Using Spring Security in Spring Boot

I previously showed you how to install and configure Spring Security in Spring MVC applications. In a Spring Boot application, configuring Spring Security is much simpler. We do not need to go through each step to configure the authentication and authorization of the application, because Spring Boot provides default configurations for Spring Security that remove a lot of manual work. How does it work in detail? In this tutorial, I will share some knowledge about Spring Security in a Spring Boot application!

First, I will create a new Spring Boot application:

with Spring Web and Spring Security dependencies as follows:

Result:

If you run the application now and request http://localhost:8080, you will see the default login page of Spring Security displayed as follows:

Obviously, Spring Boot already has the default configuration for Spring Security as soon as we add its dependency. The default username for you to log in is “user” and the password is generated and printed in the console log.

Enter the username and password, then press the Sign In button, and you will see the following result:

This is because we have not defined a request in our application yet. If I define the controller as follows:

then you will see the following result:

You can change this default username and password by configuring the following 2 properties in the application.properties file:

Run the application again and you will see that the default password is no longer generated, and we can log in with the username and password that we declared above.

Spring Boot uses the SecurityAutoConfiguration class to assign a default configuration to Spring Security. If you take a look at the code of this SecurityAutoConfiguration class:

you will see that there are 3 other configuration classes imported into this class:

The SpringBootWebSecurityConfiguration class defines the default Spring Security configuration for the authorization part as follows:

As you can see, by default Spring Security requires authentication for all requests, automatically generates a login form, and uses HTTP Basic for authentication.

The WebSecurityEnablerConfiguration class automatically adds the @EnableWebSecurity annotation if Spring Security is added to the project dependencies.

The SecurityDataConfiguration class automatically configures the integration between Spring Security and Spring Data.

As I told you in the tutorial about Configure Spring Security using WebSecurityConfigurerAdapter and AbstractSecurityWebApplicationInitializer, we can extend the WebSecurityConfigurerAdapter class to change this configuration.

And of course, you can also override the configure(AuthenticationManagerBuilder auth) method to replace the authentication configuration!
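The two overrides described above, as an added example that is not the author's code and applies to Spring Security versions that still ship WebSecurityConfigurerAdapter (it was deprecated in 5.7 and removed in 6.0). The class name, the `/admin/**` path, the user name `demo` and the `DEMO_USER_PASSWORD` environment variable are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class; place it in the application's base package so it is component-scanned.
@Configuration
public class CustomSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // store only hashed passwords
    }

    // Authorization: same shape as the Boot default, plus one role-restricted path.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN") // assumed path, for illustration
                .anyRequest().authenticated()              // everything else needs a login
                .and()
            .formLogin()                                   // generated login form
                .and()
            .httpBasic();                                  // HTTP Basic for non-browser clients
    }

    // Authentication: replaces the default "user" account with one in-memory user.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        String rawPassword = System.getenv("DEMO_USER_PASSWORD"); // assumed variable name
        if (rawPassword == null || rawPassword.isEmpty()) {
            // Fail at startup instead of running with an empty or guessable password.
            throw new IllegalStateException("DEMO_USER_PASSWORD is not set");
        }
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("demo")
            .password(passwordEncoder().encode(rawPassword))
            .roles("USER");
    }
}
```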
