Add Spring Boot Hello World guide

Add Spring Boot Hello World Guide

Fixes gh-3866

docs/docs.gradle

@@ -18,6 +18,8 @@ project('manual') {
 
 	asciidoctor {
 		backends = ['docbook5']
+		def ghTag = snapshotBuild ? 'master' : project.version
+		def ghUrl = "https://github.com/spring-projects/spring-security/tree/$ghTag"
 		options = [
 		  eruby: 'erubis',
 		  attributes: [
@@ -33,6 +35,8 @@ project('manual') {
 			  'spring-security-version' : project.version,
 			  'spring-version' : springVersion,
 			  revnumber : project.version,
+			  'gh-url': ghUrl,
+			  'gh-samples-url': "$ghUrl/samples",
 			  docinfo : ""
 		  ]
 		]

docs/guides/src/docs/asciidoc/_hello-includes/exploring-the-secured-application-boot.asc

@@ -0,0 +1,21 @@
+=== Exploring the secured application
+
+Start the application as we did in <<running-the-{starter-appname}-application>>
+
+Navigate to http://localhost:8080/ and click on the *_secured pages_* link and you will be prompted to login.
+
+==== Authenticating to the secured application
+
+Try entering an invalid username and password:
+
+* *Username* _invalid_
+* *Password* _invalid_
+
+You should see an error message stating that authentication failed. Now try entering a valid username and password:
+
+* *Username* _user_
+* *Password* _password_
+
+You should now see the page that we wanted to secure.
+
+NOTE: The reason we can successfully authenticate with *Username* _user_ and *Password* _password_ is because that is what we configured in our <<security-config-java,SecurityConfig>>.

docs/guides/src/docs/asciidoc/_hello-includes/secure-the-application-boot.asc

@@ -0,0 +1,118 @@
+== Securing the application
+
+Before securing the application, it is important to ensure that the existing application works as we did in <<running-the-{starter-appname}-application>>. Now that the application runs without security, we are ready to add security to our application. This section demonstrates the minimal steps to add Spring Security to our application.
+
+=== Updating your dependencies
+
+include::../{include-maven-repository}[]
+
+In order to use Spring Security you must add the necessary dependencies. For the sample we will add the following Spring Security dependencies:
+
+.pom.xml
+[source,xml]
+[subs="verbatim,attributes"]
+----
+<dependencies>
+  <!-- ... other dependency elements ... -->
+  <dependency>
+	<groupId>org.springframework.security</groupId>
+	<artifactId>spring-security-web</artifactId>
+	<version>{spring-security-version}</version>
+  </dependency>
+  <dependency>
+	<groupId>org.springframework.security</groupId>
+	<artifactId>spring-security-config</artifactId>
+	<version>{spring-security-version}</version>
+  </dependency>
+  <dependency>
+	<groupId>org.thymeleaf.extras</groupId>
+	<artifactId>thymeleaf-extras-springsecurity4</artifactId>	<1>
+	<version>2.1.2.RELEASE</version>
+  </dependency>
+</dependencies>
+----
+
+<1> We are using http://www.thymeleaf.org/[Thymeleaf] for our view template engine
+and need to add an additional dependency for the https://github.com/thymeleaf/thymeleaf-extras-springsecurity[Thymeleaf - Spring Security integration module].
+
+After you have completed this, you need to ensure that STS knows about the updated dependencies by:
+
+* Right click on the _spring-security-samples-{starter-config-type}-{starter-appname}_ application
+* Select *Maven->Update project...*
+* Ensure the project is selected, and click *OK*
+
+=== Creating your Spring Security configuration
+
+The next step is to create a Spring Security configuration.
+
+* Right click the _spring-security-samples-{starter-config-type}-{starter-appname}_ project in the Package Explorer view
+* Select *New->Class*
+* Enter _org.springframework.security.samples.config_ for the *Package*
+* Enter _SecurityConfig_ for the *Name*
+* Click *Finish*
+* Replace the file with the following contents:
+
+[[security-config-java]]
+.src/main/java/org/springframework/security/samples/config/SecurityConfig.java
+[source,java]
+----
+package org.springframework.security.samples.config;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@EnableWebSecurity
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+
+	@Override
+	protected void configure(HttpSecurity http) throws Exception {
+		http
+			.authorizeRequests()
+				.antMatchers("/css/**", "/index").permitAll()		<1>
+				.antMatchers("/user/**").hasRole("USER")			<2>
+				.and()
+			.formLogin()
+				.loginPage("/login").failureUrl("/login-error");	<3>
+	}
+
+	@Autowired
+	public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+		auth
+			.inMemoryAuthentication()
+				.withUser("user").password("password").roles("USER");
+	}
+}
+----
+
+<1> requests matched against _/css/**_ and _/index_ are fully accessible
+<2> requests matched against _/user/**_ require a user to be authenticated and must be associated to the _USER_ role
+<3> form-based authentication is enabled with a custom login page and failure url
+
+
+NOTE: The name of the configureGlobal method is not important. However, it is important to only configure AuthenticationManagerBuilder in a class annotated with either `@EnableWebSecurity`, `@EnableGlobalMethodSecurity`, or `@EnableGlobalAuthentication`. Doing otherwise has unpredictable results.
+
+[[servlet-api-integration]]
+The <<security-config-java,SecurityConfig>> will:
+
+* Require authentication to requests matched against _/user/**_
+* Specifies the URL to send users to for form-based login
+* Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
+* Allow the user to logout
+* http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
+* http://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
+* Security Header integration
+** http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
+** http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
+** Cache Control (can be overridden later by your application to allow caching of your static resources)
+** http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
+** X-Frame-Options integration to help prevent http://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
+* Integrate with the following Servlet API methods
+** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
+** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
+** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
+** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
+** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
+

