Spring Security
If Spring Security is on the classpath, then web applications are secured by default.
Spring Boot relies on Spring Security’s content-negotiation strategy to determine whether to use httpBasic or formLogin.
To add method-level security to a web application, you can also add @EnableGlobalMethodSecurity with your desired settings.
Additional information can be found in the Spring Security Reference Guide.
The default UserDetailsService has a single user.
The user name is user, and the password is random and is printed at WARN level when the application starts, as shown in the following example:
Using generated security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
This generated password is for development use only. Your security configuration must be updated before running your application in production.
If you fine-tune your logging configuration, ensure that the org.springframework.boot.autoconfigure.security category is set to log WARN-level messages.
Otherwise, the default password is not printed.
You can change the username and password by providing a spring.security.user.name and spring.security.user.password.
The basic features you get by default in a web application are:
- A UserDetailsService (or ReactiveUserDetailsService in case of a WebFlux application) bean with in-memory store and a single user with a generated password (see SecurityProperties.User for the properties of the user).
- Form-based login or HTTP Basic security (depending on the Accept header in the request) for the entire application (including actuator endpoints if actuator is on the classpath).
- A DefaultAuthenticationEventPublisher for publishing authentication events.
You can provide a different AuthenticationEventPublisher by adding a bean for it.
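
One way to consume the authentication events mentioned above is a listener that audits failed logins. This is an added example, not code from Spring Boot or its reference guide; the class name, the alert threshold and the table cap are assumptions made for illustration.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

// Added example (hypothetical class name), not part of Spring Boot itself.
@Component
public class AuthenticationAuditListener {

    private static final Logger log = LoggerFactory.getLogger(AuthenticationAuditListener.class);
    private static final int ALERT_THRESHOLD = 5;   // assumed value, tune per environment
    private static final int MAX_TRACKED = 10_000;  // assumed cap so submitted names cannot exhaust memory

    private final ConcurrentHashMap<String, AtomicInteger> failures = new ConcurrentHashMap<>();

    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent event) {
        String name = sanitize(event.getAuthentication().getName());
        if (failures.size() >= MAX_TRACKED && !failures.containsKey(name)) {
            log.warn("Failure table full; not tracking '{}'", name);
            return;
        }
        int count = failures.computeIfAbsent(name, k -> new AtomicInteger()).incrementAndGet();
        // Log the exception type only, never the submitted credentials.
        log.warn("Authentication failure for '{}' ({}), consecutive failures: {}",
                name, event.getException().getClass().getSimpleName(), count);
        if (count == ALERT_THRESHOLD) {
            log.error("'{}' reached {} consecutive failed logins", name, ALERT_THRESHOLD);
        }
    }

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        // A successful login resets the consecutive-failure counter.
        failures.remove(sanitize(event.getAuthentication().getName()));
    }

    // Submitted user names are untrusted: strip control characters and bound the length before logging.
    private static String sanitize(String name) {
        String cleaned = name == null ? "" : name.replaceAll("\\p{Cntrl}", "_");
        return cleaned.length() > 64 ? cleaned.substring(0, 64) : cleaned;
    }
}
```

The counters live in memory on a single instance, so a clustered deployment would need a shared store to see failures spread across nodes.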