Update Security features documentation

Closes gh-10844
Madhura Bhave 2017-11-08 13:26:58 -08:00
parent 8230cc5028
commit 7c3e555ff9
1 changed files with 15 additions and 35 deletions


@ -2848,10 +2848,10 @@ that you can see how to set things up.
[[boot-features-security]] [[boot-features-security]]
== Security == Security
If Spring Security is on the classpath, then web applications are secure by default with If Spring Security is on the classpath, then web applications are secure by default. Spring Boot
'`basic`' authentication on all HTTP endpoints. To add method-level security to a web relies on Spring Securitys content-negotiation strategy to determine whether to use `httpBasic`
application, you can also add `@EnableGlobalMethodSecurity` with your desired settings. or `formLogin`. To add method-level security to a web application, you can also add `@EnableGlobalMethodSecurity`
Additional information can be found in the {spring-security-reference}#jc-method[Spring with your desired settings. Additional information can be found in the {spring-security-reference}#jc-method[Spring
Security Reference]. Security Reference].
The default `AuthenticationManager` has a single user (the user name is '`user`', and the The default `AuthenticationManager` has a single user (the user name is '`user`', and the
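Review bot: "Spring Securitys content-negotiation strategy" in the new first paragraph of this hunk should read "Spring Security's". The same sentence would serve readers better if it said what the strategy inspects (content negotiation in Spring Security looks at the request's Accept header) so they can tell which clients get an HTTP Basic challenge and which get a login form; as rewritten, the paragraph has also dropped the old text's explicit statement that all HTTP endpoints are covered, which is the one fact someone checking the default posture will look for, so consider keeping "on all HTTP endpoints".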
@ -2867,49 +2867,29 @@ NOTE: If you fine-tune your logging configuration, ensure that the
`org.springframework.boot.autoconfigure.security` category is set to log `INFO`-level `org.springframework.boot.autoconfigure.security` category is set to log `INFO`-level
messages. Otherwise, the default password is not printed. messages. Otherwise, the default password is not printed.
You can change the password by providing a `security.user.password`. This and other
useful properties are externalized via
{sc-spring-boot-autoconfigure}/security/SecurityProperties.{sc-ext}[`SecurityProperties`]
(properties with a prefix of "security").
The default security configuration is implemented in `SecurityAutoConfiguration` and in The default security configuration is implemented in `SecurityAutoConfiguration` and in
the classes imported from there (`SpringBootWebSecurityConfiguration` for web security the classes imported from there (`SpringBootWebSecurityConfiguration` for web security
and `AuthenticationManagerConfiguration` for authentication configuration, which is also and `AuthenticationManagerConfiguration` for authentication configuration, which is also
relevant in non-web applications). To switch off the default web application security relevant in non-web applications). To switch off the default web application security
configuration completely, you can add a bean with `@EnableWebSecurity` (this does not configuration completely, you can add a bean of type `WebSecurityConfigurerAdapter` (this does not
disable the authentication manager configuration or Actuator's security). To customize disable the authentication manager configuration or Actuator's security).
it, you normally use external properties and beans of type `WebSecurityConfigurerAdapter`
(for example, to add form-based login).
NOTE: If you add `@EnableWebSecurity` and also disable Actuator security, you get the
default form-based login for the entire application, unless you add a custom
`WebSecurityConfigurerAdapter`.
To also switch off the authentication manager configuration, you can add a bean of type To also switch off the authentication manager configuration, you can add a bean of type
`AuthenticationManager` or configure the global `AuthenticationManager` by autowiring an `UserDetailsService`, `AuthenticationProvider` or `AuthenticationManager`.
`AuthenticationManagerBuilder` into a method in one of your `@Configuration` classes.
There are several secure applications in the {github-code}/spring-boot-samples/[Spring There are several secure applications in the {github-code}/spring-boot-samples/[Spring
Boot samples] to get you started with common use cases. Boot samples] to get you started with common use cases.
The basic features you get by default in a web application are: The basic features you get by default in a web application are:
* An `AuthenticationManager` bean with in-memory store and a single user (see * A `UserDetailsService` bean with in-memory store and a single user with a generated password.
`SecurityProperties.User` for the properties of the user). * Form-based login or HTTP Basic security (depending on Content-Type) for the entire application (including
* Ignored (insecure) paths for common static resource locations (`+/css/**+`, `+/js/**+`, actuator endpoints if actuator is on the classpath).
`+/images/**+`, `+/webjars/**+`, and `+**/favicon.ico+`).
* HTTP Basic security for all other endpoints.
* Security events published to Spring's `ApplicationEventPublisher` (successful and
unsuccessful authentication and access denied).
* Common low-level features (HSTS, XSS, CSRF, caching) provided by Spring Security.
All of the above can be switched on and off or modified by setting external properties Access rules can be overriden by adding a custom `WebSecurityConfigurerAdapter`. Spring Boot
(`+security.*+`). To override the access rules without changing any other auto-configured provides convenience methods that can be used to override access rules for actuator endpoints
features, add a `@Bean` of type `WebSecurityConfigurerAdapter` with and static resources. `EndpointRequest` can be used to create a `RequestMatcher` that is based on the
`@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)` and configure it to meet your needs. `management.endpoints.web.base-path` property. `StaticResourceRequest` can be used to
create a `RequestMatcher` for static resources in commonly used locations.
NOTE: By default, a `WebSecurityConfigurerAdapter` matches any path. If you do not want
to completely override Spring Boot's auto-configured access rules, your adapter must
explicitly configure the paths that you do want to override.
[[boot-features-security-oauth2]] [[boot-features-security-oauth2]]
=== OAuth2 === OAuth2
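Review bot: the new sentence "Access rules can be overriden by adding a custom `WebSecurityConfigurerAdapter`" (typo: "overridden") contradicts the earlier line in this hunk that says a `WebSecurityConfigurerAdapter` bean switches off the default web application security configuration completely; the paragraph should state plainly that a custom adapter replaces the auto-configured rules rather than layering on top of them, because the old NOTE warning that an adapter matches any path and must configure its paths explicitly has been deleted, and a reader could otherwise assume the defaults still protect paths their adapter does not mention. Two smaller points: the new bullet says the choice between form login and HTTP Basic depends on "Content-Type", while the previous hunk calls it a content-negotiation strategy (which is driven by the request's Accept header), so the two should use one consistent description; and the removal of the `security.user.password` paragraph together with the bullet on HSTS, XSS, CSRF and caching protections leaves the new text saying only that the single user has "a generated password" and saying nothing about those protections, so if they are still enabled by default keep that bullet, and if the password can still be configured (by this property or a replacement), say how.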