Spring Security auto-configuration in Spring Boot - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is Spring Security auto-configuration?
It is a feature in Spring Boot that automatically sets up basic security settings for your application without needing manual configuration.
beginner
Which dependency triggers Spring Security auto-configuration in a Spring Boot project?
Adding the spring-boot-starter-security dependency triggers the auto-configuration of Spring Security.
intermediate
What default behavior does Spring Security auto-configuration provide?
It secures all HTTP endpoints by requiring authentication and provides a default login form and a generated password in the console.
intermediate
How can you customize Spring Security auto-configuration?
You can create your own @Configuration class with @EnableWebSecurity and define beans like SecurityFilterChain to override the defaults.
intermediate
What happens if you exclude Spring Security auto-configuration?
Your application will not have any security settings applied automatically, so endpoints will be open unless you configure security manually.
What triggers Spring Security auto-configuration in a Spring Boot app?
A. Adding spring-boot-starter-data-jpa dependency
B. Adding spring-boot-starter-web dependency
C. Adding spring-boot-starter-security dependency
D. Adding spring-boot-starter-thymeleaf dependency

What is the default behavior of Spring Security auto-configuration?
A. All HTTP endpoints require authentication with a default login form
B. Only POST requests require authentication
C. All HTTP endpoints are open without authentication
D. It disables security by default

How can you disable Spring Security auto-configuration?
A. Add @EnableAutoConfiguration annotation
B. Remove spring-boot-starter-security dependency
C. Add @SpringBootApplication annotation
D. Add spring-boot-starter-web dependency

Which class can you define to customize Spring Security auto-configuration?
A. DataSourceConfig
B. ApplicationRunner
C. RestController
D. SecurityFilterChain

What does Spring Security auto-configuration print in the console on startup?
A. A generated default user password
B. Database connection details
C. Application version info
D. No output related to security

Explain how Spring Security auto-configuration works in a Spring Boot application.
Think about what happens when you add the security starter to your project.

Describe ways to customize or override Spring Security auto-configuration.
Consider how you can add your own security rules in Spring Boot.

      Practice

1. What happens when you add spring-boot-starter-security to a Spring Boot project without any additional configuration?
easy
A. The application runs without any security restrictions.
B. All web endpoints are secured with a default login page.
C. Only REST endpoints are secured, web pages remain open.
D. The application throws an error due to missing configuration.

Solution

Step 1: Understand the default behavior of spring-boot-starter-security
Adding this starter enables Spring Security auto-configuration, which secures all web endpoints by default.
Step 2: Recognize the default login page
Spring Security provides a default login page automatically when no custom security config is present.
Final Answer: All web endpoints are secured with a default login page. -> Option B
Quick Check: Default security = secured endpoints + login page
Hint: Default security locks all endpoints behind the login page
Common Mistakes:
• Thinking endpoints remain open without config
• Assuming only REST endpoints are secured
• Believing an error occurs without config

2. Which of the following is the correct way to disable Spring Security auto-configuration in a Spring Boot application?
easy
A. @Configuration(exclude = SecurityAutoConfiguration.class)
B. @EnableAutoConfiguration(exclude = SecurityAutoConfiguration.class)
C. @ComponentScan(exclude = SecurityAutoConfiguration.class)
D. @SpringBootApplication(exclude = SecurityAutoConfiguration.class)

Solution

Step 1: Identify the correct annotation for excluding an auto-configuration
Spring Boot allows excluding auto-configurations via the exclude attribute of @SpringBootApplication.
Step 2: Confirm the correct class to exclude
The class to exclude in order to disable security auto-configuration is SecurityAutoConfiguration.class.
Final Answer: @SpringBootApplication(exclude = SecurityAutoConfiguration.class) -> Option D
Quick Check: Disable auto-config = exclude in @SpringBootApplication
Hint: Exclude SecurityAutoConfiguration in @SpringBootApplication
Common Mistakes:
• Using @EnableAutoConfiguration instead of @SpringBootApplication
• Trying to exclude in @ComponentScan or @Configuration
• Not specifying the correct class to exclude

3. Given this Spring Boot application with spring-boot-starter-security added and no custom security config, what will happen when a user accesses the /hello endpoint?

