If Spring Security is on the classpath then web applications will be secure by default
with “basic” authentication on all HTTP endpoints. To add method-level security to a web
application you can also add @EnableGlobalMethodSecurity
with your desired settings.
Additional information can be found in the Spring
Security Reference.
The default AuthenticationManager
has a single user (“user” username and random
password, printed at INFO level when the application starts up)
Using default security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
You can change the password by providing a security.user.password
. This and other
useful properties are externalized via
SecurityProperties
(properties prefix "security").
The default security configuration is implemented in SecurityAutoConfiguration
and in
the classes imported from there (SpringBootWebSecurityConfiguration
for web security
and AuthenticationManagerConfiguration
for authentication configuration which is also
relevant in non-web applications). To switch off the Boot default configuration
completely in a web application you can add a bean with @EnableWebSecurity
. To customize
it you normally use external properties and beans of type WebConfigurerAdapter
(e.g. to
add form-based login). There are several secure applications in the
Spring Boot samples to get you started with common
use cases.
The basic features you get out of the box in a web application are:
AuthenticationManager
bean with in-memory store and a single user (see
SecurityProperties.User
for the properties of the user).
/css/**
, /js/**
,
/images/**
and **/favicon.ico
).
ApplicationEventPublisher
(successful and
unsuccessful authentication and access denied).
All of the above can be switched on and off or modified using external properties
(security.*
). To override the access rules without changing any other autoconfigured
features add a @Bean
of type WebConfigurerAdapter
with
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
.
If the Actuator is also in use, you will find:
AuditEvents
and published to the AuditService
.
The Actuator security features can be modified using external properties
(management.security.*
). To override the application access rules
add a @Bean
of type WebConfigurerAdapter
and use
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
if you don’t want to override
the actuator access rules, or @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
if you do want to override the actuator access rules.