|
|
@@ -1,74 +0,0 @@
|
|
|
-[[servlet-hello]]
|
|
|
-= Hello Spring Security
|
|
|
-
|
|
|
-This section covers the minimum setup for how to use Spring Security with Spring Boot.
|
|
|
-
|
|
|
-[NOTE]
|
|
|
-====
|
|
|
-The completed application can be found {gh-samples-url}/servlet/spring-boot/java/hello-security[in our samples repository].
|
|
|
-For your convenience, you can download a minimal Spring Boot + Spring Security application by https://start.spring.io/starter.zip?type=maven-project&language=java&packaging=jar&jvmVersion=1.8&groupId=example&artifactId=hello-security&name=hello-security&description=Hello%20Security&packageName=example.hello-security&dependencies=web,security[clicking here].
|
|
|
-====
|
|
|
-
|
|
|
-[[servlet-hello-dependencies]]
|
|
|
-== Updating Dependencies
|
|
|
-
|
|
|
-The only step you need to do is update the dependencies by using xref:getting-spring-security.adoc#getting-maven-boot[Maven] or xref:getting-spring-security.adoc#getting-gradle-boot[Gradle].
|
|
|
-
|
|
|
-[[servlet-hello-starting]]
|
|
|
-== Starting Hello Spring Security Boot
|
|
|
-
|
|
|
-You can now https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#using-boot-running-with-the-maven-plugin[run the Spring Boot application] by using the Maven Plugin's `run` goal.
|
|
|
-The following example shows how to do so (and the beginning of the output from doing so):
|
|
|
-
|
|
|
-.Running Spring Boot Application
|
|
|
-====
|
|
|
-[source,bash]
|
|
|
-----
|
|
|
-$ ./mvn spring-boot:run
|
|
|
-...
|
|
|
-INFO 23689 --- [ restartedMain] .s.s.UserDetailsServiceAutoConfiguration :
|
|
|
-
|
|
|
-Using generated security password: 8e557245-73e2-4286-969a-ff57fe326336
|
|
|
-
|
|
|
-...
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-
|
|
|
-[[servlet-hello-auto-configuration]]
|
|
|
-== Spring Boot Auto Configuration
|
|
|
-
|
|
|
-// FIXME: Link to relevant portions of documentation
|
|
|
-// FIXME: Link to Spring Boot's Security Auto configuration classes
|
|
|
-// FIXME: Add a links for what user's should do next
|
|
|
-
|
|
|
-Spring Boot automatically:
|
|
|
-
|
|
|
-* Enables Spring Security's default configuration, which creates a servlet `Filter` as a bean named `springSecurityFilterChain`.
|
|
|
-This bean is responsible for all the security (protecting the application URLs, validating submitted username and passwords, redirecting to the log in form, and so on) within your application.
|
|
|
-* Creates a `UserDetailsService` bean with a username of `user` and a randomly generated password that is logged to the console.
|
|
|
-* Registers the `Filter` with a bean named `springSecurityFilterChain` with the Servlet container for every request.
|
|
|
-
|
|
|
-Spring Boot is not configuring much, but it does a lot.
|
|
|
-A summary of the features follows:
|
|
|
-
|
|
|
-* Require an authenticated user for any interaction with the application
|
|
|
-* Generate a default login form for you
|
|
|
-* Let the user with a username of `user` and a password that is logged to the console to authenticate with form-based authentication (in the preceding example, the password is `8e557245-73e2-4286-969a-ff57fe326336`)
|
|
|
-* Protects the password storage with BCrypt
|
|
|
-* Lets the user log out
|
|
|
-* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
|
|
-* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
|
|
-* Security Header integration
|
|
|
-** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
|
|
-** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
|
|
-** Cache Control (can be overridden later by your application to allow caching of your static resources)
|
|
|
-** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
|
|
-** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
|
|
-* Integrate with the following Servlet API methods:
|
|
|
-** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[`HttpServletRequest#getRemoteUser()`]
|
|
|
-** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[`HttpServletRequest#getUserPrincipal()`]
|
|
|
-** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[`HttpServletRequest#isUserInRole(java.lang.String)`]
|
|
|
-** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[`HttpServletRequest#login(java.lang.String, java.lang.String)`]
|
|
|
-** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[`HttpServletRequest#logout()`]
|
|
|
-
|
Rob Winch