root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Clarify effect of @EnableWebSecurity when Actuator's being used 

Closes gh-6490
This commit is contained in:
Andy Wilkinson 2016-07-27 16:16:19 +01:00
parent bf8ae27a47
commit 2469f0ba28
2 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
spring-boot-docs/src/main/asciidoc/howto.adoc
View File

@ -2134,8 +2134,9 @@ will be available under `/system`.
[[howto-switch-off-spring-boot-security-configuration]]
=== Switch off the Spring Boot security configuration
If you define a `@Configuration` with `@EnableWebSecurity` anywhere in your application
it will switch off the default webapp security settings in Spring Boot. To tweak the
defaults try setting properties in `+security.*+` (see
it will switch off the default webapp security settings in Spring Boot (but leave the
Actuator's security enabled). To tweak the defaults try setting properties in
`+security.*+` (see
{sc-spring-boot-autoconfigure}/security/SecurityProperties.{sc-ext}[`SecurityProperties`]
for details of available settings) and `SECURITY` section of
<<common-application-properties-security,Common application properties>>.

6
spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc
View File

@ -2290,9 +2290,9 @@ properties are externalized via
The default security configuration is implemented in `SecurityAutoConfiguration` and in
the classes imported from there (`SpringBootWebSecurityConfiguration` for web security
and `AuthenticationManagerConfiguration` for authentication configuration which is also
relevant in non-web applications). To switch off the default web security configuration
completely you can add a bean with `@EnableWebSecurity` (this does not disable the
authentication manager configuration). To customize
relevant in non-web applications). To switch off the default web application security
configuration completely you can add a bean with `@EnableWebSecurity` (this does not
disable the authentication manager configuration or Actuator's security). To customize
it you normally use external properties and beans of type `WebSecurityConfigurerAdapter`
(e.g. to add form-based login). To also switch off the authentication manager configuration
you can add a bean of type `AuthenticationManager`, or else configure the