SpringBoot : Security Configuration using HTTPSecurity vs WebSecurity

In this article, we’ll have a look at customizing Security Configuration and when to use HTTPSecurity vs WebSecurity configurations.

Spring Boot has become the de facto standard for developing production ready Java microservices. At some point we need to add security to our microservices and with Spring Boot we can do with the help of the Spring Security library.

At high level Spring Boot Security is a set of servlet filters that help you customize authentication and authorization to your microservices.

Spring Boot Security Auto-Configuration

In order to add security to our Spring Boot application, add the security starter dependency, with gradle we can do that by adding

uber(“org.springframework.boot:spring-boot-starter-security”)

You can find more on this from spring documentation.

Once starter-security is on the classpath, It will include SecurityAutoConfiguration class containing default security configuration. Which means Spring Boot application automatically secures all HTTP endpoints with “basic” authentication.

Customizing Security Configuration

To customize security for Springboot Application we need to have class and

a. Annotate with @EnableWebSecurity, which will apply the class to the global WebSecurity