Don't log p/w when AuthenticationManagerBuilder configured

Fixes gh-12872

Author: mbhave

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.java

@@ -30,6 +30,7 @@
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
@@ -67,6 +68,7 @@ public class UserDetailsServiceAutoConfiguration {
 
 	@Bean
 	@ConditionalOnMissingBean(type = "org.springframework.security.oauth2.client.registration.ClientRegistrationRepository")
+	@Lazy
 	public InMemoryUserDetailsManager inMemoryUserDetailsManager(
 			SecurityProperties properties,
 			ObjectProvider<PasswordEncoder> passwordEncoder) {

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfigurationTests.java

@@ -34,7 +34,9 @@
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.authentication.TestingAuthenticationProvider;
 import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.PasswordEncoder;
@@ -149,6 +151,14 @@ public void userDetailsServiceWhenClientRegistrationRepositoryBeanPresent() {
 						.doesNotHaveBean(InMemoryUserDetailsManager.class)));
 	}
 
+	@Test
+	public void generatedPasswordShouldNotBePrintedIfAuthenticationManagerBuilderIsUsed() {
+		this.contextRunner
+				.withUserConfiguration(TestConfigWithAuthenticationManagerBuilder.class)
+				.run(((context) -> assertThat(this.outputCapture.toString())
+						.doesNotContain("Using generated security password: ")));
+	}
+
 	private void testPasswordEncoding(Class<?> configClass, String providedPassword,
 			String expectedPassword) {
 		this.contextRunner.withUserConfiguration(configClass)
@@ -227,4 +237,23 @@ public ClientRegistrationRepository clientRegistrationRepository() {
 
 	}
 
+	@Configuration
+	@Import(TestSecurityConfiguration.class)
+	protected static class TestConfigWithAuthenticationManagerBuilder {
+
+		@Bean
+		public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter() {
+			return new WebSecurityConfigurerAdapter() {
+				@Override
+				protected void configure(AuthenticationManagerBuilder auth)
+						throws Exception {
+					auth.inMemoryAuthentication().withUser("hero").password("{noop}hero")
+							.roles("HERO", "USER").and().withUser("user")
+							.password("{noop}user").roles("USER");
+				}
+			};
+		}
+
+	}
+
 }