docs/guides/src/docs/asciidoc/_includes/setting-up-the-sample-boot.asc

@@ -0,0 +1,41 @@
+////
+
+Variables:
+
+starter-appname: the name of the module users should start with to complete the exercise
+starter-config-type: the type of configuration the starter sample uses: javaconfig, xml, boot
+completed-appname: the name of the module that contains the completed application
+completed-config-type: the type of configuration the completed sample uses: javaconfig, xml, boot
+download-url: the URL to download the Spring Security distribution
+
+////
+
+== Setting up the sample
+
+This section outlines how to setup a workspace within https://spring.io/tools/sts[Spring Tool Suite (STS)] so that you can follow along with this guide. The next section outlines generic steps for how to apply Spring Security to your existing application. While you could simply apply the steps to your existing application, we encourage you to follow along with this guide in order to reduce the complexity.
+
+=== Obtaining the sample project
+
+Extract the {download-url}[Spring Security Distribution] to a known location and remember it as _SPRING_SECURITY_HOME_.
+
+=== Import the {starter-appname} sample application
+
+In order to follow along, we encourage you to import the {starter-appname} sample application into your IDE. You may use any IDE you prefer, but the instructions in this guide will assume you are using Spring Tool Suite (STS).
+
+TIP: The completed sample application can be found at _SPRING_SECURITY_HOME_/samples/{completed-config-type}/{completed-appname}
+
+* If you do not have STS installed, download STS from https://spring.io/tools
+* Start STS and import the sample application into STS using the following steps:
+** *File->Import*
+** *Existing Maven Projects*
+** Click *Next >*
+** Click *Browse...*
+** Navigate to the samples (i.e. _SPRING_SECURITY_HOME_/samples/{starter-config-type}/{starter-appname}) and click *OK*
+** Click *Finish*
+
+=== Running the {starter-appname} application
+
+In the following exercise we will be modifying the _spring-security-samples-{starter-config-type}-{starter-appname}_  application. Before we make any changes, it is best to verify that the sample works properly. Perform the following steps to ensure that _spring-security-samples-{starter-config-type}-{starter-appname}_  works.
+
+* Right click on the _spring-security-samples-{starter-config-type}-{starter-appname}_ application
+* Select *Run As->Spring Boot App*

docs/guides/src/docs/asciidoc/form.asc → docs/guides/src/docs/asciidoc/form-javaconfig.asc

