Shulou(Shulou.com)06/01 Report--

This article mainly explains "how to configure spring boot 2 security". The content of the article is simple and clear, and it is easy to learn and understand. Please follow the editor's train of thought to study and learn how to configure spring boot 2 security.

Turn off Spring Boot security configuration

No matter where you define a @ Configuration annotated with @ EnableWebSecurity, it will turn off the default webapp security settings in Spring Boot. To adjust the default value, you can try setting the security.* property (see the SECURITY section on SecurityProperties and common application properties).

Change AuthenticationManager and add user account

If you provide a @ Bean of type AuthenticationManager, then the default will not be created, so you can get all the features available to Spring Security (for example, different authentication options).

Spring Security also provides a convenient AuthenticationManagerBuilder for building AuthenticationManager with common options. In a webapp, it is recommended that you inject it into a void method of WebSecurityConfigurerAdapter, such as:

@ Configurationpublic class SecurityConfiguration extends WebSecurityConfigurerAdapter {@ Autowired public void configureGlobal (AuthenticationManagerBuilder auth) throws Exception {auth.inMemoryAuthentication () .withUser ("barry") .password ("password") .roles ("USER"); / /. Etc.} / /... Other stuff for application security}

If you put it in an inner class or a separate class, you will get the best results (that is, not mixing with many other @ Beans will allow you to change the order of instantiation). Secure web sample is a useful reference template.

If you encounter instantiation problems (for example, using JDBC or JPA to store user details), it might be a good choice to extract the AuthenticationManagerBuilder callback to a GlobalAuthenticationConfigurerAdapter (put in the init () method in case authentication manager is needed elsewhere), such as:

@ Configurationpublic class AuthenticationManagerConfiguration extends GlobalAuthenticationConfigurerAdapter {@ Override public void init (AuthenticationManagerBuilder auth) {auth.inMemoryAuthentication () / /. Etc.} enable HTTPS when the current side uses a proxy server

For any application, ensuring that all primary endpoints (URL) are available only under HTTPS is an important chore. If you use Tomcat as the servlet container, Spring Boot will automatically add Tomcat's own RemoteIpValve if it finds some environment settings, and you can rely on HttpServletRequest to report whether the request is secure (even if the proxy server's downstream handles real SSL terminals). This standard behavior depends on the presence of certain request headers (x-forwarded-for and x-forwarded-proto), whose names are agreed upon, so they are valid for most front ends and agents.

You can add the following settings to application.properties to enable this feature, such as:

Server.tomcat.remote_ip_header=x-forwarded-forserver.tomcat.protocol_header=x-forwarded-proto

(one of these attributes will enable this feature, or you can add your own RemoteIpValve by adding a TomcatEmbeddedServletContainerFactorybean.)

Spring Security can also be configured to require a secure channel (channel) for all or some requests. To open it in a Spring Boot application, you just need to set the security.require_ssl in application.properties to true.

Thank you for reading, the above is the content of "how to configure spring boot 2 security". After the study of this article, I believe you have a deeper understanding of how to configure spring boot 2 security, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.