registration, utilizing Spring MVC's Model for message handling.

Step 10: Create PasswordController

Create PasswordController.java inside the controller package.

  • Display update password form.
  • Validate current and new passwords.
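
An added example (not the article's own code) of the controller from this step, taking the account name from the authenticated Principal instead of a request field. The form parameter names and the error and message model attributes are assumptions, and UserService.updatePassword is assumed to return a boolean.

```java
package com.gfg.securityupdatepassword.controller;

import com.gfg.securityupdatepassword.service.UserService;
import java.security.Principal;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class PasswordController {

    private final UserService userService;

    public PasswordController(UserService userService) {
        this.userService = userService;
    }

    @GetMapping("/update-password")
    public String showForm() {
        return "update-password";
    }

    @PostMapping("/update-password")
    public String updatePassword(@RequestParam("currentPassword") String currentPassword,
                                 @RequestParam("newPassword") String newPassword,
                                 @RequestParam("confirmPassword") String confirmPassword,
                                 Principal principal, Model model) {
        // principal is null when the request is anonymous; refuse instead of failing later.
        if (principal == null) {
            return "redirect:/login";
        }
        if (!newPassword.equals(confirmPassword)) {
            model.addAttribute("error", "New password and confirm password do not match");
            return "update-password";
        }
        // The username comes from the session, so a user can only change their own password.
        if (!userService.updatePassword(principal.getName(), currentPassword, newPassword)) {
            model.addAttribute("error", "Current password is incorrect");
            return "update-password";
        }
        model.addAttribute("message", "Password updated successfully");
        return "update-password";
    }
}
```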

Step 11: Main Class

Go to src > main > java > com.gfg.securityupdatepassword > SecurityUpdatePasswordApplication

Step 12: Create HTML Pages

Create Thymeleaf HTML pages:

  • register.html
  • login.html
  • home.html
  • update-password.html

This HTML template is for a registration form using Thymeleaf with Bootstrap styling. It includes fields for username and password, styled with Bootstrap classes. Error and success messages are displayed conditionally. The form submits to "/register", and links are provided for login. The page uses Bootstrap for styling and includes necessary JavaScript dependencies for Bootstrap components.

Create the Login HTML Page

This HTML template is for a login form using Thymeleaf with Bootstrap styling. It includes fields for username and password, styled with Bootstrap classes. The form submits to "/login", and there's a link to register for new users. The page uses Bootstrap for styling and includes necessary JavaScript dependencies for Bootstrap components.

Create the Home HTML Page

This HTML template creates a simple home page for authenticated users, styled with Bootstrap. It displays a greeting and provides buttons to update the password and logout. The buttons link to "/update-password" and "/logout" respectively. The page uses Bootstrap for styling and includes necessary JavaScript dependencies for Bootstrap components.

Create the update-password HTML Page

This HTML template provides a form for updating the user's password, styled with Bootstrap. It includes fields for current password, new password, and confirm new password. The form submits to "/update-password" using Thymeleaf for server-side rendering. Error and success messages are displayed dynamically based on Thymeleaf model attributes. The page uses Bootstrap for styling and includes necessary JavaScript dependencies for Bootstrap components.

Step 13: Run the application

Now run the application; it will start on port 8080 on the Tomcat server.

[Image: Application Runs]

Step 14: Testing the Application

1. Register page:

http://localhost:8080/register

Output:

[Image: Register Page]

2. Login page:

http://localhost:8080/login

Output:

[Image: Login Page]

3. Home Page:

http://localhost:8080/home

Output:

[Image: Home Page]

4. Update Password page:

http://localhost:8080/update-password

Output:

[Image: Update Password Page]