@@ -1,10 +1,12 @@
 = Creating a Custom Login Form
 :author: Rob Winch
-:starter-appname: javaconfig/hellomvc
-:completed-appname: javaconfig/form
+:starter-appname: hellomvc
+:starter-config-type: javaconfig
+:completed-appname: form
+:completed-config-type: javaconfig
 :include-dir: _includes
 
-This guide builds off of link:hellomvc.html[Hello Spring MVC Security Java Config] to explain how to configure and use a custom login form with Spring Security Java Configuration.
+This guide builds off of link:hellomvc-javaconfig.html[Hello Spring MVC Security Java Config] to explain how to configure and use a custom login form with Spring Security Java Configuration.
 
 include::{include-dir}/setting-up-the-sample.asc[]
 
@@ -17,7 +19,7 @@ Verify the application is working:
 
 = Overriding the default configure(HttpSecurity) method
 
-As we saw in link:hellomvc.html[Hello Spring MVC Security Java Config], Spring Security's `WebSecurityConfigurerAdapter` provides some convenient defaults to get our application
+As we saw in link:hellomvc-javaconfig.html[Hello Spring MVC Security Java Config], Spring Security's `WebSecurityConfigurerAdapter` provides some convenient defaults to get our application
 up and running quickly. However, our login form does not look like the rest of our application. Let's see how we can update our configuration to use a custom form.
 
 == Default configure(HttpSecurity)

docs/guides/src/docs/asciidoc/hellomvc.asc → docs/guides/src/docs/asciidoc/hellomvc-javaconfig.asc

@@ -1,7 +1,9 @@
 = Hello Spring MVC Security Java Config
 :author: Rob Winch
 :starter-appname: insecuremvc
-:completed-appname: javaconfig/hellomvc
+:starter-config-type: xml
+:completed-appname: hellomvc
+:completed-config-type: javaconfig
 :include-dir: _includes
 :hello-include-dir: _hello-includes
 
@@ -16,13 +18,13 @@ Verify the application is working:
 * Now click on the Inbox link and see the message listed. You can click on the summary link to see the details displayed again.
 
 
-include::{hello-include-dir}/secure-the-application.asc[]
+include::{hello-include-dir}/secure-the-application-javaconfig.asc[]
 
 === Registering Spring Security with the war
 
 We have created the Spring Security configuration, but we still need to register it with the war. This can be done using the following steps:
 
-* Right click the _spring-security-samples-{starter-appname}_ project the Package Explorer view
+* Right click the _spring-security-samples-{starter-config-type}-{starter-appname}_ project the Package Explorer view
 * Select *New->Class*
 * Enter _org.springframework.security.samples.config_ for the *Package*
 * Enter MessageSecurityWebApplicationInitializer for the *Name*
@@ -79,7 +81,7 @@ The `@ComponentScan` is loading all configuration within the same package (and c
 
 NOTE: Had <<security-config-java,SecurityConfig>> not been loaded, we could have used an `@Import(SecurityConfig.class)` above the class definition of <<root-configuration-java,RootConfiguration>> or added <<security-config-java,SecurityConfig>> as one of the results for `getRootConfigClasses()`.
 
-include::{hello-include-dir}/exploring-the-secured-application.asc[]
+include::{hello-include-dir}/exploring-the-secured-application-javaconfig.asc[]
 
 ==== Displaying the user name
 
@@ -116,10 +118,10 @@ In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request
 * the HTTP method must be a POST
 * the CSRF token must be added to the request. Since we have used `@EnableWebSecurity` and are using Thymeleaf, the CSRF token is automatically added as a hidden input for you (view the source to see it).
 
