spring-boot/spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto/security.adoc

[[howto.security]]
== Security
This section addresses questions about security when working with Spring Boot, including questions that arise from using Spring Security with Spring Boot.

For more about Spring Security, see the {spring-security}[Spring Security project page].


[[howto.security.switch-off-spring-boot-configuration]]
=== Switch off the Spring Boot Security Configuration
If you define a `@Configuration` with a `WebSecurityConfigurerAdapter` or a `SecurityFilterChain` bean in your application, it switches off the default webapp security settings in Spring Boot.


[[howto.security.change-user-details-service-and-add-user-accounts]]
=== Change the UserDetailsService and Add User Accounts
If you provide a `@Bean` of type `AuthenticationManager`, `AuthenticationProvider`, or `UserDetailsService`, the default `@Bean` for `InMemoryUserDetailsManager` is not created.
This means you have the full feature set of Spring Security available (such as {spring-security-docs}#servlet-authentication[various authentication options]).

The easiest way to add user accounts is to provide your own `UserDetailsService` bean.


[[howto.security.enable-https]]
=== Enable HTTPS When Running behind a Proxy Server
Ensuring that all your main endpoints are only available over HTTPS is an important chore for any application.
If you use Tomcat as a servlet container, then Spring Boot adds Tomcat's own `RemoteIpValve` automatically if it detects some environment settings, and you should be able to rely on the `HttpServletRequest` to report whether it is secure or not (even downstream of a proxy server that handles the real SSL termination).
The standard behavior is determined by the presence or absence of certain request headers (`x-forwarded-for` and `x-forwarded-proto`), whose names are conventional, so it should work with most front-end proxies.
You can switch on the valve by adding some entries to `application.properties`, as shown in the following example:

[source,yaml,indent=0,configprops,configblocks]
----
	server:
	  tomcat:
	    remoteip:
	      remote-ip-header: "x-forwarded-for"
	      protocol-header: "x-forwarded-proto"
----

(The presence of either of those properties switches on the valve.
Alternatively, you can add the `RemoteIpValve` by customizing the `TomcatServletWebServerFactory` using a `WebServerFactoryCustomizer` bean.)

To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `SecurityFilterChain` bean that adds the following `HttpSecurity` configuration:

[source,java,pending-extract=true,indent=0,subs="verbatim,quotes,attributes"]
----
	@Bean
	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
		// Customize the application security
		http.requiresChannel().anyRequest().requiresSecure();
		return http.build();
	}
----
Split up adoc files Closes gh-23254 2021-04-30 00:11:56 +08:00			`[[howto.security]]`
			`== Security`
			`This section addresses questions about security when working with Spring Boot, including questions that arise from using Spring Security with Spring Boot.`

			`For more about Spring Security, see the {spring-security}[Spring Security project page].`



			`[[howto.security.switch-off-spring-boot-configuration]]`
			`=== Switch off the Spring Boot Security Configuration`
			If you define a `@Configuration` with a `WebSecurityConfigurerAdapter` or a `SecurityFilterChain` bean in your application, it switches off the default webapp security settings in Spring Boot.



			`[[howto.security.change-user-details-service-and-add-user-accounts]]`
			`=== Change the UserDetailsService and Add User Accounts`
			If you provide a `@Bean` of type `AuthenticationManager`, `AuthenticationProvider`, or `UserDetailsService`, the default `@Bean` for `InMemoryUserDetailsManager` is not created.
			`This means you have the full feature set of Spring Security available (such as {spring-security-docs}#servlet-authentication[various authentication options]).`

			The easiest way to add user accounts is to provide your own `UserDetailsService` bean.



			`[[howto.security.enable-https]]`
			`=== Enable HTTPS When Running behind a Proxy Server`
			`Ensuring that all your main endpoints are only available over HTTPS is an important chore for any application.`
			If you use Tomcat as a servlet container, then Spring Boot adds Tomcat's own `RemoteIpValve` automatically if it detects some environment settings, and you should be able to rely on the `HttpServletRequest` to report whether it is secure or not (even downstream of a proxy server that handles the real SSL termination).
			The standard behavior is determined by the presence or absence of certain request headers (`x-forwarded-for` and `x-forwarded-proto`), whose names are conventional, so it should work with most front-end proxies.
			You can switch on the valve by adding some entries to `application.properties`, as shown in the following example:

			`[source,yaml,indent=0,configprops,configblocks]`
			`----`
			`server:`
			`tomcat:`
			`remoteip:`
			`remote-ip-header: "x-forwarded-for"`
			`protocol-header: "x-forwarded-proto"`
			`----`

			`(The presence of either of those properties switches on the valve.`
			Alternatively, you can add the `RemoteIpValve` by customizing the `TomcatServletWebServerFactory` using a `WebServerFactoryCustomizer` bean.)

			To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `SecurityFilterChain` bean that adds the following `HttpSecurity` configuration:

			`[source,java,pending-extract=true,indent=0,subs="verbatim,quotes,attributes"]`
			`----`
			`@Bean`
			`public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {`
			`// Customize the application security`
			`http.requiresChannel().anyRequest().requiresSecure();`
			`return http.build();`
			`}`
			`----`