Close

Spring Boot - Security getting started

[Updated: Jun 3, 2018, Created: Jun 2, 2018]

In Spring Boot, security gets enabled if the spring-security dependency is on the classpath. The easiest way to enable security in Spring Boot is to add spring-boot-starter-security dependency. By default Spring Boot adds a single user as name 'user' and a generated random password. The password can be found on the console during startup.

Example

pom.xml

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Example Controller

@RestController
public class TestController {

  @RequestMapping("/")
  public String handler() {
      Authentication auth = SecurityContextHolder.getContext()
                                                 .getAuthentication();
      System.out.println("user: "+ auth.getName());
      System.out.println("roles: "+ auth.getAuthorities());
      return "hello!";
  }
}

Running

To try examples, run spring-boot maven plugin (configured in pom.xml of example project below):

mvn spring-boot:run

Or run the main method class from IDE.

For me following password is printed on the console:

Using generated security password: f2d2cf83-16f3-43dd-b07a-b60c88d32c28

Access the application at http://localhost:8080/. The page will be redirected to the login page:

Entring user and the password and clicking on login:

Changing default User name and password

To replace default user name and password we need to use spring.security.user.name and spring.security.user.password properties in application.properties. For example:

src/main/resources/application.properties

 

To assign a role to the default user we can use spring.security.user.roles property. For example:

spring.security.user.roles=ADMIN

By default no role is specified.

Spring Boot default Security Configuration

The auto configuration classes can be found in org.springframework.boot.autoconfigure.security package. Following is a screenshot from Intellij:

The configuration class SpringBootWebSecurityConfiguration registers a bean extending WebSecurityConfigurerAdapter without modifying the default security configuration. Default configuration uses in-memory authentication. Every URL is required authentication in the application. Also Basic Authentication (instead of form based authentication) is used by default (see source code WebSecurityConfigurerAdapter#configure(HttpSecurity http)).

Also check out Spring Security tutorials.

Example Project

Dependencies and Technologies Used:

  • Spring Boot 2.0.2.RELEASE
    Corresponding Spring Version 5.0.6.RELEASE
  • spring-boot-starter-web : Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container.
  • spring-boot-starter-security : Starter for using Spring Security.
    Uses org.springframework.security:spring-security-web version 5.0.5.RELEASE
  • JDK 1.8
  • Maven 3.3.9

Enabling Security in Spring Boot Select All Download
  • boot-security-getting-started
    • src
      • main
        • java
          • com
            • logicbig
              • example
        • resources
          • application.properties

    See Also