-NOTE: If you were not using Spring MVC taglibs or Thymeleaf, you can access the CsrfToken on the ServletRequest using the attribute _csrf.  You can find an example of including the CSRF token in a JSP within the link:helloworld.html[Hello Spring Security Java Config].
+NOTE: If you were not using Spring MVC taglibs or Thymeleaf, you can access the CsrfToken on the ServletRequest using the attribute _csrf.  You can find an example of including the CSRF token in a JSP within the link:helloworld-javaconfig.html[Hello Spring Security Java Config].
 
 Restart the application server and click the Log out button and see that the application logs you out successfully.
 
 == Conclusion
 
-You should now know how to secure your application using Spring Security without using any XML. Next, we will see how to link:form.html[customize our login form].
+You should now know how to secure your application using Spring Security without using any XML. Next, we will see how to link:form-javaconfig.html[customize our login form].

docs/guides/src/docs/asciidoc/helloworld-boot.asc

@@ -0,0 +1,97 @@
+= Hello Spring Security with Boot
+:author: Joe Grandja
+:starter-appname: insecure
+:starter-config-type: boot
+:completed-appname: helloworld
+:completed-config-type: boot
+:include-dir: _includes
+:hello-include-dir: _hello-includes
+
+This guide provides instructions on how to add Spring Security to an existing Spring Boot application.
+
+include::{include-dir}/setting-up-the-sample-boot.asc[]
+
+Verify the application is working by navigating to http://localhost:8080/
+
+Click on the *_secured pages_* link and verify the page states *TODO Secure this*
+
+Once you have verified the application runs, stop the application server using the following steps:
+
+* In the _Boot Dashboard_ view select the running application
+* Click the stop button (a red square) to stop the application
+
+include::{hello-include-dir}/secure-the-application-boot.asc[]
+
+include::{hello-include-dir}/exploring-the-secured-application-boot.asc[]
+
+==== Displaying the user name
+
+Now that we have authenticated, let's update the application to display the username. Update the complete content of */index.html* with the following:
+
+.src/main/resources/templates/index.html
+[source,html]
+----
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
+    <head>
+        <title>Hello Spring Security</title>
+        <meta charset="utf-8" />
+        <link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
+    </head>
+    <body>
+        <div th:fragment="logout" class="logout" sec:authorize="isAuthenticated()">		<1>
+            Logged in user: <span sec:authentication="name"></span> |					<2>
+            Roles: <span sec:authentication="principal.authorities"></span>				<3>
+            <div>
+                <form action="#" th:action="@{/logout}" method="post">					<4>
+                    <input type="submit" value="Logout" />
+                </form>
+            </div>
+        </div>
+        <h1>Hello Spring Security</h1>
+        <p>This is an unsecured page, but you can access the secured pages after authenticating.</p>
+        <ul>
+            <li>Go to the <a href="/user/index" th:href="@{/user/index}">secured pages</a></li>
+        </ul>
+    </body>
+</html>
+----
+
+NOTE: We are using http://www.thymeleaf.org/[Thymeleaf] for our view template engine and
+https://github.com/thymeleaf/thymeleaf-extras-springsecurity[Thymeleaf - Spring Security integration modules]
+in order to utilize the _sec:authentication_ and _sec:authorize_ attributes.
+
+<1> Displays the Thymeleaf fragment (DOM Node) if the current user has been authenticated.
+<2> Displays the name of the currently authenticated principal.
+<3> Displays the authorities of the currently authenticated principal.
+<4> The logout form.
+
+TIP: Thymeleaf will automatically add the CSRF token to our logout form. If we were not using Thymleaf or Spring MVCs taglib we could also manually add the CSRF token using `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`.
+
+==== Update the _secured_ page
+
+The last step is to update the _secured_ page to also display the currently authenticated principal. Update the complete content of */user/index.html* with the following:
+
+.src/main/resources/templates/user/index.html
+[source,html]
+----
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
+    <head>
+        <title>Hello Spring Security</title>
+        <meta charset="utf-8" />
+        <link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
+    </head>
+    <body>
+        <div th:substituteby="index::logout"></div>
+        <h1>This is a secured page!</h1>
+        <p><a href="/index" th:href="@{/index}">Back to home page</a></p>
+    </body>
+</html>
+----
+
+Start up the server and try visiting http://localhost:8080/ to see the updates to our application.
+
+== Conclusion
+
+You should now know how to secure your application using Spring Security with an existing Spring Boot application . To learn more refer to the link:index.html[Spring Security Guides index page].

