28. Security

If Spring Security is on the classpath, then web applications are secure by default with ‘basic’ authentication on all HTTP endpoints. To add method-level security to a web application, you can also add @EnableGlobalMethodSecurity with your desired settings. Additional information can be found in the Spring Security Reference.
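The method-level security mentioned above, as an added example that is not part of the Spring Boot reference: a configuration class that turns on pre/post annotations, and a hypothetical `AccountService` whose authorization rules travel with the methods rather than with any one controller. The class and method names are assumptions.

```java
// MethodSecurityConfig.java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

// Enables evaluation of @PreAuthorize / @PostAuthorize on Spring beans.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig {
}

// AccountService.java (hypothetical service used to show the annotations)
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class AccountService {

    // Only callers holding ROLE_ADMIN reach the body; everyone else gets an
    // AccessDeniedException, whichever controller or job invoked the method.
    @PreAuthorize("hasRole('ADMIN')")
    public void closeAccount(String accountId) {
        // ... close the account
    }

    // Ownership check: the authenticated principal's name must equal the
    // requested owner, so a user cannot fetch another user's statement.
    @PreAuthorize("#owner == authentication.name")
    public String statement(String owner) {
        return "statement for " + owner;
    }
}
```

The `#owner` expression needs parameter names at runtime, so compile with debug information or `-parameters`; otherwise the check cannot resolve the argument and fails closed.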

The default AuthenticationManager has a single user (the user name is ‘user’, and the password is random and is printed at INFO level when the application starts), as shown in the following example:

Using default security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35

Note

If you fine-tune your logging configuration, ensure that the org.springframework.boot.autoconfigure.security category is set to log INFO-level messages. Otherwise, the default password is not printed.

You can change the password by setting the security.user.password property. This and other useful properties are externalized through SecurityProperties (properties with the "security" prefix).

The default security configuration is implemented in SecurityAutoConfiguration and in the classes imported from there (SpringBootWebSecurityConfiguration for web security and AuthenticationManagerConfiguration for authentication configuration, which is also relevant in non-web applications). To switch off the default web application security configuration completely, you can add a bean with @EnableWebSecurity (this does not disable the authentication manager configuration or Actuator’s security). To customize it, you normally use external properties and beans of type WebSecurityConfigurerAdapter (for example, to add form-based login).

Note

If you add @EnableWebSecurity and also disable Actuator security, you get the default form-based login for the entire application, unless you add a custom WebSecurityConfigurerAdapter.

To also switch off the authentication manager configuration, you can add a bean of type AuthenticationManager or configure the global AuthenticationManager by autowiring an AuthenticationManagerBuilder into a method in one of your @Configuration classes. There are several secure applications in the Spring Boot samples to get you started with common use cases.
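Configuring the global AuthenticationManager through an autowired AuthenticationManagerBuilder, as an added example rather than code from the Spring Boot reference or its samples. The user names and secrets are constructed for illustration; a real application would load them from an external store.

```java
// AuthenticationConfig.java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class AuthenticationConfig {

    // Passwords are stored hashed; BCrypt is a reasonable default work factor.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Autowiring the builder into a @Configuration method replaces Boot's
    // single auto-generated user with the users registered here.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            // Constructed sample users; replace with credentials from your own store.
            .withUser("alice")
                .password(encoder.encode("alice-example-secret"))
                .roles("USER")
            .and()
            .withUser("ops")
                .password(encoder.encode("ops-example-secret"))
                .roles("USER", "ACTUATOR");
    }
}
```

Because the default user is gone, the random password is no longer printed at startup, and the ACTUATOR role has to be granted explicitly to whoever should reach the management endpoints.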

The basic features you get by default in a web application are:

All of the above can be switched on and off or modified by setting external properties (security.*). To override the access rules without changing any other auto-configured features, add a @Bean of type WebSecurityConfigurerAdapter with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) and configure it to meet your needs.

Note

By default, a WebSecurityConfigurerAdapter matches any path. If you do not want to completely override Spring Boot’s auto-configured access rules, your adapter must explicitly configure the paths that you do want to override.
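An access-rule override that respects the note above, added here as an example and not taken from the Spring Boot reference: the adapter is pinned to `/api/**` with `antMatcher`, so Boot's auto-configured rules keep applying everywhere else. The `/api` paths are assumptions.

```java
// ApiAccessRules.java
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class ApiAccessRules extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope this filter chain to /api/** only. Without this call the
            // adapter matches every path and replaces all auto-configured rules.
            .antMatcher("/api/**")
            .authorizeRequests()
                // Unauthenticated read-only status endpoint (hypothetical path).
                .antMatchers(HttpMethod.GET, "/api/status").permitAll()
                // Destructive operations require ROLE_ADMIN.
                .antMatchers(HttpMethod.DELETE, "/api/**").hasRole("ADMIN")
                // Everything else under /api/** needs an authenticated caller,
                // so a newly added endpoint is never open by accident.
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

The closing `anyRequest().authenticated()` is the important line for a reviewer: it gives the chain a deny-by-default fallthrough, so only the paths listed before it are ever exposed more widely.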

28.1 OAuth2

OAuth2 is a widely used authorization framework that is supported by Spring.

28.1.1 Client

If you have spring-security-oauth2-client on your classpath, you can take advantage of some auto-configuration to make it easy to set up an OAuth2 Client. This configuration makes use of the properties under OAuth2ClientProperties.

You can register multiple OAuth2 clients and providers under the spring.security.oauth2.client prefix, as shown in the following example:

spring.security.oauth2.client.registration.my-client-1.client-id=abcd
spring.security.oauth2.client.registration.my-client-1.client-secret=password
spring.security.oauth2.client.registration.my-client-1.client-name=Client for user scope
spring.security.oauth2.client.registration.my-client-1.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-1.scope=user
spring.security.oauth2.client.registration.my-client-1.redirect-uri=http://my-redirect-uri.com
spring.security.oauth2.client.registration.my-client-1.client-authentication-method=basic
spring.security.oauth2.client.registration.my-client-1.authorization-grant-type=authorization_code

spring.security.oauth2.client.registration.my-client-2.client-id=abcd
spring.security.oauth2.client.registration.my-client-2.client-secret=password
spring.security.oauth2.client.registration.my-client-2.client-name=Client for email scope
spring.security.oauth2.client.registration.my-client-2.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-2.scope=email
spring.security.oauth2.client.registration.my-client-2.redirect-uri=http://my-redirect-uri.com
spring.security.oauth2.client.registration.my-client-2.client-authentication-method=basic
spring.security.oauth2.client.registration.my-client-2.authorization-grant-type=authorization_code

spring.security.oauth2.client.provider.my-oauth-provider.authorization-uri=http://my-auth-server/oauth/authorize
spring.security.oauth2.client.provider.my-oauth-provider.token-uri=http://my-auth-server/oauth/token
spring.security.oauth2.client.provider.my-oauth-provider.user-info-uri=http://my-auth-server/userinfo
spring.security.oauth2.client.provider.my-oauth-provider.jwk-set-uri=http://my-auth-server/token_keys
spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=name

For common OAuth2 and OpenID providers such as Google, GitHub, Facebook, and Okta, we provide a set of provider defaults (google, github, facebook, and okta respectively).

If you do not need to customize these providers, you can set the provider attribute to the one whose defaults you want to inherit. Also, if the registration ID of your client matches one of the supported providers, Spring Boot infers the provider from it as well.

In other words, the two configurations in the following example use the Google provider:

spring.security.oauth2.client.registration.my-client.client-id=abcd
spring.security.oauth2.client.registration.my-client.client-secret=password
spring.security.oauth2.client.registration.my-client.provider=google

spring.security.oauth2.client.registration.google.client-id=abcd
spring.security.oauth2.client.registration.google.client-secret=password

28.2 Actuator Security

If the Actuator is also in use, you can see that:

  • The management endpoints are secure even if the application endpoints are insecure.
  • Security events are transformed into AuditEvent instances and published to the AuditEventRepository.
  • The default user has the ACTUATOR role as well as the USER role.

The Actuator security features can be modified by using external properties (management.security.*). To override the application access rules but not the actuator access rules, add a @Bean of type WebSecurityConfigurerAdapter and use @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER). Use @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER) if you want to override both the application access rules and the actuator access rules.
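The AuditEvent publication listed above is the hook a defender wants for detection. The following listener is an added example, not code from the Spring Boot reference: it consumes the AuditApplicationEvents that Boot publishes for security events and flags principals that keep failing authentication. The threshold and the class name are assumptions.

```java
// AuthenticationFailureMonitor.java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.actuate.audit.AuditEvent;
import org.springframework.boot.actuate.audit.listener.AuditApplicationEvent;
import org.springframework.context.event.EventListener;
import org.springframework.stereotype.Component;

@Component
public class AuthenticationFailureMonitor {

    private static final Logger log = LoggerFactory.getLogger(AuthenticationFailureMonitor.class);

    // Illustrative threshold; tune it to your traffic and alerting pipeline.
    private static final int ALERT_THRESHOLD = 5;

    // Consecutive failures per principal since its last successful login.
    private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();

    @EventListener
    public void onAuditEvent(AuditApplicationEvent event) {
        AuditEvent audit = event.getAuditEvent();
        String principal = audit.getPrincipal();
        String type = audit.getType();

        if ("AUTHENTICATION_FAILURE".equals(type)) {
            int count = failures
                    .computeIfAbsent(principal, p -> new AtomicInteger())
                    .incrementAndGet();
            if (count >= ALERT_THRESHOLD) {
                // The "type" entry in the data map carries the exception class
                // (for example BadCredentialsException) that caused the failure.
                log.warn("{} consecutive authentication failures for principal '{}' ({})",
                        count, principal, audit.getData().get("type"));
            }
        } else if ("AUTHENTICATION_SUCCESS".equals(type)) {
            // A successful login resets the counter for that principal.
            failures.remove(principal);
        }
    }
}
```

The same events are also stored in the AuditEventRepository, so the counter here is only for near-real-time alerting; the repository remains the record to query after the fact.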