diff --git a/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc b/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc index d4ed48060e6..4e849521282 100644 --- a/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc +++ b/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc @@ -2848,10 +2848,10 @@ that you can see how to set things up. [[boot-features-security]] == Security -If Spring Security is on the classpath, then web applications are secure by default with -'`basic`' authentication on all HTTP endpoints. To add method-level security to a web -application, you can also add `@EnableGlobalMethodSecurity` with your desired settings. -Additional information can be found in the {spring-security-reference}#jc-method[Spring +If Spring Security is on the classpath, then web applications are secure by default. Spring Boot +relies on Spring Security’s content-negotiation strategy to determine whether to use `httpBasic` +or `formLogin`. To add method-level security to a web application, you can also add `@EnableGlobalMethodSecurity` +with your desired settings. Additional information can be found in the {spring-security-reference}#jc-method[Spring Security Reference]. The default `AuthenticationManager` has a single user (the user name is '`user`', and the 
@@ -2867,49 +2867,29 @@ NOTE: If you fine-tune your logging configuration, ensure that the `org.springframework.boot.autoconfigure.security` category is set to log `INFO`-level messages. Otherwise, the default password is not printed. -You can change the password by providing a `security.user.password`. This and other -useful properties are externalized via -{sc-spring-boot-autoconfigure}/security/SecurityProperties.{sc-ext}[`SecurityProperties`] -(properties with a prefix of "security"). - The default security configuration is implemented in `SecurityAutoConfiguration` and in the classes imported from there (`SpringBootWebSecurityConfiguration` for web security and `AuthenticationManagerConfiguration` for authentication configuration, which is also relevant in non-web applications). To switch off the default web application security -configuration completely, you can add a bean with `@EnableWebSecurity` (this does not -disable the authentication manager configuration or Actuator's security). To customize -it, you normally use external properties and beans of type `WebSecurityConfigurerAdapter` -(for example, to add form-based login). - -NOTE: If you add `@EnableWebSecurity` and also disable Actuator security, you get the -default form-based login for the entire application, unless you add a custom -`WebSecurityConfigurerAdapter`. +configuration completely, you can add a bean of type `WebSecurityConfigurerAdapter` (this does not +disable the authentication manager configuration or Actuator's security). To also switch off the authentication manager configuration, you can add a bean of type -`AuthenticationManager` or configure the global `AuthenticationManager` by autowiring an -`AuthenticationManagerBuilder` into a method in one of your `@Configuration` classes. +`UserDetailsService`, `AuthenticationProvider` or `AuthenticationManager`. 
There are several secure applications in the {github-code}/spring-boot-samples/[Spring Boot samples] to get you started with common use cases. The basic features you get by default in a web application are: -* An `AuthenticationManager` bean with in-memory store and a single user (see -`SecurityProperties.User` for the properties of the user). -* Ignored (insecure) paths for common static resource locations (`+/css/**+`, `+/js/**+`, -`+/images/**+`, `+/webjars/**+`, and `+**/favicon.ico+`). -* HTTP Basic security for all other endpoints. -* Security events published to Spring's `ApplicationEventPublisher` (successful and -unsuccessful authentication and access denied). -* Common low-level features (HSTS, XSS, CSRF, caching) provided by Spring Security. +* A `UserDetailsService` bean with in-memory store and a single user with a generated password. +* Form-based login or HTTP Basic security (depending on Content-Type) for the entire application (including +actuator endpoints if actuator is on the classpath). -All of the above can be switched on and off or modified by setting external properties -(`+security.*+`). To override the access rules without changing any other auto-configured -features, add a `@Bean` of type `WebSecurityConfigurerAdapter` with -`@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)` and configure it to meet your needs. - -NOTE: By default, a `WebSecurityConfigurerAdapter` matches any path. If you do not want -to completely override Spring Boot's auto-configured access rules, your adapter must -explicitly configure the paths that you do want to override. +Access rules can be overriden by adding a custom `WebSecurityConfigurerAdapter`. Spring Boot +provides convenience methods that can be used to override access rules for actuator endpoints +and static resources. `EndpointRequest` can be used to create a `RequestMatcher` that is based on the +`management.endpoints.web.base-path` property. 
`StaticResourceRequest` can be used to +create a `RequestMatcher` for static resources in commonly used locations. [[boot-features-security-oauth2]] === OAuth2
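Review bot: in the first hunk (@@ -2848), the new sentence "Spring Boot relies on Spring Security’s content-negotiation strategy to determine whether to use `httpBasic` or `formLogin`" does not say what is negotiated on; state that the choice is made from the request's Accept header, so readers know why a browser gets the login form while an API client gets a 401 with a `WWW-Authenticate` challenge. Two style points on the same lines: "Security’s" uses a curly apostrophe where the rest of the file uses the ASCII one, and the added lines run well past the wrap width of the surrounding paragraphs (the old text wrapped at roughly 90 columns); rewrap them to match.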
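Review bot: in the second hunk (@@ -2867), "Form-based login or HTTP Basic security (depending on Content-Type)" contradicts the first hunk, which attributes the choice to content negotiation; the decision is driven by the request's Accept header, not its Content-Type, so reword to "depending on the request's Accept header". Typo on the same hunk: "Access rules can be overriden" should read "overridden". The hunk also deletes the paragraph on `security.user.password` while leaving the NOTE that the default password is printed at `INFO`, so the section no longer tells readers how to set their own password; if the property moved, document its new name here rather than dropping the guidance. Finally, the removed bullets "Security events published to Spring's `ApplicationEventPublisher`" and "Common low-level features (HSTS, XSS, CSRF, caching)" describe protections readers rely on this list to confirm are on by default; if those defaults still apply, keep the bullets, and if they were intentionally dropped, say so in the commit message.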