How Spring Security’s Core Configurations Protect Your Application
This article breaks down Spring Security’s three core Java configuration components—@EnableWebSecurity, WebSecurityConfiguration, and AuthenticationConfiguration—explaining how they replace XML setup, register the security filter chain, build the AuthenticationManager, and enable fine‑grained HttpSecurity rules such as path protection, form login, logout, CSRF, and security headers.
Core Configuration Overview
Spring Security’s Java‑based configuration is driven by three main components: @EnableWebSecurity, WebSecurityConfiguration and AuthenticationConfiguration. Together they replace the old XML springSecurityFilterChain setup and wire the security filter chain into the servlet container.
@EnableWebSecurity
The annotation is a meta‑annotation that imports WebSecurityConfiguration and AuthenticationConfiguration and enables global authentication. Its source shows it combines @Import of WebSecurityConfiguration and SpringWebMvcImportSelector, and adds @EnableGlobalAuthentication.
WebSecurityConfiguration
Registers the core filter bean named springSecurityFilterChain. In a Spring Boot application the filter is created as a DelegatingFilterProxy that forwards requests to the security chain.
AuthenticationConfiguration
Creates the global AuthenticationManager. It imports ObjectPostProcessorConfiguration and defines a @Bean that builds an AuthenticationManagerBuilder used by the rest of the framework.
WebSecurityConfigurerAdapter and HttpSecurity
Developers extend WebSecurityConfigurerAdapter and override configure(HttpSecurity http) to declare request‑level rules. A typical example configures:
public access to "/", "/home", "/login" and "/logout"
a form‑login page at "/login" marked permitAll(), together with logout handling and CSRF protection
security headers such as HSTS, X‑Content‑Type‑Options, X‑XSS‑Protection and X‑Frame‑Options
servlet‑API integration, exposing HttpServletRequest#getRemoteUser(), #getUserPrincipal(), #isUserInRole(String), #login(String,String) and #logout()
Additional examples show how to restrict static resources, lock down admin URLs, or combine role checks using .hasRole() and .access(). The .and() method returns the same HttpSecurity instance, allowing fluent chaining.
AuthenticationManagerBuilder
In‑memory authentication can be defined either by overriding configure(AuthenticationManagerBuilder auth) or by autowiring a global builder. Both approaches register a user admin/admin with role USER.
Understanding these components lets developers replace XML security configuration with concise Java code while retaining full control over authentication, authorization, session fixation, CSRF, and HTTP security headers.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // public paths; every other request requires an authenticated user
                .antMatchers("/", "/home", "/login", "/logout").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin().loginPage("/login").permitAll()
            .and()
                .logout().permitAll()
            .and()
                // this snippet switches CSRF protection off; browser-facing applications should normally keep it enabled
                .csrf().disable();
    }

    // autowiring the global AuthenticationManagerBuilder registers the user admin/admin with role USER
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                // Spring Security 5+ requires a PasswordEncoder; a plain-text password needs the "{noop}" prefix there
                .withUser("admin").password("admin").roles("USER");
    }
}
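A fuller configure(HttpSecurity) covering the rules the section above describes (static resources, admin URLs, role checks via .hasRole() and .access(), form login, logout, CSRF, session fixation and security headers), written here as an added example and not taken from the article. The paths, the 127.0.0.1 address and the /api/webhook endpoint are assumed; unlike the snippet above, this version keeps CSRF protection enabled and stores the in‑memory password bcrypt‑hashed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class HardenedWebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // static resources and public pages: no authentication required (assumed paths)
                .antMatchers("/css/**", "/js/**", "/images/**").permitAll()
                .antMatchers("/", "/home", "/login", "/logout").permitAll()
                // admin URLs need ROLE_ADMIN (hasRole() adds the ROLE_ prefix itself)
                .antMatchers("/admin/**").hasRole("ADMIN")
                // access() takes a SpEL expression: a role check combined with a client-IP check
                .antMatchers("/actuator/**").access("hasRole('ADMIN') and hasIpAddress('127.0.0.1')")
                .anyRequest().authenticated()
            .and()
                .formLogin().loginPage("/login").defaultSuccessUrl("/home").permitAll()
            .and()
                .logout().logoutUrl("/logout").logoutSuccessUrl("/login?logout").permitAll()
            .and()
                // CSRF protection stays enabled (the default); only the assumed token-authenticated
                // webhook endpoint, which cannot carry a CSRF token, is excluded
                .csrf().ignoringAntMatchers("/api/webhook")
            .and()
                // issue a new session id at login so a pre-login session id cannot be fixated
                .sessionManagement().sessionFixation().migrateSession()
            .and()
                // HSTS (one year, subdomains), X-Frame-Options: DENY, X-Content-Type-Options: nosniff
                .headers()
                    .httpStrictTransportSecurity().includeSubDomains(true).maxAgeInSeconds(31536000)
                .and()
                    .frameOptions().deny()
                    .contentTypeOptions();
    }

    // in-memory user for demonstration; the password is stored bcrypt-hashed, not as plain text
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("admin").password(encoder.encode("admin")).roles("USER", "ADMIN");
    }
}
```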
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"