External

• WebSecurityConfigurerAdapter javadoc

Internal

• Spring Security Concepts

Overview

This article describes Java-based Spring Security configuration. This method can be used to configure the following security aspects:

• one of the available user stores, such as the in-memory user store, JDBC user store or LDAP-backed user store, or alternatively, a custom user details service.
• what web requests should be secured.

Configuration Class

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    ...
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    ...
  }
}

Security Configuration

WebSecurityConfigurerAdapter can be used t o specify which web request should be secured and which not. This configuration is specified using the following method:

@Override
protected void configure(HttpSecurity http) throws Exception {
  ...
}

The HttpSecurity object can be used to configure how security is handled at the web level:

• what security conditions should be met before allowing a request to be served.
• the custom login page.
• how to log out.
• cross-site request forgery protection.

Securing Requests