    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class HelloController {
        @GetMapping("/hello")
        public String hello() {
            return "Hello World";
        }
    }

medium
A. The user sees "Hello World" without login.
B. The endpoint returns 404 Not Found.
C. The user is redirected to a login page before seeing "Hello World".
D. The application throws a runtime exception.

Solution

Step 1: Recall the default security behavior with no custom config
All endpoints are secured and require authentication by default.
Step 2: Understand the access flow to the /hello endpoint
Accessing /hello causes Spring Security to redirect the user to the default login page before allowing access.
Final Answer: The user is redirected to a login page before seeing "Hello World". -> Option C
Quick Check: Default security = login redirect before access
Hint: No config means the login page appears before any endpoint access
Common Mistakes:
• Assuming endpoints are open without login
• Expecting a 404 error for an existing endpoint
• Thinking a runtime exception occurs

4. You added spring-boot-starter-security but your application fails to start with a bean creation error related to AuthenticationManager. What is the likely cause?
medium
A. You defined a custom SecurityFilterChain but forgot to expose an AuthenticationManager bean.
B. You did not add the spring-boot-starter-web dependency.
C. You excluded SecurityAutoConfiguration but still use security annotations.
D. You have multiple @SpringBootApplication classes.

Solution

Step 1: Understand the error context around the AuthenticationManager bean
When customizing security by defining a SecurityFilterChain, Spring Boot no longer auto-configures an AuthenticationManager.
Step 2: Identify the missing bean definition
You must expose an AuthenticationManager bean yourself to satisfy the dependencies that require it.
Final Answer: You defined a custom SecurityFilterChain but forgot to expose an AuthenticationManager bean. -> Option A
Quick Check: Custom filter chain needs an AuthenticationManager bean
Hint: A custom SecurityFilterChain requires an AuthenticationManager bean
Common Mistakes:
• Blaming a missing web dependency
• Ignoring the need for an AuthenticationManager bean
• Assuming multiple @SpringBootApplication classes cause this error

5. You want to customize Spring Security auto-configuration to allow public access to /public/** endpoints but secure all others with form login. Which configuration snippet correctly achieves this?
hard
A. Define a SecurityFilterChain bean with http.authorizeHttpRequests().requestMatchers("/public/**").permitAll().anyRequest().authenticated().and().formLogin().
B. Exclude SecurityAutoConfiguration and manually configure WebSecurityConfigurerAdapter to permit /public/**.
C. Add @EnableWebSecurity and override configure(HttpSecurity http) to permit /public/** and disable form login.
D. Add @SpringBootApplication(exclude = SecurityAutoConfiguration.class) and use http.csrf().disable().

Solution

Step 1: Use a SecurityFilterChain bean to customize security rules
Spring Security 5.7+ recommends defining a SecurityFilterChain bean for custom rules.
Step 2: Permit /public/** and require authentication for everything else with form login
The method chain authorizeHttpRequests().requestMatchers("/public/**").permitAll().anyRequest().authenticated().and().formLogin() sets exactly these rules.
Final Answer: Define a SecurityFilterChain bean with http.authorizeHttpRequests().requestMatchers("/public/**").permitAll().anyRequest().authenticated().and().formLogin() -> Option A
Quick Check: Permit public paths + secure all others + form login = SecurityFilterChain bean with permitAll() on /public/**, authenticated() on anyRequest(), and formLogin()
Hint: Use a SecurityFilterChain bean with permitAll and formLogin
Common Mistakes:
• Excluding auto-config and using the deprecated WebSecurityConfigurerAdapter
• Disabling form login when it is required
• Using @EnableWebSecurity without defining the proper bean