MVC Security
The default security configuration is implemented in SecurityAutoConfiguration and UserDetailsServiceAutoConfiguration.
SecurityAutoConfiguration imports SpringBootWebSecurityConfiguration for web security and UserDetailsServiceAutoConfiguration configures authentication, which is also relevant in non-web applications.
To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth2 Client and Resource Server, add a bean of type SecurityFilterChain (doing so does not disable the UserDetailsService configuration or Actuator’s security).
To also switch off the UserDetailsService configuration, you can add a bean of type UserDetailsService, AuthenticationProvider, or AuthenticationManager.
Access rules can be overridden by adding a custom SecurityFilterChain bean.
Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources.
EndpointRequest can be used to create a RequestMatcher that is based on the management.endpoints.web.base-path property.
PathRequest can be used to create a RequestMatcher for resources in commonly used locations.
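A custom SecurityFilterChain bean that combines both matchers might look like the following. This is an added example, not taken from the Spring Boot documentation; it assumes Spring Boot 3.x with Spring Security 6 and the actuator starter on the classpath, and the class name, bean name and the ENDPOINT_ADMIN role are hypothetical.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class; its presence replaces the default web security configuration.
@Configuration(proxyBeanMethods = false)
public class ExampleSecurityConfiguration {

    @Bean
    SecurityFilterChain exampleSecurityFilterChain(HttpSecurity http) throws Exception {
        // Rules are evaluated in declaration order and the first match wins,
        // so the narrow permitAll() rules must come before the broader ones.
        http.authorizeHttpRequests((requests) -> requests
                // Static resources in commonly used locations (for example /css/** and /js/**).
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                // Only the health endpoint is public. The matcher follows
                // management.endpoints.web.base-path, so no path is hard-coded here.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Every other actuator endpoint requires a dedicated role (role name is an assumption).
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ENDPOINT_ADMIN")
                // Deny-by-default for the application itself: anything not listed needs a login.
                .anyRequest().authenticated());
        http.httpBasic(Customizer.withDefaults());
        http.formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Because the matchers are derived from configuration properties, changing management.endpoints.web.base-path does not silently leave actuator endpoints outside the rules, which is the risk with hand-written path patterns.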