Master Custom Spring Security Configuration in Spring Boot
This article walks through customizing Spring Security in a Spring Boot application: creating a custom security configuration class, overriding the AuthenticationManager, WebSecurity and HttpSecurity configuration methods, and explaining the default and commonly used HttpSecurity settings with code examples.
1. Introduction
Today we will learn how to customize the Spring Security configuration. We have previously mentioned WebSecurityConfigurerAdapter, and we know that Spring Boot's auto-configuration class SecurityAutoConfiguration imports the Spring Boot web security configuration class SpringBootWebSecurityConfiguration. That class is what we will customize.
2. Custom Spring Boot Web Security Configuration
We copy the source of SpringBootWebSecurityConfiguration and rename it CustomSpringBootWebSecurityConfiguration:
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
public class CustomSpringBootWebSecurityConfiguration {

    // Same order as Spring Boot's own default adapter, so it occupies the same slot in the filter chain
    @Configuration
    @Order(SecurityProperties.BASIC_AUTH_ORDER)
    static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {

        // 2.1 AuthenticationManager: users, PasswordEncoder, providers
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            super.configure(auth); // keep the defaults until we replace them
        }

        // 2.2 WebSecurity: the outer Servlet Filter, typically ignoring() for static resources
        @Override
        public void configure(WebSecurity web) throws Exception {
            super.configure(web);
        }

        // 2.3 HttpSecurity: builds the SecurityFilterChain
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            super.configure(http);
        }
    }
}

In DefaultConfigurerAdapter we override three methods to define our security access strategy.
2.1 AuthenticationManager configuration method
The method void configure(AuthenticationManagerBuilder auth) configures the AuthenticationManager, which manages authentication: the UserDetails sources and related components such as the PasswordEncoder. A detailed analysis of AuthenticationManager is omitted here.
2.2 Core filter configuration method
The method void configure(WebSecurity web) configures WebSecurity, which is Servlet Filter based and is wired in through DelegatingFilterProxy. Usually we use ignoring() here to exclude static resources from Spring Security control. Anything matched by ignoring() bypasses the whole security filter chain, so limit it to genuinely public static resources.
2.3 Security filter chain configuration method
The method void configure(HttpSecurity http) configures HttpSecurity, which builds a SecurityFilterChain. This is the method used most often to define custom security policies.
3. HttpSecurity configuration
3.1 Default configuration
// Body of WebSecurityConfigurerAdapter.configure(HttpSecurity); "logger" is the adapter's own Log field
protected void configure(HttpSecurity http) throws Exception {
    logger.debug("Using default configure(HttpSecurity). If subclassed this will potentially override subclass configure(HttpSecurity).");
    http.authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin().and()
        .httpBasic();
}

This default configuration requires authentication for every request, enables form login at /login, keeps the default CSRF and XSS protections, and enables HTTP Basic authentication.
3.2 Commonly used methods
HttpSecurity uses a builder pattern to define access strategies flexibly. The earlier XML-based configuration has been replaced by Java-based configuration. The commonly used methods are the ones demonstrated in the code above.
4. Summary
We have covered many aspects of Spring Security and are now ready to customize it for practical scenarios in upcoming articles.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"