spring-security/docs/modules/ROOT/pages/servlet/getting-started.adoc

[[servlet-hello]]
= Hello Spring Security

This section covers the minimum setup for how to use Spring Security with Spring Boot.

[NOTE]
====
The completed application can be found {gh-samples-url}/servlet/spring-boot/java/hello-security[in our samples repository].
For your convenience, you can download https://start.spring.io/starter.zip?type=maven-project&language=java&packaging=jar&jvmVersion=1.8&groupId=example&artifactId=hello-security&name=hello-security&description=Hello%20Security&packageName=example.hello-security&dependencies=web,security[a minimal Spring Boot + Spring Security application].
====

[[servlet-hello-dependencies]]
== Updating Dependencies

The only step you need to do is update the dependencies by using xref:getting-spring-security.adoc#getting-maven-boot[Maven] or xref:getting-spring-security.adoc#getting-gradle-boot[Gradle].

[[servlet-hello-starting]]
== Starting Hello Spring Security Boot

You can now https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#using-boot-running-with-the-maven-plugin[run the Spring Boot application] by using the Maven Plugin's `run` goal.
The following example shows how to do so (and the beginning of the output from doing so):

.Running Spring Boot Application
====
[source,bash]
----
$ ./mvn spring-boot:run
...
INFO 23689 --- [  restartedMain] .s.s.UserDetailsServiceAutoConfiguration :

Using generated security password: 8e557245-73e2-4286-969a-ff57fe326336

...
----
====


[[servlet-hello-auto-configuration]]
== Spring Boot Auto Configuration

// FIXME: Link to relevant portions of documentation
// FIXME: Link to Spring Boot's Security Auto configuration classes
// FIXME: Add links for what user's should do next

Spring Boot automatically:

* Enables Spring Security's default configuration, which creates a servlet `Filter` as a bean named `springSecurityFilterChain`.
This bean is responsible for all the security (protecting the application URLs, validating submitted username and passwords, redirecting to the login form, and so on) within your application.
* Creates a `UserDetailsService` bean with a username of `user` and a randomly generated password that is logged to the console.
* Registers the `Filter` with a bean named `springSecurityFilterChain` with the Servlet container for every request.

Spring Boot is not configuring much, but it does a lot.
A summary of the features follows:

* Require an authenticated user for any interaction with the application
* Generate a default login form for you
* Let the user with a username of `user` and a password that is logged to the console to authenticate with form-based authentication (in the preceding example, the password is `8e557245-73e2-4286-969a-ff57fe326336`)
* Protects the password storage with BCrypt
* Lets the user log out
* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
* Security Header integration
** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
** Cache Control (can be overridden later by your application to allow caching of your static resources)
** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
* Integrate with the following Servlet API methods:
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[`HttpServletRequest#getRemoteUser()`]
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[`HttpServletRequest.html#getUserPrincipal()`]
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[`HttpServletRequest.html#isUserInRole(java.lang.String)`]
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[`HttpServletRequest.html#login(java.lang.String, java.lang.String)`]
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[`HttpServletRequest.html#logout()`]
Reduce folders 2021-08-19 15:17:49 -04:00			`[[servlet-hello]]`
			`= Hello Spring Security`

			`This section covers the minimum setup for how to use Spring Security with Spring Boot.`

			`[NOTE]`
			`====`
			`The completed application can be found {gh-samples-url}/servlet/spring-boot/java/hello-security[in our samples repository].`
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`For your convenience, you can download https://start.spring.io/starter.zip?type=maven-project&language=java&packaging=jar&jvmVersion=1.8&groupId=example&artifactId=hello-security&name=hello-security&description=Hello%20Security&packageName=example.hello-security&dependencies=web,security[a minimal Spring Boot + Spring Security application].`
Reduce folders 2021-08-19 15:17:49 -04:00			`====`

			`[[servlet-hello-dependencies]]`
			`== Updating Dependencies`

			`The only step you need to do is update the dependencies by using xref:getting-spring-security.adoc#getting-maven-boot[Maven] or xref:getting-spring-security.adoc#getting-gradle-boot[Gradle].`

			`[[servlet-hello-starting]]`
			`== Starting Hello Spring Security Boot`

			You can now https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#using-boot-running-with-the-maven-plugin[run the Spring Boot application] by using the Maven Plugin's `run` goal.
			`The following example shows how to do so (and the beginning of the output from doing so):`

			`.Running Spring Boot Application`
			`====`
			`[source,bash]`
			`----`
			`$ ./mvn spring-boot:run`
			`...`
			`INFO 23689 --- [ restartedMain] .s.s.UserDetailsServiceAutoConfiguration :`

			`Using generated security password: 8e557245-73e2-4286-969a-ff57fe326336`

			`...`
			`----`
			`====`


			`[[servlet-hello-auto-configuration]]`
			`== Spring Boot Auto Configuration`

			`// FIXME: Link to relevant portions of documentation`
			`// FIXME: Link to Spring Boot's Security Auto configuration classes`
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`// FIXME: Add links for what user's should do next`
Reduce folders 2021-08-19 15:17:49 -04:00
			`Spring Boot automatically:`

			* Enables Spring Security's default configuration, which creates a servlet `Filter` as a bean named `springSecurityFilterChain`.
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 17:01:26 -04:00			`This bean is responsible for all the security (protecting the application URLs, validating submitted username and passwords, redirecting to the login form, and so on) within your application.`
Reduce folders 2021-08-19 15:17:49 -04:00			* Creates a `UserDetailsService` bean with a username of `user` and a randomly generated password that is logged to the console.
			* Registers the `Filter` with a bean named `springSecurityFilterChain` with the Servlet container for every request.

			`Spring Boot is not configuring much, but it does a lot.`
			`A summary of the features follows:`

			`* Require an authenticated user for any interaction with the application`
			`* Generate a default login form for you`
			* Let the user with a username of `user` and a password that is logged to the console to authenticate with form-based authentication (in the preceding example, the password is `8e557245-73e2-4286-969a-ff57fe326336`)
			`* Protects the password storage with BCrypt`
			`* Lets the user log out`
			`* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention`
			`* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection`
			`* Security Header integration`
			`** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests`
			`** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration`
			`** Cache Control (can be overridden later by your application to allow caching of your static resources)`
			`** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration`
			`** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]`
			`* Integrate with the following Servlet API methods:`
			** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[`HttpServletRequest#getRemoteUser()`]
			** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[`HttpServletRequest.html#getUserPrincipal()`]
			** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[`HttpServletRequest.html#isUserInRole(java.lang.String)`]
			** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[`HttpServletRequest.html#login(java.lang.String, java.lang.String)`]
			** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[`HttpServletRequest.html#logout()`]