docs/guides/src/docs/asciidoc/index.asc

@@ -1,5 +1,5 @@
 = Spring Security Guides
-Rob Winch
+Rob Winch, Joe Grandja
 
 These are step by step guides on how to use Spring Security.
 
@@ -8,9 +8,10 @@ These are step by step guides on how to use Spring Security.
 These are the most basic starting points for using a web based application.
 
 * link:helloworld-javaconfig.html[Hello Spring Security Java Config] - demonstrates how to integrate Spring Security with an existing application using Java-based configuration
+* link:helloworld-boot.html[Hello Spring Security with Boot] - demonstrates how to integrate Spring Security with an existing Spring Boot application
 * link:helloworld-xml.html[Hello Spring Security Xml Config] - demonstrates how to integrate Spring Security with an existing application using Xml-based configuration
-* link:hellomvc.html[Hello Spring MVC Security Java Config] - demonstrates how to integrate Spring Security with an existing Spring MVC application
+* link:hellomvc-javaconfig.html[Hello Spring MVC Security Java Config] - demonstrates how to integrate Spring Security with an existing Spring MVC application
 
 == Simple Customization
 
-* link:form.html[Creating a custom login form] - demonstrates how to create a custom login form
+* link:form-javaconfig.html[Creating a custom login form] - demonstrates how to create a custom login form

docs/manual/src/docs/asciidoc/index.adoc

@@ -409,6 +409,37 @@ Here is the list of improvements:
 * Re-organization of sample projects
 * Moved to GitHub issues
 
+[[samples]]
+== Samples and Guides (Start Here)
+
+If you are looking to get started with Spring Security, the best place to start is our Sample Applications.
+
+.Sample Applications
+|===
+| Source | Description | Guide
+
+| {gh-samples-url}/javaconfig/helloworld[Hello Spring Security]
+| Demonstrates how to integrate Spring Security with an existing application using Java-based configuration.
+| link:../../guides/html5/helloworld-javaconfig.html[Hello Spring Security Guide]
+
+| {gh-samples-url}/boot/helloworld[Hello Spring Security Boot]
+| Demonstrates how to integrate Spring Security with an existing Spring Boot application.
+| link:../../guides/html5/helloworld-boot.html[Hello Spring Security Boot Guide]
+
+| {gh-samples-url}/xml/helloworld[Hello Spring Security XML]
+| Demonstrates how to integrate Spring Security with an existing application using XML-based configuration.
+| link:../../guides/html5/helloworld-xml.html[Hello Spring Security XML Guide]
+
+| {gh-samples-url}/javaconfig/hellomvc[Hello Spring MVC Security]
+| Demonstrates how to integrate Spring Security with an existing Spring MVC application.
+| link:../../guides/html5/hellomvc-javaconfig.html[Hello Spring MVC Security Guide]
+
+| {gh-samples-url}/javaconfig/form[Custom Login Form]
+| Demonstrates how to create a custom login form.
+| link:../../guides/html5/form-javaconfig.html[Custom Login Form Guide]
+
+|===
+
 [[jc]]
 == Java Configuration
 

