1. Add Dependencies
First, integrate Spring Security into your Spring Boot application by adding the Spring Security dependency to your project's pom.xml (for Maven projects) or build.gradle (for Gradle projects). For example, for a Maven project, you can add the following dependency:
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency>
For a Gradle project, you can add:
implementation 'org.springframework.boot:spring-boot-starter-security'
2. Configure Spring Security
After adding the dependency, Spring Boot automatically configures basic security settings. For instance, it enforces authentication for all incoming HTTP requests and creates a default user (with username 'user', whose password is printed to the console upon application startup).
3. Customize User Authentication
In most cases, you need to customize the user authentication process to align with your business requirements. You can achieve this by implementing the UserDetailsService interface. For example:
@Service public class MyUserDetailsService implements UserDetailsService { @Autowired private UserRepository userRepository; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = userRepository.findByUsername(username); if (user == null) { throw new UsernameNotFoundException("User not found"); } return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), new ArrayList<>()); } }
4. Configure Custom Security Policies
Customize security policies by extending the WebSecurityConfigurerAdapter class and overriding its methods, such as defining publicly accessible paths and authentication requirements:
@Configuration @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/", "/home").permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .permitAll() .and() .logout() .permitAll(); } @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService); } }
5. Use Password Encoder
For security, it is recommended to encrypt user passwords. Spring Security 5 recommends using PasswordEncoder. Configure it in SecurityConfiguration as follows:
@Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService) .passwordEncoder(passwordEncoder()); }
Conclusion
By following these steps, you can successfully integrate Spring Security into your Spring Boot application. This not only protects your application from unauthorized access but also provides robust authentication and authorization capabilities.