From a5ce4a10f18164fb5de454ab5ff2171209e7dd41 Mon Sep 17 00:00:00 2001 From: Madhura Bhave Date: Mon, 11 Dec 2017 14:53:58 -0800 Subject: [PATCH] Update reference doc with security changes Fixes gh-11172 --- .../src/main/asciidoc/howto.adoc | 78 +++++-------------- 1 file changed, 21 insertions(+), 57 deletions(-) diff --git a/spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc b/spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc index 6407284bc7..72e37547d9 100644 --- a/spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc +++ b/spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc 
@@ -2249,67 +2249,18 @@ of how to register handlers in the servlet container. [[howto-switch-off-spring-boot-security-configuration]] === Switch off the Spring Boot Security Configuration -If you define a `@Configuration` with `@EnableWebSecurity` anywhere in your application, -it switches off the default webapp security settings in Spring Boot (but leaves the -Actuator's security enabled). To tweak the defaults try setting properties in -`+security.*+` (see -{sc-spring-boot-autoconfigure}/security/SecurityProperties.{sc-ext}[`SecurityProperties`] -for details of available settings) and the `SECURITY` section of -"`<>`". - +If you define a `@Configuration` with a `WebSecurityConfigurerAdapter` in your application, +it switches off the default webapp security settings in Spring Boot. [[howto-change-the-authenticationmanager-and-add-user-accounts]] === Change the AuthenticationManager and Add User Accounts -If you provide a `@Bean` of type `AuthenticationManager`, the default one is not +If you provide a `@Bean` of type `AuthenticationManager`, `AuthenticationProvider` +or `UserDetailsService`, the default `@Bean` for `InMemoryUserDetailsManager` is not created, so you have the full feature set of Spring Security available (such as http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#jc-authentication[various authentication options]). -Spring Security also provides a convenient `AuthenticationManagerBuilder`, which can be -used to build an `AuthenticationManager` with common options. 
The recommended way to -use this in a webapp is to inject it into a void method in a -`WebSecurityConfigurerAdapter`, as shown in the following example: - -[source,java,indent=0,subs="verbatim,quotes,attributes"] ----- - @Configuration - public class SecurityConfiguration extends WebSecurityConfigurerAdapter { - - @Autowired - public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - auth.inMemoryAuthentication() - .withUser("barry").password("password").roles("USER"); // ... etc. - } - - // ... other stuff for application security - - } ----- - -You get the best results if you put this in a nested class or a standalone class -(that is, not mixed in with a lot of other `@Beans` that might be allowed to influence the -order of instantiation). The {github-code}/spring-boot-samples/spring-boot-sample-web-secure[secure web sample] -is a useful template to follow. - -If you experience instantiation issues (for example, when using JDBC or JPA for the user detail store), -it might be worth extracting the `AuthenticationManagerBuilder` callback into a -`GlobalAuthenticationConfigurerAdapter` (in the `init()` method so that it happens before the -authentication manager is needed elsewhere), as shown in the following example: - -[source,java,indent=0,subs="verbatim,quotes,attributes"] ----- - @Configuration - public class AuthenticationManagerConfiguration extends - GlobalAuthenticationConfigurerAdapter { - - @Override - public void init(AuthenticationManagerBuilder auth) { - auth.inMemoryAuthentication() // ... etc. - } - - } ----- - +The easiest way to add user accounts is to provide your own `UserDetailsService` bean. [[howto-enable-https]] 
@@ -2333,10 +2284,23 @@ by adding some entries to `application.properties`, as shown in the following ex (The presence of either of those properties switches on the valve. Alternatively, you can add the `RemoteIpValve` yourself by adding a `TomcatServletWebServerFactory` bean.) -Spring Security can also be configured to require a secure channel for all (or some) -requests. To switch that on in a Spring Boot application, set -`security.require_ssl` to `true` in `application.properties`. +To configure Spring Security to require a secure channel for all (or some) +requests, consider adding your own `WebSecurityConfigurerAdapter` that adds the following +`HttpSecurity` configuration: +[source,java,indent=0,subs="verbatim,quotes,attributes"] +---- + @Configuration + public class SslWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { + + @Override + protected void configure(HttpSecurity http) throws Exception { + // Customize the application security + http.requiresChannel().anyRequest().requiresSecure(); + } + + } +---- [[howto-hotswapping]]
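Review bot: In the first hunk (`howto-switch-off-spring-boot-security-configuration`), the deleted text's parenthetical "(but leaves the Actuator's security enabled)" is dropped without a replacement, so a reader who adds a `WebSecurityConfigurerAdapter` can no longer tell whether actuator endpoints are still protected. Please state explicitly what happens to actuator security once the default configuration backs off, and since the `security.*` / `SecurityProperties` pointer is removed too, a one-line note on what replaces those properties would help. In the same hunk, the new `AuthenticationManager` section deletes both worked examples and ends with "The easiest way to add user accounts is to provide your own `UserDetailsService` bean." without showing one; a short `@Bean` example (for instance returning an `InMemoryUserDetailsManager`) would keep the how-to actionable. Also consider tightening "a `@Configuration` with a `WebSecurityConfigurerAdapter`" to "a `@Bean` of type `WebSecurityConfigurerAdapter`", matching the wording used for `AuthenticationManager` just below.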
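Review bot: In the second hunk (`howto-enable-https`), the `SslWebSecurityConfigurerAdapter` example only calls `http.requiresChannel().anyRequest().requiresSecure()`, yet the first hunk of this same patch says that defining a `WebSecurityConfigurerAdapter` switches off the default security settings; as written, a reader who copies the snippet gets the HTTPS redirect but loses the default authentication and authorization rules without being told. Please add a sentence (or an `authorizeRequests()` / `httpBasic()` line in the example) making clear that this adapter replaces, rather than supplements, the defaults. The placeholder comment `// Customize the application security` does not describe what the line below does; replacing it with something like `// Redirect every request to HTTPS` would be clearer. Finally, the surrounding context mentions `RemoteIpValve`; it is worth saying that `requiresSecure()` depends on the request being recognised as secure, so behind a TLS-terminating proxy the valve configuration above is a prerequisite for this example to behave correctly. The removed `security.require_ssl` property should also be noted as gone in the migration notes.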