In Spring Boot, security is enabled whenever the spring-security dependency is on the classpath. The easiest way to enable security in Spring Boot is to add the spring-boot-starter-security dependency. By default, Spring Boot adds a single user named 'user' with a randomly generated password. The password is printed on the console during startup.
Example
pom.xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
Example Controller
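import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class TestController {

    @RequestMapping("/")
    public String handler() {
        // The authenticated user of the current request is held in the SecurityContext.
        Authentication auth = SecurityContextHolder.getContext()
                                                   .getAuthentication();
        // Print the user name and the granted authorities (roles) of the logged-in user.
        System.out.println("user: " + auth.getName());
        System.out.println("roles: " + auth.getAuthorities());
        return "hello!";
    }
}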
Running
To try the examples, run the spring-boot Maven plugin (configured in the pom.xml of the example project below):
mvn spring-boot:run
Or run the main method class from the IDE.
For me, the following password is printed on the console:
Using generated security password: f2d2cf83-16f3-43dd-b07a-b60c88d32c28
Access the application at http://localhost:8080/. The page will be redirected to the login page:
Entering user and the password, then clicking on login:
Changing default User name and password
To replace the default user name and password, we need to use the spring.security.user.name and spring.security.user.password properties in application.properties. For example:
src/main/resources/application.properties
To assign a role to the default user, we can use the spring.security.user.roles property. For example:
spring.security.user.roles=ADMIN
By default no role is specified.
Spring Boot default Security Configuration
The auto-configuration classes can be found in the org.springframework.boot.autoconfigure.security package. Following is a screenshot from IntelliJ:
The configuration class SpringBootWebSecurityConfiguration registers a bean extending WebSecurityConfigurerAdapter without modifying the default security configuration. The default configuration uses in-memory authentication. Every URL in the application requires authentication. Also, Basic Authentication (instead of form-based authentication) is used by default (see the source code of WebSecurityConfigurerAdapter#configure(HttpSecurity http)).
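An explicit configuration in place of the defaults described above, as an added example that is not part of the original example project. It targets the Spring Boot 2.0.x / Spring Security 5.0.x versions used on this page and keeps the user defined through the spring.security.user.* properties. The class names SecurityConfig and AdminController and the /admin/** path are assumptions, and the classes are assumed to live in the application's own package.

```java
// SecurityConfig.java - added example for Spring Boot 2.0.x / Spring Security 5.0.x
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Defining our own WebSecurityConfigurerAdapter replaces the default one registered by
// SpringBootWebSecurityConfiguration. No user store is declared here, so the
// in-memory user built from spring.security.user.* stays in place.
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Hypothetical path: only users holding ROLE_ADMIN
                // (spring.security.user.roles=ADMIN) may reach it.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Everything else still requires a logged-in user; nothing is left open.
                .anyRequest().authenticated()
                .and()
            // State both mechanisms explicitly instead of relying on defaults.
            .formLogin()
                .and()
            .httpBasic();
    }
}

// Hypothetical controller used to observe the rule above.
@RestController
class AdminController {

    // Spring MVC injects the current Authentication; a user without ROLE_ADMIN gets 403.
    @GetMapping("/admin/status")
    public String status(Authentication auth) {
        return "admin: " + auth.getName() + " " + auth.getAuthorities();
    }
}
```

With no role configured (the default), the same user can still log in but receives 403 Forbidden on /admin/**.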
Also check out Spring Security tutorials.
Example Project
Dependencies and Technologies Used:
- Spring Boot 2.0.2.RELEASE
  Corresponding Spring Version 5.0.6.RELEASE
- spring-boot-starter-web : Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container.
- spring-boot-starter-security : Starter for using Spring Security.
  Uses org.springframework.security:spring-security-web version 5.0.5.RELEASE
- JDK 1.8
- Maven 3.3.9