samples/boot/helloworld/pom.xml

@@ -3,7 +3,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-samples-boot-helloworld</artifactId>
-  <version>4.1.0.RELEASE</version>
+  <version>4.1.1.BUILD-SNAPSHOT</version>
   <name>spring-security-samples-boot-helloworld</name>
   <description>spring-security-samples-boot-helloworld</description>
   <url>http://spring.io/spring-security</url>
@@ -55,13 +55,13 @@
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-config</artifactId>
-      <version>4.1.0.RELEASE</version>
+      <version>4.1.1.BUILD-SNAPSHOT</version>
       <scope>compile</scope>
     </dependency>
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-web</artifactId>
-      <version>4.1.0.RELEASE</version>
+      <version>4.1.1.BUILD-SNAPSHOT</version>
       <scope>compile</scope>
     </dependency>
     <dependency>
@@ -115,7 +115,7 @@
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-test</artifactId>
-      <version>4.1.0.RELEASE</version>
+      <version>4.1.1.BUILD-SNAPSHOT</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -124,6 +124,12 @@
       <scope>test</scope>
     </dependency>
   </dependencies>
+  <repositories>
+    <repository>
+      <id>spring-snapshot</id>
+      <url>https://repo.spring.io/snapshot</url>
+    </repository>
+  </repositories>
   <build>
     <plugins>
       <plugin>

samples/boot/helloworld/src/integration-test/java/org/springframework/security/samples/HelloWorldApplicationTests.java

@@ -76,7 +76,7 @@ public class HelloWorldApplicationTests {
 
 	@Test
 	public void loginUser() throws Exception {
-		this.mockMvc.perform(formLogin().user("user1").password("password1"))
+		this.mockMvc.perform(formLogin().user("user").password("password"))
 				.andExpect(authenticated());
 	}
 
@@ -89,7 +89,7 @@ public class HelloWorldApplicationTests {
 
 	@Test
 	public void loginUserAccessProtected() throws Exception {
-		MvcResult mvcResult = this.mockMvc.perform(formLogin().user("user1").password("password1"))
+		MvcResult mvcResult = this.mockMvc.perform(formLogin().user("user").password("password"))
 				.andExpect(authenticated())
 				.andReturn();
 
@@ -102,7 +102,7 @@ public class HelloWorldApplicationTests {
 
 	@Test
 	public void loginUserValidateLogout() throws Exception {
-		MvcResult mvcResult = this.mockMvc.perform(formLogin().user("user1").password("password1"))
+		MvcResult mvcResult = this.mockMvc.perform(formLogin().user("user").password("password"))
 				.andExpect(authenticated())
 				.andReturn();
 
@@ -117,4 +117,4 @@ public class HelloWorldApplicationTests {
 				.andExpect(unauthenticated())
 				.andExpect(status().is3xxRedirection());
 	}
-}
+}

samples/boot/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java

@@ -44,7 +44,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 	public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
 		auth
 			.inMemoryAuthentication()
-				.withUser("user1").password("password1").roles("USER");
+				.withUser("user").password("password").roles("USER");
 	}
 	// @formatter:on
 }

samples/boot/helloworld/src/main/resources/application.yml

@@ -9,4 +9,4 @@ logging:
 
 spring:
   thymeleaf:
-    cache: true
+    cache: false

samples/boot/helloworld/src/main/resources/templates/index.html

@@ -10,9 +10,8 @@
             Logged in user: <span sec:authentication="name"></span> |
             Roles: <span sec:authentication="principal.authorities"></span>
             <div>
-                <form action="/logout" method="post">
+                <form action="#" th:action="@{/logout}" method="post">
                     <input type="submit" value="Logout" />
-                    <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
                 </form>
             </div>
         </div>
@@ -22,4 +21,4 @@
             <li>Go to the <a href="/user/index" th:href="@{/user/index}">secured pages</a></li>
         </ul>
     </body>
-</html>
+</html>

