mirror of
https://github.com/spring-projects/spring-boot.git
synced 2024-09-03 04:26:12 +08:00
Update Security features documentation
Closes gh-10844
This commit is contained in:
Madhura Bhave
parent
8230cc5028
commit
7c3e555ff9
@ -2848,10 +2848,10 @@ that you can see how to set things up.
|
||||
|
||||
[[boot-features-security]]
|
||||
== Security
|
||||
If Spring Security is on the classpath, then web applications are secure by default with
|
||||
'`basic`' authentication on all HTTP endpoints. To add method-level security to a web
|
||||
application, you can also add `@EnableGlobalMethodSecurity` with your desired settings.
|
||||
Additional information can be found in the {spring-security-reference}#jc-method[Spring
|
||||
If Spring Security is on the classpath, then web applications are secure by default. Spring Boot
|
||||
relies on Spring Security’s content-negotiation strategy to determine whether to use `httpBasic`
|
||||
or `formLogin`. To add method-level security to a web application, you can also add `@EnableGlobalMethodSecurity`
|
||||
with your desired settings. Additional information can be found in the {spring-security-reference}#jc-method[Spring
|
||||
Security Reference].
|
||||
|
||||
The default `AuthenticationManager` has a single user (the user name is '`user`', and the
|
||||
@ -2867,49 +2867,29 @@ NOTE: If you fine-tune your logging configuration, ensure that the
|
||||
`org.springframework.boot.autoconfigure.security` category is set to log `INFO`-level
|
||||
messages. Otherwise, the default password is not printed.
|
||||
|
||||
You can change the password by providing a `security.user.password`. This and other
|
||||
useful properties are externalized via
|
||||
{sc-spring-boot-autoconfigure}/security/SecurityProperties.{sc-ext}[`SecurityProperties`]
|
||||
(properties with a prefix of "security").
|
||||
|
||||
The default security configuration is implemented in `SecurityAutoConfiguration` and in
|
||||
the classes imported from there (`SpringBootWebSecurityConfiguration` for web security
|
||||
and `AuthenticationManagerConfiguration` for authentication configuration, which is also
|
||||
relevant in non-web applications). To switch off the default web application security
|
||||
configuration completely, you can add a bean with `@EnableWebSecurity` (this does not
|
||||
disable the authentication manager configuration or Actuator's security). To customize
|
||||
it, you normally use external properties and beans of type `WebSecurityConfigurerAdapter`
|
||||
(for example, to add form-based login).
|
||||
|
||||
NOTE: If you add `@EnableWebSecurity` and also disable Actuator security, you get the
|
||||
default form-based login for the entire application, unless you add a custom
|
||||
`WebSecurityConfigurerAdapter`.
|
||||
configuration completely, you can add a bean of type `WebSecurityConfigurerAdapter` (this does not
|
||||
disable the authentication manager configuration or Actuator's security).
|
||||
|
||||
To also switch off the authentication manager configuration, you can add a bean of type
|
||||
`AuthenticationManager` or configure the global `AuthenticationManager` by autowiring an
|
||||
`AuthenticationManagerBuilder` into a method in one of your `@Configuration` classes.
|
||||
`UserDetailsService`, `AuthenticationProvider` or `AuthenticationManager`.
|
||||
There are several secure applications in the {github-code}/spring-boot-samples/[Spring
|
||||
Boot samples] to get you started with common use cases.
|
||||
|
||||
The basic features you get by default in a web application are:
|
||||
|
||||
* An `AuthenticationManager` bean with in-memory store and a single user (see
|
||||
`SecurityProperties.User` for the properties of the user).
|
||||
* Ignored (insecure) paths for common static resource locations (`+/css/**+`, `+/js/**+`,
|
||||
`+/images/**+`, `+/webjars/**+`, and `+**/favicon.ico+`).
|
||||
* HTTP Basic security for all other endpoints.
|
||||
* Security events published to Spring's `ApplicationEventPublisher` (successful and
|
||||
unsuccessful authentication and access denied).
|
||||
* Common low-level features (HSTS, XSS, CSRF, caching) provided by Spring Security.
|
||||
* A `UserDetailsService` bean with in-memory store and a single user with a generated password.
|
||||
* Form-based login or HTTP Basic security (depending on Content-Type) for the entire application (including
|
||||
actuator endpoints if actuator is on the classpath).
|
||||
|
||||
All of the above can be switched on and off or modified by setting external properties
|
||||
(`+security.*+`). To override the access rules without changing any other auto-configured
|
||||
features, add a `@Bean` of type `WebSecurityConfigurerAdapter` with
|
||||
`@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)` and configure it to meet your needs.
|
||||
|
||||
NOTE: By default, a `WebSecurityConfigurerAdapter` matches any path. If you do not want
|
||||
to completely override Spring Boot's auto-configured access rules, your adapter must
|
||||
explicitly configure the paths that you do want to override.
|
||||
Access rules can be overriden by adding a custom `WebSecurityConfigurerAdapter`. Spring Boot
|
||||
provides convenience methods that can be used to override access rules for actuator endpoints
|
||||
and static resources. `EndpointRequest` can be used to create a `RequestMatcher` that is based on the
|
||||
`management.endpoints.web.base-path` property. `StaticResourceRequest` can be used to
|
||||
create a `RequestMatcher` for static resources in commonly used locations.
|
||||
|
||||
[[boot-features-security-oauth2]]
|
||||
=== OAuth2
|
||||
|
||||
Loading…
Reference in New Issue
Block a user