If Spring Security is on the classpath then web applications will be secure by default
with ‘basic’ authentication on all HTTP endpoints. To add method-level security to a web
application you can also add
@EnableGlobalMethodSecurity with your desired settings.
Additional information can be found in the Spring
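As an added example of the method-level security mentioned above (not code from the Spring Boot reference or the project), the following assumes a hypothetical package, configuration class and service; the `@EnableGlobalMethodSecurity` annotation, `@PreAuthorize` and `@P` are the real Spring Security APIs. Method security complements the URL-based rules: the check runs on every call to the annotated method, whichever endpoint reached it. Note that newer Spring Security releases (5.6 and later) offer `@EnableMethodSecurity` as the successor to `@EnableGlobalMethodSecurity`.

```java
// Added example, not part of the Spring Boot reference documentation.
// Package, class and method names below are hypothetical.
package com.example.demo.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.parameters.P;
import org.springframework.stereotype.Service;

@Configuration
// prePostEnabled switches on @PreAuthorize / @PostAuthorize expression checks.
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig {
}

@Service
class AccountService {

    // Enforced on every invocation, independent of which URL pattern led here,
    // so an unanticipated route to this method cannot bypass the ADMIN rule.
    @PreAuthorize("hasRole('ADMIN')")
    public void closeAccount(String accountId) {
        // ... domain logic (hypothetical) ...
    }

    // The caller may only read their own account: the method argument is
    // compared with the authenticated principal's name. @P names the
    // parameter explicitly so the expression does not rely on debug info.
    @PreAuthorize("#username == authentication.name")
    public String loadAccount(@P("username") String username) {
        return "account-of-" + username;
    }
}
```

A denied check raises `AccessDeniedException`, which in a web application is reported through the same access-denied handling (and the access-denied events described later on this page) as a URL rule would be.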
AuthenticationManager has a single user (‘user’ username and random
password, printed at INFO level when the application starts up)
Using default security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
If you fine-tune your logging configuration, ensure that the
You can change the password by providing a
security.user.password. This and other useful
properties are externalized via
(properties prefix "security").
The default security configuration is implemented in
SecurityAutoConfiguration and in
the classes imported from there (
SpringBootWebSecurityConfiguration for web security and
AuthenticationManagerConfiguration for authentication configuration, which is also
relevant in non-web applications). To switch off the default web application security
configuration completely you can add a bean with
@EnableWebSecurity (this does not
disable the authentication manager configuration or Actuator’s security).
To customize it you normally use external properties and beans of type
WebSecurityConfigurerAdapter (e.g. to add form-based login).
If you add
To also switch off the authentication manager configuration
you can add a bean of type
AuthenticationManager, or else configure the
AuthenticationManager by autowiring an
a method in one of your
@Configuration classes. There are several secure applications in
the Spring Boot samples to get you started with common
The basic features you get out of the box in a web application are:
AuthenticationManager bean with in-memory store and a single user (see
SecurityProperties.User for the properties of the user).
ApplicationEventPublisher (successful and unsuccessful authentication and access denied).
All of the above can be switched on and off or modified using external properties
(security.*). To override the access rules without changing any other auto-configured
features add a
@Bean of type
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) and configure it to meet your needs.
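The following is an added example (not from the Spring Boot reference or any sample) of the two customisations discussed above: a WebSecurityConfigurerAdapter bean ordered with SecurityProperties.ACCESS_OVERRIDE_ORDER, so only the access rules change and the other auto-configured features (including the Actuator rules) stay in place, and an AuthenticationManager configured by autowiring an AuthenticationManagerBuilder into a method of a @Configuration class. The package, class name, URL patterns and the `app.admin-password` property are hypothetical; the annotations, builder methods and BCryptPasswordEncoder are real Spring Security/Boot APIs. One caveat: SecurityProperties.ACCESS_OVERRIDE_ORDER belongs to the Spring Boot generation this page documents (1.x and the early 2.0 milestones) and was removed in Spring Boot 2.0 GA, and WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7, so on later versions the same rules are expressed as a SecurityFilterChain bean.

```java
// Added example, not part of the Spring Boot reference documentation.
// Package, class, URL patterns and the app.admin-password property are hypothetical.
package com.example.demo.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
// ACCESS_OVERRIDE_ORDER places this adapter so that it replaces only the
// auto-configured access rules; the Actuator rules and other defaults remain.
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class AccessRulesConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical externalised property; keeps the credential out of source.
    @Value("${app.admin-password}")
    private String adminPassword;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Unauthenticated access is granted only to explicitly listed paths ...
                .antMatchers("/public/**").permitAll()
                // ... administrative paths need the ADMIN role ...
                .antMatchers("/admin/**").hasRole("ADMIN")
                // ... and everything else still needs an authenticated user.
                .anyRequest().authenticated()
                .and()
            .httpBasic();
        // CSRF protection, HSTS and the other low-level defaults are not
        // touched here, so they stay on.
    }

    // Autowiring the AuthenticationManagerBuilder into a @Configuration method
    // replaces the auto-configured single in-memory user. Passwords are stored
    // hashed with BCrypt; Spring Security 5 refuses plain-text passwords unless
    // an encoder is configured.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("admin")
                .password(encoder.encode(adminPassword))
                .roles("ADMIN");
    }
}
```

With this in place the random default password is no longer generated, and a request to a path under /admin/ from a user without ROLE_ADMIN is rejected with 403 and published as an access-denied event, which is the signal to alert on.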
By default, a
If you have
spring-security-oauth2-client on your classpath you can take advantage of
some auto-configuration to make it easy to set up an OAuth2 Client. This configuration
makes use of the properties under
You can register multiple OAuth2 clients and providers under the
spring.security.oauth2.client prefix. For example:
    spring:
      security:
        oauth2:
          client:
            registration:
              my-client-1:
                client-id: abcd
                client-secret: password
                client-name: Client for user scope
                provider: my-oauth-provider
                scope: user
                redirect-uri: http://my-redirect-uri.com
                authentication-method: basic
                authorization-grant-type: authorization_code
              my-client2:
                client-id: abcd
                client-secret: password
                client-name: Client for email scope
                provider: my-oauth-provider
                scope: email
                redirect-uri: http://my-redirect-uri.com
                authentication-method: basic
                authorization-grant-type: authorization_code
            provider:
              my-oauth-provider:
                authorization-uri: http://my-auth-server/oauth/authorize
                token-uri: http://my-auth-server/oauth/token
                user-info-uri: http://my-auth-server/userinfo
                jwk-set-uri: http://my-auth-server/token_keys
                user-name-attribute: name
For common OAuth2 and OpenID providers such as Google, GitHub, Facebook and Okta,
we provide a set of provider defaults. If you don’t need to customize these providers, you
do not need to provide the
If the Actuator is also in use, you will find:
AuditEvent instances and published to the
ACTUATOR role as well as the
The Actuator security features can be modified using external properties
(management.security.*). To override the application access rules
@Bean of type
WebSecurityConfigurerAdapter and use
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) if you don’t want to override
the actuator access rules, or
if you do want to override the actuator access rules.