If Spring Security is on the classpath, then web applications are secure by default. Spring Boot relies on Spring Security’s content-negotiation strategy to determine whether to use httpBasic or formLogin. To add method-level security to a web application, you can also add @EnableGlobalMethodSecurity with your desired settings. Additional information can be found in the Spring Security Reference.

The default AuthenticationManager has a single user (the user name is ‘user’, and the password is random and is printed at INFO level when the application starts), as shown in the following example:
Using default security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
Note: If you fine-tune your logging configuration, ensure that the
The default security configuration is implemented in SecurityAutoConfiguration and in the classes imported from there (SpringBootWebSecurityConfiguration for web security and AuthenticationManagerConfiguration for authentication configuration, which is also relevant in non-web applications). To switch off the default web application security configuration completely, you can add a bean of type WebSecurityConfigurerAdapter (this does not disable the authentication manager configuration or Actuator’s security). To also switch off the authentication manager configuration, you can add a bean of type UserDetailsService, AuthenticationProvider, or AuthenticationManager.
There are several secure applications in the Spring Boot samples to get you started with common use cases.

The basic features you get by default in a web application are:

- A UserDetailsService bean with an in-memory store and a single user with a generated password.

Access rules can be overridden by adding a custom WebSecurityConfigurerAdapter. Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources. EndpointRequest can be used to create a RequestMatcher that is based on the management.endpoints.web.base-path property. StaticResourceRequest can be used to create a RequestMatcher for static resources in commonly used locations.
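As an added example (not code from the Spring Boot reference or from the project's samples), the following WebSecurityConfigurerAdapter uses EndpointRequest and StaticResourceRequest to open the health and info endpoints and the common static-resource locations, requires the ACTUATOR role for every other actuator endpoint, and keeps the rest of the application behind authentication. The endpoint IDs "health" and "info" and the package names of EndpointRequest and StaticResourceRequest are assumptions about the Spring Boot 2.0 line; check them against the version you run. Because adding this bean switches off the default web security configuration, every rule you still want, including authentication for the rest of the application, has to be stated here.

```java
// Assumed packages for the Spring Boot 2.0 line; verify against your version.
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.autoconfigure.security.servlet.StaticResourceRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example: replaces Spring Boot's default access rules.
 * The matchers from EndpointRequest resolve the actuator paths from
 * management.endpoints.web.base-path, so the rules keep working if that
 * property is changed instead of hard-coding "/actuator/...".
 */
@Configuration
public class ActuatorAccessRulesConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Assumed endpoint IDs: health and info stay reachable without credentials
                // so that load balancers and monitoring can probe them.
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // Every other actuator endpoint (env, beans, ...) needs the ACTUATOR role.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
                // CSS, JavaScript and images in the common static locations are public.
                .requestMatchers(StaticResourceRequest.toCommonLocations()).permitAll()
                // Everything else in the application still requires an authenticated user.
                .anyRequest().authenticated()
                .and()
            // Keep both entry points, matching what the default configuration negotiates.
            .httpBasic()
                .and()
            .formLogin();
    }
}
```

Rule order matters: Spring Security evaluates the matchers top to bottom and uses the first match, so the narrower health/info rule has to precede the toAnyEndpoint() rule, and the anyRequest() rule must come last.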
OAuth2 is a widely used authorization framework that is supported by Spring. If you have spring-security-oauth2-client on your classpath, you can take advantage of some auto-configuration to make it easy to set up an OAuth2 Client. This configuration makes use of the properties under OAuth2ClientProperties.

You can register multiple OAuth2 clients and providers under the spring.security.oauth2.client prefix, as shown in the following example:

```properties
spring.security.oauth2.client.registration.my-client-1.client-id=abcd
spring.security.oauth2.client.registration.my-client-1.client-secret=password
spring.security.oauth2.client.registration.my-client-1.client-name=Client for user scope
spring.security.oauth2.client.registration.my-client-1.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-1.scope=user
spring.security.oauth2.client.registration.my-client-1.redirect-uri-template=http://my-redirect-uri.com
spring.security.oauth2.client.registration.my-client-1.client-authentication-method=basic
spring.security.oauth2.client.registration.my-client-1.authorization-grant-type=authorization_code

spring.security.oauth2.client.registration.my-client-2.client-id=abcd
spring.security.oauth2.client.registration.my-client-2.client-secret=password
spring.security.oauth2.client.registration.my-client-2.client-name=Client for email scope
spring.security.oauth2.client.registration.my-client-2.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-2.scope=email
spring.security.oauth2.client.registration.my-client-2.redirect-uri-template=http://my-redirect-uri.com
spring.security.oauth2.client.registration.my-client-2.client-authentication-method=basic
spring.security.oauth2.client.registration.my-client-2.authorization-grant-type=authorization_code

spring.security.oauth2.client.provider.my-oauth-provider.authorization-uri=http://my-auth-server/oauth/authorize
spring.security.oauth2.client.provider.my-oauth-provider.token-uri=http://my-auth-server/oauth/token
spring.security.oauth2.client.provider.my-oauth-provider.user-info-uri=http://my-auth-server/userinfo
spring.security.oauth2.client.provider.my-oauth-provider.jwk-set-uri=http://my-auth-server/token_keys
spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=name
```
By default, Spring Security’s OAuth2LoginAuthenticationFilter will only process URLs matching /login/oauth2/code/*. If you want to customize the redirect-uri-template to use a different pattern, you will need to provide configuration to process that custom pattern. For example, you can add your own WebSecurityConfigurerAdapter that looks like this:

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                // Must match the path used in redirect-uri-template
                .redirectionEndpoint()
                    .baseUri("/custom-callback");
    }

}
```
For common OAuth2 and OpenID providers such as Google, GitHub, Facebook, and Okta, we provide a set of provider defaults (google, github, facebook, and okta respectively). If you do not need to customize these providers, you can set the provider attribute to the one for which you need to infer defaults. Also, if the ID of your client matches the default supported provider, Spring Boot infers that as well. In other words, the two configurations in the following example use the Google provider:

```properties
spring.security.oauth2.client.registration.my-client.client-id=abcd
spring.security.oauth2.client.registration.my-client.client-secret=password
spring.security.oauth2.client.registration.my-client.provider=google

spring.security.oauth2.client.registration.google.client-id=abcd
spring.security.oauth2.client.registration.google.client-secret=password
```
If the Actuator is also in use, you can see that:

- AuditEvent instances are published to the AuditEventRepository.
- The default user has the ACTUATOR role as well as the USER role.

The Actuator security features can be modified by using external properties (management.security.*). To override the application access rules but not the actuator access rules, add a @Bean of type WebSecurityConfigurerAdapter and use @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER). Use @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER) if you do want to override the application access rules and the actuator access rules.
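As an added example (not code from the Spring Boot reference), the following adapter overrides only the application's access rules by carrying @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER); the actuator endpoints keep the rules configured through management.security.*. The paths /public/** and /admin/** and the ADMIN role are assumptions made for the illustration.

```java
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example: application-only access rules.
 * SecurityProperties.ACCESS_OVERRIDE_ORDER places this filter chain ahead of
 * Boot's default application chain but still behind the actuator chain, so the
 * actuator endpoints are untouched. Switching the annotation to
 * @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER) would make these
 * rules win for the actuator endpoints as well.
 */
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class ApplicationAccessRulesConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Assumed application paths: a public landing area and an admin area.
                .antMatchers("/", "/public/**").permitAll()
                // Assumed role: only administrators reach the admin area.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Every other application URL requires an authenticated user.
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

When testing this, request an actuator endpoint and an application URL separately: the application URL should follow the rules above, while the actuator endpoint should still answer according to the management.security.* properties.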