Build a Secure Spring Boot App in Minutes with Spring Security

In modern web applications, security is essential, and Spring Security provides a comprehensive authentication and authorization solution for Spring Boot projects.

Why Choose Spring Security?

Security in web apps consists of two core aspects:

Authentication : confirming who the user is.

Authorization : determining what the user is allowed to do.

Spring Security acts as a professional "security steward" with a built‑in filter chain, mature authentication/authorization models, CSRF protection, session management, password encoding, and more. Its "secure by default" philosophy means that simply adding the starter dependency enables basic protection without extra configuration.

Build the Minimal Viable Project from Scratch

Add the Core Dependency

In pom.xml add the Spring Security starter:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>

After adding this dependency, Spring Boot automatically activates security configuration.

Create a Basic Controller

Write a simple controller to expose a home page and a dashboard page:

@GetMapping("/")
public String home() {
    return "home";
}

@GetMapping("/dashboard")
public String dashboard(Model model, Principal principal) {
    if (principal != null) {
        model.addAttribute("username", principal.getName());
    }
    return "dashboard";
}

The Principal object provides information about the currently logged‑in user.

Prepare Page Files

home.html

: the application’s home page, accessible without login (but will be intercepted by Spring Security and redirected to the login page). dashboard.html: the dashboard page, displayed after a successful login and shows the username.

Temporarily Ignore User Configuration

Comment out the default user settings in application.yml to observe Spring Security’s default behavior:

# spring:
#   security:
#     user:
#       name: user
#       password: acowbo123
#       roles: USER

Run the Project and Observe Default Behavior

Start the application with mvn spring-boot:run. The console prints a line similar to:

Using generated security password: 3160e790-0ee7-4561-bfca-41edb701dd88

The generated password is shown, and the default username is user. Accessing http://localhost:18080 redirects to Spring Security’s default login page. Log in with the printed password and the username user, then navigate to /dashboard to see the logged‑in username.

How the Random Password Is Generated

The password originates from Spring Boot’s auto‑configuration. The relevant package is org.springframework.boot.autoconfigure.security.servlet and the core class is UserDetailsServiceAutoConfiguration. When no custom UserDetailsService bean is defined and no spring.security.user.password property is set, Spring Boot creates an in‑memory user with username user and a random UUID password (controlled by the passwordGenerated flag).

Customizing Username and Password

In real projects you usually need custom credentials. Spring Security offers two common approaches:

Method A – Configuration File (good for demos)

Uncomment and edit the user section in application.yml:

spring:
  security:
    user:
      name: user
      password: acowbo123
      roles: USER

After restarting, the console no longer prints a random password; you can log in with the configured username and password. This method is simple but stores the password in plain text, which is unsuitable for production.

Method B – Bean Configuration (recommended for production)

Define a PasswordEncoder (e.g., BCryptPasswordEncoder) to hash passwords, configure a UserDetailsService such as InMemoryUserDetailsManager to add users and roles, and customize a SecurityFilterChain to set path rules, login page, logout logic, etc. This approach requires more code but provides flexible, secure authentication suitable for complex production requirements.

Summary and Next Steps

After following this guide you should be able to:

Quickly set up a Spring Boot application protected by Spring Security.

Understand how the default user and random password are generated.

Customize usernames and passwords either via configuration files or bean definitions.

Further learning can include creating a custom login page, using BCryptPasswordEncoder for password hashing, implementing role‑based authorization, and diving deeper into Spring Security’s filter chain to master request processing.