This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.1.12!
Hello Spring Security
This section covers the minimum setup for how to use Spring Security with Spring Boot.
The completed application can be found in our samples repository. For your convenience, a minimal Spring Boot + Spring Security application is also available for download.
Starting Hello Spring Security Boot
You can now run the Spring Boot application by using the Maven Plugin's run goal through the Maven Wrapper that ships with the sample.
The following example shows how to do so (and the beginning of the output from doing so):
$ ./mvnw spring-boot:run
...
INFO 23689 --- [ restartedMain] .s.s.UserDetailsServiceAutoConfiguration :
Using generated security password: 8e557245-73e2-4286-969a-ff57fe326336
...
Spring Boot Auto Configuration
Spring Boot automatically:
- Enables Spring Security's default configuration, which creates a servlet Filter as a bean named springSecurityFilterChain. This bean is responsible for all the security (protecting the application URLs, validating submitted usernames and passwords, redirecting to the login form, and so on) within your application.
- Creates a UserDetailsService bean with a username of user and a randomly generated password that is logged to the console. The password is regenerated on every start and, as the log message itself states, is intended for development use only.
- Registers the Filter with a bean named springSecurityFilterChain with the Servlet container for every request.
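The following configuration class spells out, as explicit beans, what the auto-configuration described above provides implicitly (and what the feature summary that follows lists). It is an added example for this page, not code from the Spring Security project or its samples. The package name, the class name SecurityConfig and the environment variable DEMO_USER_PASSWORD are assumptions of the example; everything else is the public Spring Security 6 configuration API.

```java
package com.example.hello; // hypothetical package, an assumption of this example

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Explicit equivalent of Spring Boot's security defaults.
 *
 * Declaring a SecurityFilterChain bean makes Boot's default filter chain back
 * off; declaring a UserDetailsService bean makes Boot's
 * UserDetailsServiceAutoConfiguration back off, so no random password is
 * generated or written to the console any more.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Environment variable the demo user's password is read from.
    // This name is an assumption of the example, not a Spring property.
    private static final String PASSWORD_ENV = "DEMO_USER_PASSWORD";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Require an authenticated user for every request.
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            // Generated login page at /login; the form POSTs back to /login.
            .formLogin(Customizer.withDefaults())
            // POST /logout invalidates the session and clears the security context.
            .logout(Customizer.withDefaults())
            // CSRF protection: state-changing requests must carry the CSRF token.
            .csrf(Customizer.withDefaults())
            // Default security headers: HSTS (on HTTPS), X-Content-Type-Options,
            // Cache-Control, X-Frame-Options and the X-XSS-Protection header.
            .headers(Customizer.withDefaults());
        // Session fixation protection is part of the default session management
        // and needs no explicit call here.
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // DelegatingPasswordEncoder: new passwords are hashed with bcrypt and the
        // stored value is prefixed with {bcrypt}, so the algorithm can be rotated.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        String rawPassword = System.getenv(PASSWORD_ENV);
        if (rawPassword == null || rawPassword.isBlank()) {
            // Fail closed: never fall back to a hard-coded or empty credential.
            throw new IllegalStateException(
                PASSWORD_ENV + " is not set; refusing to start without a credential");
        }
        UserDetails user = User.builder()
            .username("user")
            // Only the bcrypt hash is held in memory, never the plaintext.
            .password(encoder.encode(rawPassword))
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

Run it with the password supplied in the environment, for example `DEMO_USER_PASSWORD='choose-a-long-passphrase' ./mvnw spring-boot:run`; the "Using generated security password" line from the output shown above no longer appears, because the auto-configured user has been replaced. Reading the credential from the environment rather than a property file keeps it out of source control; for anything beyond a demo, replace the in-memory store with your real user store.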
Spring Boot is not configuring much, but it does a lot. A summary of the features follows:
- Require an authenticated user for any interaction with the application
- Generate a default login form for you
- Let the user with a username of user and a password that is logged to the console authenticate with form-based authentication (in the preceding example, the password is 8e557245-73e2-4286-969a-ff57fe326336)
- Protect the password storage with BCrypt
- Let the user log out
- CSRF attack prevention
- Session Fixation protection
- Security Header integration
- HTTP Strict Transport Security for secure requests
- X-Content-Type-Options integration
- Cache Control (can be overridden later by your application to allow caching of your static resources)
- X-XSS-Protection integration
- X-Frame-Options integration to help prevent Clickjacking
- Integrate with the following Servlet API methods: