Spring Security auto-configuration in Spring Boot - Step-by-Step Execution
Concept Flow - Spring Security auto-configuration
- Start Spring Boot App
- Spring Boot scans classpath
- Detect spring-boot-starter-security
- Load SecurityAutoConfiguration
- Apply default security settings
- Create default user & password
- Secure all HTTP endpoints
- App ready with security
Spring Boot detects the security starter, loads auto-configuration, sets default security rules, and creates a default user automatically.
Execution Sample
Spring Boot
/* spring-boot-starter-security dependency added to the build; no other security code */
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class App {
  public static void main(String[] args) {
    // Starting the context triggers classpath scanning and SecurityAutoConfiguration
    SpringApplication.run(App.class, args);
  }
}
This code starts a Spring Boot app with Spring Security auto-configured by default.
Execution Table
Step | Action | Condition/Check | Result/Effect
1 | Start Spring Boot app | App main method runs | Spring Boot context starts
2 | Classpath scan | spring-boot-starter-security present? | Yes, detected
3 | Load SecurityAutoConfiguration | Auto-config enabled? | Yes, loaded
4 | Apply default security | No custom security config? | Default security applied
5 | Create default user | No user defined? | User 'user' with generated password created
6 | Secure HTTP endpoints | All endpoints secured by default | Authentication required for all requests
7 | App ready | Security active | App runs with default security
8 | Exit | No further config | Auto-configuration complete
💡 Auto-configuration stops after applying default security and creating default user.
Variable Tracker
Variable | Start | After Step 3 | After Step 5 | Final
securityAutoConfigLoaded | false | true | true | true
defaultUserCreated | false | false | true | true
httpEndpointsSecured | false | false | true | true
Key Moments - 3 Insights
Why does Spring Security create a default user automatically?
Because no custom user is defined, the auto-configuration creates a default user to secure the app by default, as shown in execution_table step 5.
What happens if I add my own security configuration?
The auto-configuration backs off and does not apply defaults, so your config takes priority. This is implied by the condition in step 4.
Are all HTTP endpoints secured by default?
Yes, by default all endpoints require authentication, as shown in step 6 of the execution_table.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, at which step is the default user created?
A. Step 5
B. Step 3
C. Step 6
D. Step 2
💡 Hint
Check the 'Action' column for 'Create default user' in the execution_table.
According to variable_tracker, what is the value of 'httpEndpointsSecured' after step 5?
A. false
B. true
C. undefined
D. null
💡 Hint
Look at the 'httpEndpointsSecured' row and the 'After Step 5' column in variable_tracker.
If you add a custom security configuration, which step in execution_table would likely be skipped?
A. Step 5
B. Step 6
C. Step 4
D. Step 2
💡 Hint
Step 4 checks if no custom config exists before applying defaults.
Concept Snapshot
Spring Security auto-configuration:
- Detects spring-boot-starter-security on classpath
- Loads SecurityAutoConfiguration automatically
- Applies default security if no custom config
- Creates default user 'user' with random password
- Secures all HTTP endpoints by default
- Auto-config backs off if custom security config exists
Full Transcript
When you start a Spring Boot app with the spring-boot-starter-security dependency, Spring Boot scans the classpath and detects the security starter. It then loads the SecurityAutoConfiguration class automatically. If you have not defined your own security configuration, Spring applies default security settings. This includes creating a default user named 'user' with a generated password and securing all HTTP endpoints so they require authentication. The app then runs with these default security settings. If you add your own security configuration, the auto-configuration will back off and not apply these defaults. This process ensures your app is secure out of the box with minimal setup.
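The defaults the transcript describes can be checked rather than assumed. The following Spring Boot test is an added example, not code from the original page: it drives the auto-configured application with MockMvc and asserts that anonymous requests are refused, that browser-style requests are sent to the default login page, and that the auto-configured in-memory user accepts its credentials. It assumes spring-boot-starter-web, spring-boot-starter-security, spring-boot-starter-test and spring-security-test on the classpath, a /hello endpoint returning "Hello World" like the HelloController in practice question 3, and no custom security configuration. The user name and password are pinned through Boot's spring.security.user.* properties (the values are constructed for the test) so the test does not depend on the random password that auto-configuration generates at startup; the package name is hypothetical.

```java
// Added example (not from the original page): verifies Spring Boot's default security.
package com.example.demo; // hypothetical package

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest(properties = {
        // Constructed test credentials: override the random password so the
        // auto-configured user (execution table step 5) can be exercised deterministically.
        "spring.security.user.name=alice",
        "spring.security.user.password=s3cret"
})
@AutoConfigureMockMvc
class DefaultSecurityTest {

    @Autowired
    MockMvc mvc;

    // Step 6: an anonymous API-style request is rejected. Boot's default chain enables
    // both formLogin and httpBasic, so a client that accepts JSON receives a 401 with a
    // Basic challenge instead of a redirect.
    @Test
    void anonymousJsonRequestGets401() throws Exception {
        mvc.perform(get("/hello").accept(MediaType.APPLICATION_JSON))
           .andExpect(status().isUnauthorized())
           .andExpect(header().exists("WWW-Authenticate"));
    }

    // The same endpoint requested by a browser is redirected to the default login page
    // (the behaviour practice question 3 describes).
    @Test
    void anonymousBrowserRequestIsRedirectedToLogin() throws Exception {
        mvc.perform(get("/hello").accept(MediaType.TEXT_HTML))
           .andExpect(status().isFound())
           .andExpect(redirectedUrl("http://localhost/login"));
    }

    // Step 5: the auto-configured in-memory user accepts the pinned credentials.
    @Test
    void autoConfiguredUserCanAuthenticate() throws Exception {
        mvc.perform(get("/hello").with(httpBasic("alice", "s3cret")))
           .andExpect(status().isOk())
           .andExpect(content().string("Hello World"));
    }

    // A wrong password against the same user is still refused.
    @Test
    void wrongPasswordIsRejected() throws Exception {
        mvc.perform(get("/hello").with(httpBasic("alice", "wrong")))
           .andExpect(status().isUnauthorized());
    }
}
```

If the first two tests start failing after a dependency or configuration change, the auto-configuration has backed off (execution table step 4) and the endpoints are no longer protected by the defaults; that is exactly the regression this test is meant to catch.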

Practice

1. What happens when you add spring-boot-starter-security to a Spring Boot project without any additional configuration?
easy
A. The application runs without any security restrictions.
B. All web endpoints are secured with a default login page.
C. Only REST endpoints are secured, web pages remain open.
D. The application throws an error due to missing configuration.

Solution

  1. Step 1: Understand default behavior of spring-boot-starter-security

    Adding this starter enables Spring Security auto-configuration which secures all web endpoints by default.
  2. Step 2: Recognize the default login page

    Spring Security provides a default login page automatically when no custom security config is provided.
  3. Final Answer:

    All web endpoints are secured with a default login page. -> Option B
  4. Quick Check:

    Default security = secured endpoints + login page [OK]
Hint: Default security locks all endpoints with login page [OK]
Common Mistakes:
  • Thinking endpoints remain open without config
  • Assuming only REST endpoints are secured
  • Believing an error occurs without config
2. Which of the following is the correct way to disable Spring Security auto-configuration in a Spring Boot application?
easy
A. @Configuration(exclude = SecurityAutoConfiguration.class)
B. @EnableAutoConfiguration(exclude = SecurityAutoConfiguration.class)
C. @ComponentScan(exclude = SecurityAutoConfiguration.class)
D. @SpringBootApplication(exclude = SecurityAutoConfiguration.class)

Solution

  1. Step 1: Identify the correct annotation to exclude auto-configuration

    Spring Boot allows excluding auto-configurations via the exclude attribute in @SpringBootApplication.
  2. Step 2: Confirm the correct class to exclude

    The class to exclude for disabling security auto-configuration is SecurityAutoConfiguration.class.
  3. Final Answer:

    @SpringBootApplication(exclude = SecurityAutoConfiguration.class) -> Option D
  4. Quick Check:

    Disable auto-config = exclude in @SpringBootApplication [OK]
Hint: Exclude SecurityAutoConfiguration in @SpringBootApplication [OK]
Common Mistakes:
  • Using @EnableAutoConfiguration instead of @SpringBootApplication
  • Trying to exclude in @ComponentScan or @Configuration
  • Not specifying the correct class to exclude
3. Given this Spring Boot application with spring-boot-starter-security added and no custom security config, what will happen when a user accesses /hello endpoint?
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;

 @RestController
 public class HelloController {
   @GetMapping("/hello")
   public String hello() {
     return "Hello World";
   }
 }
medium
A. The user sees "Hello World" without login.
B. The endpoint returns 404 Not Found.
C. The user is redirected to a login page before seeing "Hello World".
D. The application throws a runtime exception.

Solution

  1. Step 1: Recall default security behavior with no custom config

    All endpoints are secured and require authentication by default.
  2. Step 2: Understand access flow to /hello endpoint

    Accessing /hello triggers Spring Security to redirect to the default login page before allowing access.
  3. Final Answer:

    The user is redirected to a login page before seeing "Hello World". -> Option C
  4. Quick Check:

    Default security = login redirect before access [OK]
Hint: No config means login page before any endpoint access [OK]
Common Mistakes:
  • Assuming endpoints are open without login
  • Expecting 404 error for existing endpoint
  • Thinking runtime exception occurs
4. You added spring-boot-starter-security but your application fails to start with a bean creation error related to AuthenticationManager. What is the likely cause?
medium
A. You defined a custom SecurityFilterChain but forgot to expose an AuthenticationManager bean.
B. You did not add spring-boot-starter-web dependency.
C. You excluded SecurityAutoConfiguration but still use security annotations.
D. You have multiple @SpringBootApplication classes.

Solution

  1. Step 1: Understand the error context with AuthenticationManager bean

    When customizing security by defining a SecurityFilterChain, Spring Boot no longer auto-configures AuthenticationManager.
  2. Step 2: Identify missing bean definition

    You must manually expose an AuthenticationManager bean to satisfy dependencies.
  3. Final Answer:

    You defined a custom SecurityFilterChain but forgot to expose an AuthenticationManager bean. -> Option A
  4. Quick Check:

    Custom filter chain needs AuthenticationManager bean [OK]
Hint: Custom SecurityFilterChain requires AuthenticationManager bean [OK]
Common Mistakes:
  • Blaming missing web dependency
  • Ignoring need for AuthenticationManager bean
  • Assuming multiple @SpringBootApplication causes this error
5. You want to customize Spring Security auto-configuration to allow public access to /public/** endpoints but secure all others with form login. Which configuration snippet correctly achieves this?
hard
A. Define a SecurityFilterChain bean with http.authorizeHttpRequests().requestMatchers("/public/**").permitAll().anyRequest().authenticated().and().formLogin().
B. Exclude SecurityAutoConfiguration and manually configure WebSecurityConfigurerAdapter to permit /public/**.
C. Add @EnableWebSecurity and override configure(HttpSecurity http) to permit /public/** and disable form login.
D. Add @SpringBootApplication(exclude = SecurityAutoConfiguration.class) and use http.csrf().disable().

Solution

  1. Step 1: Use SecurityFilterChain bean to customize security rules

    Spring Security 5.7+ recommends defining a SecurityFilterChain bean for custom rules.
  2. Step 2: Permit /public/** and require authentication for others with form login

    The method chain authorizeHttpRequests().requestMatchers("/public/**").permitAll().anyRequest().authenticated().and().formLogin() correctly sets these rules.
  3. Final Answer:

    Define a SecurityFilterChain bean with http.authorizeHttpRequests().requestMatchers("/public/**").permitAll().anyRequest().authenticated().and().formLogin() -> Option A
  4. Quick Check:

    Permit public paths + secure others + form login = Define a SecurityFilterChain bean with http.authorizeHttpRequests().requestMatchers("/public/**").permitAll().anyRequest().authenticated().and().formLogin(). [OK]
Hint: Use SecurityFilterChain bean with permitAll and formLogin [OK]
Common Mistakes:
  • Excluding auto-config and using deprecated WebSecurityConfigurerAdapter
  • Disabling form login when it is required
  • Misusing @EnableWebSecurity without proper bean
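The configuration that practice question 5 asks for, written out as a complete class. This is an added example, not code from the original page: it expresses the rules of option A in Spring Security 6's lambda DSL, which is the recommended form of the same .and() chain shown in the option. Because the class defines a SecurityFilterChain bean, Boot's default chain backs off (execution table step 4), while the auto-configured default user from step 5 is still created unless a UserDetailsService bean is defined. The package name and the DemoController endpoints are hypothetical.

```java
// Added example (not from the original page): custom SecurityFilterChain that opens
// /public/** and keeps everything else behind form login.
package com.example.demo; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    // Defining this bean is what makes Boot's default SecurityFilterChain back off.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Rules are evaluated in order and the first match wins, so the public
            // prefix must come before the catch-all; anything not under /public/**
            // still requires an authenticated user.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            // Browser users are sent to the generated login page. CSRF protection
            // and the other defaults of the builder remain enabled.
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

// Hypothetical controller to exercise both rules.
@RestController
class DemoController {

    @GetMapping("/public/ping")
    public String ping() {
        return "pong"; // reachable without logging in
    }

    @GetMapping("/hello")
    public String hello() {
        return "Hello World"; // anonymous browser requests are redirected to /login
    }
}
```

With this configuration, GET /public/ping returns 200 for an anonymous request while GET /hello from a browser is redirected to /login; the same MockMvc approach used in the earlier test can assert both outcomes.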