If Spring Security is on the classpath then web applications will be secure by default
(“basic” authentication on all endpoints) . To add method-level security to a web
application you can simply @EnableGlobalMethodSecurity with your desired settings.
Additional information can be found in the Spring
Security Reference.
The default AuthenticationManager has a single user (username “user” and password
random, printed at INFO level when the application starts up). You can change the
password by providing a security.user.password. This and other useful properties
are externalized via
SecurityProperties.
If you define a @Configuration with @EnableWebSecurity anywhere in your application
it will switch off the default webapp security settings in Spring Boot. To tweak the
defaults try setting properties in security.* (see
SecurityProperties
for details of available settings) and SECURITY section of
Common application properties.
If you provide a @Bean of type AuthenticationManager the default one will not be
created, so you have the full feature set of Spring Security available (e.g.
various authentication options).
Spring Security also provides a convenient AuthenticationManagerBuilder which can be
used to build an AuthenticationManager with common options. The recommended way to
use this in a webapp is to inject it into a void method in a
WebSecurityConfigurerAdapter, e.g.
@Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser("barry").password("password").roles("USER"); // ... etc. } // ... other stuff for application security }
Ensuring that all your main endpoints are only available over HTTPS is an important
chore for any application. If you are using Tomcat as a servlet container, then
Spring Boot will add Tomcat’s own RemoteIpValve automatically if it detects some
environment settings, and you should be able to rely on the HttpServletRequest to
report whether it is secure or not (even downstream of the real SSL termination). The
standard behavior is determined by the presence or absence of certain request headers
(x-forwarded-for and x-forwarded-proto), whose names are conventional, so it should
work with most front end proxies. You can switch on the valve by adding some entries to
application.properties, e.g.
server.tomcat.remote_ip_header=x-forwarded-for server.tomcat.protocol_header=x-forwarded-proto
(The presence of either of those properties will switch on the valve. Or you can add the
RemoteIpValve yourself by adding a TomcatEmbeddedServletContainerFactory bean.)
Spring Security can also be configured to require a secure channel for all (or some
requests). To switch that on in a Spring Boot application you just need to set
security.require_https to true in application.properties.