I showed you how to install and configure to use Spring Security in Spring MVC applications. With Spring Boot application, configuring Spring Security will be much simpler. We do not need to go through each step to configure the authentication and authorization of the application. Spring Boot helps us to reduce a lot of manipulations with the default configurations for Spring Security. How is it in detail? I will share with you some knowledge about Spring Security in Spring Boot application!
First, I will create a new Spring Boot application:
with Spring Web and Spring Security dependencies as follows:
Result:
Right now, you run the application and request to http://localhost:8080, you will see the default login page of Spring Security displayed as follows:
Obviously, Spring Boot already has the default configuration for Spring Security as soon as we add its dependency. The default username for you to log in is “user” and the password is generated and printed in the console log.
Enter username, password and then press the Sign In button, you will see the following results:
This is because we have not defined a request in our application yet. If I define the controller as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
package com.huongdanjava.springboot.springsecurity; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RestController; @RestController public class HelloController { @GetMapping("") public String sayHello() { return "Hello"; } } |
then you will see the following result:
You can change this default username and password by configuring the following 2 properties in the application.properties file:
|
1 2 |
spring.security.user.name=khanh spring.security.user.password=123456 |
Run the application again, you will see that the default password will not be generated anymore and we can use the username and password that we have declared above to log in.
Spring Boot uses the SecurityAutoConfiguration class to assign a default configuration to Spring Security. If take a look at the code of this SecurityAutoConfiguration class:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
package org.springframework.boot.autoconfigure.security.servlet; import org.springframework.boot.autoconfigure.EnableAutoConfiguration; import org.springframework.boot.autoconfigure.condition.ConditionalOnClass; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.boot.autoconfigure.security.SecurityDataConfiguration; import org.springframework.boot.autoconfigure.security.SecurityProperties; import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.context.ApplicationEventPublisher; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Import; import org.springframework.security.authentication.AuthenticationEventPublisher; import org.springframework.security.authentication.DefaultAuthenticationEventPublisher; /** * {@link EnableAutoConfiguration Auto-configuration} for Spring Security. * * @author Dave Syer * @author Andy Wilkinson * @author Madhura Bhave * @since 1.0.0 */ @Configuration(proxyBeanMethods = false) @ConditionalOnClass(DefaultAuthenticationEventPublisher.class) @EnableConfigurationProperties(SecurityProperties.class) @Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class, SecurityDataConfiguration.class }) public class SecurityAutoConfiguration { @Bean @ConditionalOnMissingBean(AuthenticationEventPublisher.class) public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) { return new DefaultAuthenticationEventPublisher(publisher); } } |
you will see that there are 3 other configuration classes imported into this class:
The SpringBootWebSecurityConfiguration class defines the default Spring Security configuration for the authorization part as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
package org.springframework.boot.autoconfigure.security.servlet; import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication; import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type; import org.springframework.boot.autoconfigure.security.ConditionalOnDefaultWebSecurity; import org.springframework.boot.autoconfigure.security.SecurityProperties; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.SecurityFilterChain; /** * The default configuration for web security. It relies on Spring Security's * content-negotiation strategy to determine what sort of authentication to use. If the * user specifies their own {@link WebSecurityConfigurerAdapter} or * {@link SecurityFilterChain} bean, this will back-off completely and the users should * specify all the bits that they want to configure as part of the custom security * configuration. * * @author Madhura Bhave */ @Configuration(proxyBeanMethods = false) @ConditionalOnDefaultWebSecurity @ConditionalOnWebApplication(type = Type.SERVLET) class SpringBootWebSecurityConfiguration { @Bean @Order(SecurityProperties.BASIC_AUTH_ORDER) SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception { http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic(); return http.build(); } } |
As you can see, by default Spring Security will block all requests, automatically generate a login form and use HTTP basic for authentication.
Class WebSecurityEnablerConfiguration automatically adds @EnableWebSecurity annotation if Spring Security is added to project dependencies.
Class SecurityDataConfiguration is automatically configured in relation to Spring Data.
As I told you in the tutorial about Configure Spring Security using WebSecurityConfigurerAdapter and AbstractSecurityWebApplicationInitializer, we can override the WebSecurityConfigurerAdapter class to change this configuration.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
package com.huongdanjava.springboot.springsecurity; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @Configuration public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { super.configure(http); } } |
and of course, you can also override the configure(AuthenticationManagerBuilder auth) method to replace the authentication configuration!
