If Spring Security is on the classpath then web applications will be secure by default
(“basic” authentication on all endpoints) . To add method-level security to a web
application you can simply @EnableGlobalMethodSecurity with your desired settings.
The default AuthenticationManager has a single user (username “user” and password
random, printed at INFO level when the application starts up). You can change the
password by providing a security.user.password. This and other useful properties
are externalized via http://github.com/spring-projects/spring-boot/tree/v1.0.0.RC5/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityPropertiesjava[SecurityProperties.
If you define a @Configuration with @EnableWebSecurity anywhere in your application
it will switch off the default webapp security settings in Spring Boot. To tweak the
defaults try setting properties in security.* (see
SecurityProperties
for details of available settings).
If you provide a @Bean of type AuthenticationManager the default one will not be
created, so you have the full feature set of Spring Security available (e.g.
various authentication options).
Spring Security also provides a convenient AuthenticationManagerBuilder which can be
used to build an AuthenticationManager with common options. The recommended way to
use this in a webapp is to inject it into a void method in a
WebSecurityConfigurerAdapter, e.g.
@Configuration @Order(0) public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Autowired protected void init(AuthenticationManagerBuilder builder) { builder.inMemoryAuthentication().withUser("barry"); // ... etc. } // ... other stuff for application security }
The configuration class that does this should declare an @Order so that it is used
before the default one in Spring Boot (which has very low precedence).
Ensuring that all your main endpoints are only available over HTTPS is an important
chore for any application. If you are using Tomcat as a servlet container, then
Spring Boot will add Tomcat’s own RemoteIpValve automatically if it detects some
environment settings, and you should be able to rely on the HttpServletRequest to
report whether it is secure or not (even downstream of the real SSL termination). The
standard behavior is determined by the presence or absence of certain request headers
(x-forwarded-for and x-forwarded-proto), whose names are conventional, so it should
work with most front end proxies. You can switch on the valve by adding some entries to
application.properties, e.g.
server.tomcat.remote_ip_header=x-forwarded-for server.tomcat.protocol_header=x-forwarded-proto
(The presence of either of those properties will switch on the valve. Or you can add the
RemoteIpValve yourself by adding a TomcatEmbeddedServletContainerFactory bean.)
Spring Security can also be configured to require a secure channel for all (or some
requests). To switch that on in a Spring Boot application you just need to set
security.require_https to true in application.properties.