org.springframework.boot.autoconfigure.security

Class SpringBootWebSecurityConfiguration

java.lang.Object

org.springframework.boot.autoconfigure.security.SpringBootWebSecurityConfiguration

@Configuration
 @EnableConfigurationProperties
 @ConditionalOnClass(value={org.springframework.security.config.annotation.web.configuration.EnableWebSecurity.class,org.springframework.security.web.AuthenticationEntryPoint.class})
 @ConditionalOnMissingBean(value=org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.class)
 @ConditionalOnWebApplication
 @EnableWebSecurity
public class SpringBootWebSecurityConfiguration
extends Object

Configuration for security of a web application or service. By default everything is secured with HTTP Basic authentication except the explicitly ignored paths (defaults to /css/**, /js/**, /images/**, /**/favicon.ico ). Many aspects of the behavior can be controller with SecurityProperties via externalized application properties (or via an bean definition of that type to set the defaults). The user details for authentication are just placeholders (username=user, password=password) but can easily be customized by providing a an AuthenticationManager. Also provides audit logging of authentication events.

Some common simple customizations:

• Switch off security completely and permanently: remove Spring Security from the classpath or exclude SecurityAutoConfiguration.
• Switch off security temporarily (e.g. for a dev environment): set security.basic.enabled=false
• Customize the user details: autowire an AuthenticationManagerBuilder into a method in one of your configuration classes or equivalently add a bean of type AuthenticationManager
• Add form login for user facing resources: add a WebSecurityConfigurerAdapter and use HttpSecurity.formLogin()

Author:

Dave Syer, Andy Wilkinson

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	SpringBootWebSecurityConfiguration.ApplicationNoWebSecurityConfigurerAdapter
protected static class	SpringBootWebSecurityConfiguration.ApplicationWebSecurityConfigurerAdapter

Constructor Summary

Constructors

Constructor and Description
SpringBootWebSecurityConfiguration()

Method Summary

Modifier and Type	Method and Description
static void	configureHeaders(HeadersConfigurer<?> configurer, SecurityProperties.Headers headers)
IgnoredRequestCustomizer	defaultIgnoredRequestsCustomizer(ServerProperties server, SecurityProperties security, ObjectProvider<ErrorController> errorController)
org.springframework.boot.autoconfigure.security.SpringBootWebSecurityConfiguration.IgnoredPathsWebSecurityConfigurerAdapter	ignoredPathsWebSecurityConfigurerAdapter(List<IgnoredRequestCustomizer> customizers)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SpringBootWebSecurityConfiguration

public SpringBootWebSecurityConfiguration()

Method Detail

ignoredPathsWebSecurityConfigurerAdapter

@Bean
 @ConditionalOnMissingBean(value=org.springframework.boot.autoconfigure.security.SpringBootWebSecurityConfiguration.IgnoredPathsWebSecurityConfigurerAdapter.class)
public org.springframework.boot.autoconfigure.security.SpringBootWebSecurityConfiguration.IgnoredPathsWebSecurityConfigurerAdapter ignoredPathsWebSecurityConfigurerAdapter(List<IgnoredRequestCustomizer> customizers)

defaultIgnoredRequestsCustomizer

@Bean
public IgnoredRequestCustomizer defaultIgnoredRequestsCustomizer(ServerProperties server,
                                                                       SecurityProperties security,
                                                                       ObjectProvider<ErrorController> errorController)

configureHeaders

public static void configureHeaders(HeadersConfigurer<?> configurer,
                                    SecurityProperties.Headers headers)
                             throws Exception

Throws:

Exception