fuhouyin/spring-boot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
spring-boot/spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto/security.adoc
Phillip Webb 711a0c19e6 Use consistent asciidoctor subs attribute 
Closes gh-25101
2021-05-04 13:01:20 -07:00

49 lines
2.6 KiB
Plaintext
Raw Blame History

[[howto.security]]
== Security
This section addresses questions about security when working with Spring Boot, including questions that arise from using Spring Security with Spring Boot.
For more about Spring Security, see the {spring-security}[Spring Security project page].
[[howto.security.switch-off-spring-boot-configuration]]
=== Switch off the Spring Boot Security Configuration
If you define a `@Configuration` with a `WebSecurityConfigurerAdapter` or a `SecurityFilterChain` bean in your application, it switches off the default webapp security settings in Spring Boot.
[[howto.security.change-user-details-service-and-add-user-accounts]]
=== Change the UserDetailsService and Add User Accounts
If you provide a `@Bean` of type `AuthenticationManager`, `AuthenticationProvider`, or `UserDetailsService`, the default `@Bean` for `InMemoryUserDetailsManager` is not created.
This means you have the full feature set of Spring Security available (such as {spring-security-docs}#servlet-authentication[various authentication options]).
The easiest way to add user accounts is to provide your own `UserDetailsService` bean.
[[howto.security.enable-https]]
=== Enable HTTPS When Running behind a Proxy Server
Ensuring that all your main endpoints are only available over HTTPS is an important chore for any application.
If you use Tomcat as a servlet container, then Spring Boot adds Tomcat's own `RemoteIpValve` automatically if it detects some environment settings, and you should be able to rely on the `HttpServletRequest` to report whether it is secure or not (even downstream of a proxy server that handles the real SSL termination).
The standard behavior is determined by the presence or absence of certain request headers (`x-forwarded-for` and `x-forwarded-proto`), whose names are conventional, so it should work with most front-end proxies.
You can switch on the valve by adding some entries to `application.properties`, as shown in the following example:
[source,yaml,indent=0,subs="verbatim",configprops,configblocks]
----
server:
tomcat:
remoteip:
remote-ip-header: "x-forwarded-for"
protocol-header: "x-forwarded-proto"
----
(The presence of either of those properties switches on the valve.
Alternatively, you can add the `RemoteIpValve` by customizing the `TomcatServletWebServerFactory` using a `WebServerFactoryCustomizer` bean.)
To configure Spring Security to require a secure channel for all (or some) requests, consider adding your own `SecurityFilterChain` bean that adds the following `HttpSecurity` configuration:
[source,java,indent=0,subs="verbatim"]
----
include::{docs-java}/howto/security/enablehttps/MySecurityConfig.java[]
----
Reference in New Issue View Git Blame Copy Permalink