Spring Boot - Security getting started

[Last Updated: Jun 3, 2018]

In Spring Boot, security gets enabled if the spring-security dependency is on the classpath. The easiest way to enable security in Spring Boot is to add spring-boot-starter-security dependency. By default Spring Boot adds a single user as name 'user' and a generated random password. The password can be found on the console during startup.

Example

pom.xml

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Example Controller

@RestController
public class TestController {

  @RequestMapping("/")
  public String handler() {
      Authentication auth = SecurityContextHolder.getContext()
                                                 .getAuthentication();
      System.out.println("user: "+ auth.getName());
      System.out.println("roles: "+ auth.getAuthorities());
      return "hello!";
  }
}

Running

To try examples, run spring-boot maven plugin (configured in pom.xml of example project below):

mvn spring-boot:run

Or run the main method class from IDE.

For me following password is printed on the console:

Using generated security password: f2d2cf83-16f3-43dd-b07a-b60c88d32c28

Access the application at http://localhost:8080/. The page will be redirected to the login page:

Entring user and the password and clicking on login:

Changing default User name and password

To replace default user name and password we need to use spring.security.user.name and spring.security.user.password properties in application.properties. For example:

src/main/resources/application.properties

To assign a role to the default user we can use spring.security.user.roles property. For example:

spring.security.user.roles=ADMIN

By default no role is specified.

Spring Boot default Security Configuration

The auto configuration classes can be found in org.springframework.boot.autoconfigure.security package. Following is a screenshot from Intellij:

The configuration class SpringBootWebSecurityConfiguration registers a bean extending WebSecurityConfigurerAdapter without modifying the default security configuration. Default configuration uses in-memory authentication. Every URL is required authentication in the application. Also Basic Authentication (instead of form based authentication) is used by default (see source code WebSecurityConfigurerAdapter#configure(HttpSecurity http)).

Also check out Spring Security tutorials.

Example Project

Dependencies and Technologies Used:

Spring Boot 2.0.2.RELEASE
Corresponding Spring Version 5.0.6.RELEASE
spring-boot-starter-web : Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container.
spring-boot-starter-security : Starter for using Spring Security.
Uses org.springframework.security:spring-security-web version 5.0.5.RELEASE
JDK 1.8
Maven 3.3.9

Enabling Security in Spring Boot

Select All

Download

boot-security-getting-started
- src
  - main
    - java
      - com
        logicbig
        example
        
        SpringBootSecurityExampleMain.java
        
        TestController.java
    - resources
      - application.properties
- pom.xml