If you define a @Configuration
with @EnableWebSecurity
anywhere in your application
it will switch off the default webapp security settings in Spring Boot. To tweak the
defaults try setting properties in security.*
(see
SecurityProperties
for details of available settings) and SECURITY
section of
Common application properties.
If you provide a @Bean
of type AuthenticationManager
the default one will not be
created, so you have the full feature set of Spring Security available (e.g.
various authentication options).
Spring Security also provides a convenient AuthenticationManagerBuilder
which can be
used to build an AuthenticationManager
with common options. The recommended way to
use this in a webapp is to inject it into a callback method in a
WebSecurityConfigurerAdapter
, e.g.
@Configuration @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser("barry").password("password").roles("USER"); // ... etc. } // ... other stuff for application security }
You will get the best results if you put this in a nested class, or a standalone class
(i.e. not mixed in with a lot of other @Beans
that might be allowed to influence the
order of instantiation). The secure web sample
is a useful template to follow.
If you experience instantiation issues (e.g. using JDBC or JPA for the user detail store)
it might be worth extracting the AuthenticationManagerBuilder
callback into a
GlobalAuthenticationConfigurerAdapter
(in the init()
method so it happens before the
authentication manager is needed elsewhere), e.g.
@Configuration public class AuthenticationManagerConfiguration extends GlobalAuthenticationConfigurerAdapter { @Override public void init(AuthenticationManagerBuilder auth) { auth.inMemoryAuthentication() // ... etc. } }
Ensuring that all your main endpoints are only available over HTTPS is an important
chore for any application. If you are using Tomcat as a servlet container, then
Spring Boot will add Tomcat’s own RemoteIpValve
automatically if it detects some
environment settings, and you should be able to rely on the HttpServletRequest
to
report whether it is secure or not (even downstream of a proxy server that handles the
real SSL termination). The standard behavior is determined by the presence or absence of
certain request headers (x-forwarded-for
and x-forwarded-proto
), whose names are
conventional, so it should work with most front end proxies. You can switch on the valve
by adding some entries to application.properties
, e.g.
server.tomcat.remote_ip_header=x-forwarded-for server.tomcat.protocol_header=x-forwarded-proto
(The presence of either of those properties will switch on the valve. Or you can add the
RemoteIpValve
yourself by adding a TomcatEmbeddedServletContainerFactory
bean.)
Spring Security can also be configured to require a secure channel for all (or some
requests). To switch that on in a Spring Boot application you just need to set
security.require_ssl
to true
in application.properties
.