Spring Security – Enabling Default Spring Security

In the previous post, we learnt how to create our brand new Spring Boot application. Now the question comes: how do I secure my Spring Boot application? How do I ensure my application resources are restricted to limited users? And so on.

In this post, let’s see how to enable Spring Security in our Spring Boot application.

Prerequisite

  • A simple Spring Boot application

Add Spring Security dependencies

That’s it. Let’s run our application now.

Yes, it is up and running.

But why do we see some additional logs on startup? OK. Let’s check our API.

Oops… My API is redirected to some login page????? The login page is looking for some credentials????? Where do I have them?????

Yes, it’s all because of the Spring Security dependency we added. Spring Security simply started protecting our API using its default login page, and it expects credentials before proceeding further.

So, how did it happen?

Spring Boot automatically:

  • Enables Spring Security’s default configuration, which creates a servlet Filter as a bean named springSecurityFilterChain. This bean is responsible for all the security (protecting the application URLs, validating submitted username and passwords, redirecting to the log in form, and so on) within your application.
  • Creates a UserDetailsService bean with a username of user and a randomly generated password that is logged to the console.
  • Registers the Filter with a bean named springSecurityFilterChain with the Servlet container for every request.
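
The defaults listed above can also be written out as explicit configuration. The class below is an added example, not code from the original post: it assumes Spring Boot 3 with Spring Security 6, and the package name, class name and the `APP_USER_PASSWORD` environment variable are hypothetical. It applies the same rules (every request requires authentication, with form login and HTTP Basic enabled) and defines its own `user` account, so Spring Boot no longer generates a password and logs it to the console.

```java
package com.example.demo; // hypothetical package name

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not from the original post); class name is hypothetical.
@Configuration
public class ExplicitDefaultSecurityConfig {

    // Explicit form of the default rules: every request needs an
    // authenticated user, with form login and HTTP Basic both enabled.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Replaces the auto-generated "user" account, so no random password
    // is generated or logged. APP_USER_PASSWORD is an assumed environment
    // variable; startup fails if it is not set.
    @Bean
    public UserDetailsService userDetailsService(
            @Value("${APP_USER_PASSWORD}") String rawPassword) {
        // The delegating encoder stores the hash in the form "{bcrypt}...".
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername("user")
                .password(encoder.encode(rawPassword))
                .roles("USER")
                .build());
    }
}
```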

Spring Boot is not configuring much, but it does a lot. A summary of the features follows:

You can also refer to the Spring Security documentation here.

OK. Now, where will I find the credentials to log in?

The default user name is “user” and the password is generated when the application starts up. We can get it from the console, as below:

Let’s provide the credentials now:

Wow. It worked now. So our API is protected by the default Spring Security configuration, and it is accessible only if credentials are provided.