Update reference doc with security changes

Fixes gh-11172
pull/11237/merge
Madhura Bhave 7 years ago
parent 47ed096981
commit a5ce4a10f1

@ -2249,67 +2249,18 @@ of how to register handlers in the servlet container.
[[howto-switch-off-spring-boot-security-configuration]] [[howto-switch-off-spring-boot-security-configuration]]
=== Switch off the Spring Boot Security Configuration === Switch off the Spring Boot Security Configuration
If you define a `@Configuration` with `@EnableWebSecurity` anywhere in your application, If you define a `@Configuration` with a `WebSecurityConfigurerAdapter` in your application,
it switches off the default webapp security settings in Spring Boot (but leaves the it switches off the default webapp security settings in Spring Boot.
Actuator's security enabled). To tweak the defaults try setting properties in
`+security.*+` (see
{sc-spring-boot-autoconfigure}/security/SecurityProperties.{sc-ext}[`SecurityProperties`]
for details of available settings) and the `SECURITY` section of
"`<<common-application-properties-security,Common Application Properties>>`".
[[howto-change-the-authenticationmanager-and-add-user-accounts]] [[howto-change-the-authenticationmanager-and-add-user-accounts]]
=== Change the AuthenticationManager and Add User Accounts === Change the AuthenticationManager and Add User Accounts
If you provide a `@Bean` of type `AuthenticationManager`, the default one is not If you provide a `@Bean` of type `AuthenticationManager`, `AuthenticationProvider`
or `UserDetailsService`, the default `@Bean` for `InMemoryUserDetailsManager` is not
created, so you have the full feature set of Spring Security available (such as created, so you have the full feature set of Spring Security available (such as
http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#jc-authentication[various authentication options]). http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#jc-authentication[various authentication options]).
Spring Security also provides a convenient `AuthenticationManagerBuilder`, which can be The easiest way to add user accounts is to provide your own `UserDetailsService` bean.
used to build an `AuthenticationManager` with common options. The recommended way to
use this in a webapp is to inject it into a void method in a
`WebSecurityConfigurerAdapter`, as shown in the following example:
[source,java,indent=0,subs="verbatim,quotes,attributes"]
----
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("barry").password("password").roles("USER"); // ... etc.
}
// ... other stuff for application security
}
----
You get the best results if you put this in a nested class or a standalone class
(that is, not mixed in with a lot of other `@Beans` that might be allowed to influence the
order of instantiation). The {github-code}/spring-boot-samples/spring-boot-sample-web-secure[secure web sample]
is a useful template to follow.
If you experience instantiation issues (for example, when using JDBC or JPA for the user detail store),
it might be worth extracting the `AuthenticationManagerBuilder` callback into a
`GlobalAuthenticationConfigurerAdapter` (in the `init()` method so that it happens before the
authentication manager is needed elsewhere), as shown in the following example:
[source,java,indent=0,subs="verbatim,quotes,attributes"]
----
@Configuration
public class AuthenticationManagerConfiguration extends
GlobalAuthenticationConfigurerAdapter {
@Override
public void init(AuthenticationManagerBuilder auth) {
auth.inMemoryAuthentication() // ... etc.
}
}
----
[[howto-enable-https]] [[howto-enable-https]]
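Review bot: the removed parenthetical "(but leaves the Actuator's security enabled)" at the top of the hunk is dropped without a replacement statement, so the new sentence "it switches off the default webapp security settings in Spring Boot." no longer tells readers what happens to the Actuator endpoints once they define their own `WebSecurityConfigurerAdapter`; if those endpoints are now governed by that same adapter, say so in one sentence, because a reader relying on the old text would assume they stay protected. Two smaller points: "a `@Configuration` with a `WebSecurityConfigurerAdapter`" reads as if the adapter were a bean inside the configuration, whereas the removed listing shows the configuration class itself `extends WebSecurityConfigurerAdapter`, so "a `@Configuration` that extends `WebSecurityConfigurerAdapter`" is clearer; and "The easiest way to add user accounts is to provide your own `UserDetailsService` bean." replaces two complete code listings with a single sentence, so a short `UserDetailsService` example, using a `PasswordEncoder` rather than the removed listing's plaintext `password("password")`, would keep the section usable as a how-to.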
@ -2333,10 +2284,23 @@ by adding some entries to `application.properties`, as shown in the following ex
(The presence of either of those properties switches on the valve. Alternatively, you can (The presence of either of those properties switches on the valve. Alternatively, you can
add the `RemoteIpValve` yourself by adding a `TomcatServletWebServerFactory` bean.) add the `RemoteIpValve` yourself by adding a `TomcatServletWebServerFactory` bean.)
Spring Security can also be configured to require a secure channel for all (or some) To configure Spring Security to require a secure channel for all (or some)
requests. To switch that on in a Spring Boot application, set requests, consider adding your own `WebSecurityConfigurerAdapter` that adds the following
`security.require_ssl` to `true` in `application.properties`. `HttpSecurity` configuration:
[source,java,indent=0,subs="verbatim,quotes,attributes"]
----
@Configuration
public class SslWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// Customize the application security
http.requiresChannel().anyRequest().requiresSecure();
}
}
----
[[howto-hotswapping]] [[howto-hotswapping]]
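Review bot: the `configure(HttpSecurity)` override in the new listing contains only `http.requiresChannel().anyRequest().requiresSecure();`, and the earlier hunk states that defining a `WebSecurityConfigurerAdapter` switches off Spring Boot's default web security settings, so a reader who copies this class verbatim gets the HTTPS redirect but no authorization rules at all; either extend the chain, for example `http.requiresChannel().anyRequest().requiresSecure().and().authorizeRequests().anyRequest().authenticated();`, or add a sentence saying that this adapter must also carry the rest of the application's security configuration. The comment `// Customize the application security` says nothing about the line it sits on; something like `// Redirect every request to HTTPS` would be more useful. Finally, because the preceding paragraph is about running behind a proxy that terminates SSL, one sentence should note that `requiresSecure()` judges the channel from the request as the container sees it, so without the `RemoteIpValve` (or the properties described just above) every request looks insecure and is redirected again, producing a redirect loop.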