samples/boot/helloworld/src/main/resources/templates/login.html

@@ -7,7 +7,7 @@
 	</head>
     <body>
         <h1>Login page</h1>
-        <p>Example user: user1 / password1</p>
+        <p>Example user: user / password</p>
         <p th:if="${loginError}" class="error">Wrong user or password</p>
         <form th:action="@{/login}" method="post">
             <label for="username">Username</label>:

samples/boot/insecure/build.gradle

@@ -0,0 +1,12 @@
+apply from: BOOT_SAMPLE_GRADLE
+
+springBoot {
+    mainClass = 'org.springframework.security.samples.InsecureApplication'
+}
+
+dependencies {
+    compile "org.springframework.boot:spring-boot-starter-web:1.3.3.RELEASE",
+            "org.springframework.boot:spring-boot-starter-thymeleaf:1.3.3.RELEASE"
+
+    testCompile "org.springframework.boot:spring-boot-starter-test:1.3.3.RELEASE"
+}

samples/boot/insecure/pom.xml

@@ -0,0 +1,123 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>org.springframework.security</groupId>
+  <artifactId>spring-security-samples-boot-insecure</artifactId>
+  <version>4.1.1.BUILD-SNAPSHOT</version>
+  <name>spring-security-samples-boot-insecure</name>
+  <description>spring-security-samples-boot-insecure</description>
+  <url>http://spring.io/spring-security</url>
+  <organization>
+    <name>spring.io</name>
+    <url>http://spring.io/</url>
+  </organization>
+  <licenses>
+    <license>
+      <name>The Apache Software License, Version 2.0</name>
+      <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+      <distribution>repo</distribution>
+    </license>
+  </licenses>
+  <developers>
+    <developer>
+      <id>rwinch</id>
+      <name>Rob Winch</name>
+      <email>rwinch@gopivotal.com</email>
+    </developer>
+  </developers>
+  <scm>
+    <connection>scm:git:git://github.com/spring-projects/spring-security</connection>
+    <developerConnection>scm:git:git://github.com/spring-projects/spring-security</developerConnection>
+    <url>https://github.com/spring-projects/spring-security</url>
+  </scm>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.springframework</groupId>
+        <artifactId>spring-framework-bom</artifactId>
+        <version>4.2.5.RELEASE</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+  <dependencies>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-thymeleaf</artifactId>
+      <version>1.3.3.RELEASE</version>
+      <scope>compile</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+      <version>1.3.3.RELEASE</version>
+      <scope>compile</scope>
+    </dependency>
+    <dependency>
+      <groupId>commons-logging</groupId>
+      <artifactId>commons-logging</artifactId>
+      <version>1.2</version>
+      <scope>compile</scope>
+      <optional>true</optional>
+    </dependency>
+    <dependency>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-classic</artifactId>
+      <version>1.1.2</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.12</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.assertj</groupId>
+      <artifactId>assertj-core</artifactId>
+      <version>2.2.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <version>1.10.19</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>jcl-over-slf4j</artifactId>
+      <version>1.7.7</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-test</artifactId>
+      <version>1.3.3.RELEASE</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-test</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+  <repositories>
+    <repository>
+      <id>spring-snapshot</id>
+      <url>https://repo.spring.io/snapshot</url>
+    </repository>
+  </repositories>
+  <build>
+    <plugins>
+      <plugin>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <configuration>
+          <source>1.7</source>
+          <target>1.7</target>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

