If Spring Security is on the classpath, then web applications are secure by default with
‘basic’ authentication on all HTTP endpoints. To add method-level security to a web
application, you can also add @EnableGlobalMethodSecurity
with your desired settings.
Additional information can be found in the Spring
Security Reference.
The default AuthenticationManager
has a single user (the user name is ‘user’, and the
password is random and is printed at INFO level when the application starts), as shown in
the following example:
Using default security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
Note | |
---|---|
If you fine-tune your logging configuration, ensure that the
|
You can change the password by providing a security.user.password
. This and other
useful properties are externalized via
SecurityProperties
(properties with a prefix of "security").
The default security configuration is implemented in SecurityAutoConfiguration
and in
the classes imported from there (SpringBootWebSecurityConfiguration
for web security
and AuthenticationManagerConfiguration
for authentication configuration, which is also
relevant in non-web applications). To switch off the default web application security
configuration completely, you can add a bean with @EnableWebSecurity
(this does not
disable the authentication manager configuration or Actuator’s security). To customize
it, you normally use external properties and beans of type WebSecurityConfigurerAdapter
(for example, to add form-based login).
Note | |
---|---|
If you add |
To also switch off the authentication manager configuration, you can add a bean of type
AuthenticationManager
or configure the global AuthenticationManager
by autowiring an
AuthenticationManagerBuilder
into a method in one of your @Configuration
classes.
There are several secure applications in the Spring
Boot samples to get you started with common use cases.
The basic features you get by default in a web application are:
AuthenticationManager
bean with in-memory store and a single user (see
SecurityProperties.User
for the properties of the user)./css/**
, /js/**
,
/images/**
, /webjars/**
, and **/favicon.ico
).ApplicationEventPublisher
(successful and
unsuccessful authentication and access denied).All of the above can be switched on and off or modified by setting external properties
(security.*
). To override the access rules without changing any other auto-configured
features, add a @Bean
of type WebSecurityConfigurerAdapter
with
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
and configure it to meet your needs.
Note | |
---|---|
By default, a |
OAuth2 is a widely used authorization framework that is supported by Spring.
If you have spring-security-oauth2-client
on your classpath, you can take advantage of
some auto-configuration to make it easy to set up an OAuth2 Client. This configuration
makes use of the properties under OAuth2ClientProperties
.
You can register multiple OAuth2 clients and providers under the
spring.security.oauth2.client
prefix, as shown in the following example:
spring.security.oauth2.client.registration.my-client-1.client-id=abcd spring.security.oauth2.client.registration.my-client-1.client-secret=password spring.security.oauth2.client.registration.my-client-1.client-name=Client for user scope spring.security.oauth2.client.registration.my-client-1.provider=my-oauth-provider spring.security.oauth2.client.registration.my-client-1.scope=user spring.security.oauth2.client.registration.my-client-1.redirect-uri=http://my-redirect-uri.com spring.security.oauth2.client.registration.my-client-1.client-authentication-method=basic spring.security.oauth2.client.registration.my-client-1.authorization-grant-type=authorization_code spring.security.oauth2.client.registration.my-client-2.client-id=abcd spring.security.oauth2.client.registration.my-client-2.client-secret=password spring.security.oauth2.client.registration.my-client-2.client-name=Client for email scope spring.security.oauth2.client.registration.my-client-2.provider=my-oauth-provider spring.security.oauth2.client.registration.my-client-2.scope=email spring.security.oauth2.client.registration.my-client-2.redirect-uri=http://my-redirect-uri.com spring.security.oauth2.client.registration.my-client-2.client-authentication-method=basic spring.security.oauth2.client.registration.my-client-2.authorization-grant-type=authorization_code spring.security.oauth2.client.provider.my-oauth-provider.authorization-uri=http://my-auth-server/oauth/authorize spring.security.oauth2.client.provider.my-oauth-provider.token-uri=http://my-auth-server/oauth/token spring.security.oauth2.client.provider.my-oauth-provider.user-info-uri=http://my-auth-server/userinfo spring.security.oauth2.client.provider.my-oauth-provider.jwk-set-uri=http://my-auth-server/token_keys spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=name
For common OAuth2 and OpenID providers such as Google, Github, Facebook, and Okta,
we provide a set of provider defaults (google
, github
, facebook
, and okta
respectively).
If you do not need to customize these providers, you can set the provider
attribute to
the one for which you need to infer defaults. Also if the ID of your client matches the
default supported provider, Spring Boot infers that as well.
In other words, the two configurations in the following example use the Google provider:
spring.security.oauth2.client.registration.my-client.client-id=abcd spring.security.oauth2.client.registration.my-client.client-secret=password spring.security.oauth2.client.registration.my-client.provider=google spring.security.oauth2.client.registration.google.client-id=abcd spring.security.oauth2.client.registration.google.client-secret=password
If the Actuator is also in use, you can see that:
AuditEvent
instances and published to the
AuditEventRepository
.ACTUATOR
role as well as the USER
role.The Actuator security features can be modified by using external properties
(management.security.*
). To override the application access rules but not the
actuator access rules, add a @Bean
of type WebSecurityConfigurerAdapter
and use
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
. Use
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
if you do want to override
the application access rules and the actuator access rules.