This section addresses questions about security when working with Spring Boot, including questions that arise from using Spring Security with Spring Boot.
For more about Spring Security, see the Spring Security project page.
If you define a @Configuration
with a WebSecurityConfigurerAdapter
in your application, it switches off the default webapp security settings in Spring Boot.
If you provide a @Bean
of type AuthenticationManager
, AuthenticationProvider
, or UserDetailsService
, the default @Bean
for InMemoryUserDetailsManager
is not created.
This means you have the full feature set of Spring Security available (such as various authentication options).
The easiest way to add user accounts is to provide your own UserDetailsService
bean.
Ensuring that all your main endpoints are only available over HTTPS is an important chore for any application.
If you use Tomcat as a servlet container, then Spring Boot adds Tomcat’s own RemoteIpValve
automatically if it detects some environment settings, and you should be able to rely on the HttpServletRequest
to report whether it is secure or not (even downstream of a proxy server that handles the real SSL termination).
The standard behavior is determined by the presence or absence of certain request headers (x-forwarded-for
and x-forwarded-proto
), whose names are conventional, so it should work with most front-end proxies.
You can switch on the valve by adding some entries to application.properties
, as shown in the following example:
server.tomcat.remote-ip-header=x-forwarded-for server.tomcat.protocol-header=x-forwarded-proto
(The presence of either of those properties switches on the valve.
Alternatively, you can add the RemoteIpValve
by adding a TomcatServletWebServerFactory
bean.)
To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own WebSecurityConfigurerAdapter
that adds the following HttpSecurity
configuration:
@Configuration public class SslWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { // Customize the application security http.requiresChannel().anyRequest().requiresSecure(); } }