samples/boot/insecure/src/integration-test/java/org.springframework.security.samples/InsecureApplicationTests.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2012-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.samples;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.SpringApplicationConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ *
+ * @author Joe Grandja
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+@SpringApplicationConfiguration(InsecureApplication.class)
+@WebAppConfiguration
+public class InsecureApplicationTests {
+
+	@Autowired
+	private WebApplicationContext context;
+
+	private MockMvc mockMvc;
+
+	@Before
+	public void setup() {
+		mockMvc = MockMvcBuilders
+				.webAppContextSetup(context)
+				.build();
+	}
+
+	@Test
+	public void accessUnprotected() throws Exception {
+		this.mockMvc.perform(get("/index")).andExpect(status().isOk());
+	}
+
+}

samples/boot/insecure/src/main/java/org/springframework/security/samples/InsecureApplication.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright 2012-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.samples;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * @author Joe Grandja
+ */
+@SpringBootApplication
+public class InsecureApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(InsecureApplication.class, args);
+	}
+
+
+}

samples/boot/insecure/src/main/java/org/springframework/security/samples/web/MainController.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2002-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.samples.web;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+/**
+ * @author Joe Grandja
+ */
+@Controller
+public class MainController {
+
+	@RequestMapping("/")
+	public String root() {
+		return "redirect:/index";
+	}
+
+	@RequestMapping("/index")
+	public String index() {
+		return "index";
+	}
+
+	@RequestMapping("/user/index")
+	public String userIndex() {
+		return "user/index";
+	}
+
+	@RequestMapping(value = "/login")
+	public String login() {
+		return "login";
+	}
+
+	@RequestMapping(value = "/login", method = RequestMethod.POST)
+	public String postLogin() {
+		// TODO Enable form login with Spring Security (trigger error for now)
+		return "redirect:/login-error";
+	}
+
+	@RequestMapping("/login-error")
+	public String loginError(Model model) {
+		model.addAttribute("loginError", true);
+		return "login";
+	}
+
+}

samples/boot/insecure/src/main/resources/application.yml

@@ -0,0 +1,11 @@
+server:
+  port: 8080
+
+logging:
+  level:
+    root: WARN
+    org.springframework.web: INFO
+
+spring:
+  thymeleaf:
+    cache: false

samples/boot/insecure/src/main/resources/static/css/main.css

@@ -0,0 +1,13 @@
+body {
+    font-family: sans;
+    font-size: 1em;
+}
+
+p.error {
+    font-weight: bold;
+    color: red;
+}
+
+div.logout {
+    float: right;
+}

samples/boot/insecure/src/main/resources/templates/index.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
+    <head>
+        <title>Hello Spring Security</title>
+        <meta charset="utf-8" />
+        <link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
+    </head>
+    <body>
+        <h1>Hello Spring Security</h1>
+        <p>This is an unsecured page, but you can access the secured pages after authenticating.</p>
+        <ul>
+            <li>Go to the <a href="/user/index" th:href="@{/user/index}">secured pages</a></li>
+        </ul>
+    </body>
+</html>

samples/boot/insecure/src/main/resources/templates/login.html

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
+    <head>
+        <title>Login page</title>
+        <meta charset="utf-8" />
+        <link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
+	</head>
+    <body>
+        <h1>Login page</h1>
+        <p>Example user: user / password</p>
+        <p th:if="${loginError}" class="error">Wrong user or password</p>
+        <form th:action="@{/login}" method="post">
+            <label for="username">Username</label>:
+            <input type="text" id="username" name="username" autofocus="autofocus" /> <br />
+            <label for="password">Password</label>:
+            <input type="password" id="password" name="password" /> <br />
+            <input type="submit" value="Log in" />
+        </form>
+        <p><a href="/index" th:href="@{/index}">Back to home page</a></p>
+    </body>
+</html>

samples/boot/insecure/src/main/resources/templates/user/index.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
+    <head>
+        <title>Hello Spring Security</title>
+        <meta charset="utf-8" />
+        <link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
+    </head>
+    <body>
+		<h1>TODO Secure this</h1>
+		<p>We would like to secure this page</p>
+        <p><a href="/index" th:href="@{/index}">Back to home page</a></p>
+    </body>
+</html>