Spring Boot - Security getting started

[Updated: Jun 3, 2018, Created: Jun 2, 2018]

In Spring Boot, security gets enabled if the spring-security dependency is on the classpath. The easiest way to enable security in Spring Boot is to add spring-boot-starter-security dependency. By default Spring Boot adds a single user as name 'user' and a generated random password. The password can be found on the console during startup.




Example Controller

public class TestController {

  public String handler() {
      Authentication auth = SecurityContextHolder.getContext()
      System.out.println("user: "+ auth.getName());
      System.out.println("roles: "+ auth.getAuthorities());
      return "hello!";


To try examples, run spring-boot maven plugin (configured in pom.xml of example project below):

mvn spring-boot:run

Or run the main method class from IDE.

For me following password is printed on the console:

Using generated security password: f2d2cf83-16f3-43dd-b07a-b60c88d32c28

Access the application at http://localhost:8080/. The page will be redirected to the login page:

Entring user and the password and clicking on login:

Changing default User name and password

To replace default user name and password we need to use and properties in For example:



To assign a role to the default user we can use property. For example:

By default no role is specified.

Spring Boot default Security Configuration

The auto configuration classes can be found in package. Following is a screenshot from Intellij:

The configuration class SpringBootWebSecurityConfiguration registers a bean extending WebSecurityConfigurerAdapter without modifying the default security configuration. Default configuration uses in-memory authentication. Every URL is required authentication in the application. Also Basic Authentication (instead of form based authentication) is used by default (see source code WebSecurityConfigurerAdapter#configure(HttpSecurity http)).

Also check out Spring Security tutorials.

Example Project

Dependencies and Technologies Used:

  • Spring Boot 2.0.2.RELEASE
    Corresponding Spring Version 5.0.6.RELEASE
  • spring-boot-starter-web : Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container.
  • spring-boot-starter-security : Starter for using Spring Security.
    Uses version 5.0.5.RELEASE
  • JDK 1.8
  • Maven 3.3.9

Enabling Security in Spring Boot Select All Download
  • boot-security-getting-started
    • src
      • main
        • java
          • com
            • logicbig
              • example
        • resources

See Also