This guide explains how to configure Spring Security with Java configuration instead of XML in a clear and practical way for Spring Boot applications. As of 2025, the preferred approach is a SecurityFilterChain bean rather than the deprecated WebSecurityConfigurerAdapter.
Adding Spring Security to Your Project
Include the Spring Security starter in your build configuration:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
This single dependency brings in the core security support: authentication, CSRF protection, the security filter chain, and a default login form.
Java-Based Security Configuration
Spring Security allows you to define configurations using Java classes and annotations like @Configuration and @EnableWebSecurity.
Example: In-Memory Authentication with Form Login
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Every request must be authenticated; unauthenticated users are sent to the default login form.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // A single in-memory user. withDefaultPasswordEncoder() is for demos only; see the best practices below.
    @Bean
    public UserDetailsService userDetailsService() {
        var user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
This setup ensures every endpoint requires authentication, provides a default login form, supports logout, and protects against common exploits like CSRF and session fixation.
Registering Security in Servlet Environments
In a non-Spring Boot servlet application, register the Spring Security filter chain using AbstractSecurityWebApplicationInitializer:
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Registers the springSecurityFilterChain for every URL without a web.xml entry.
public class SecurityWebApplicationInitializer
        extends AbstractSecurityWebApplicationInitializer {
}
This class automatically registers the security filter chain for all URLs. In a mixed MVC application, make sure the security configuration class (SecurityConfig in the example above) is loaded alongside your other configuration classes.
Securing Specific REST Endpoints
Use Java configuration to restrict access by roles and enable form login:
http
    .authorizeHttpRequests(auth -> auth
        .requestMatchers("/api/public/**").permitAll()
        .requestMatchers("/api/admin/**").hasRole("ADMIN")
        .anyRequest().authenticated()
    )
    .formLogin(Customizer.withDefaults());
Optionally disable CSRF protection with .csrf(csrf -> csrf.disable()) (the Spring Security 6 lambda form of .csrf().disable()) for stateless APIs authenticated with JWT bearer tokens, where no session cookie exists for a CSRF attack to ride on.
Key Benefits of Java Configuration
- Eliminates XML, giving a more readable and maintainable setup.
- Java-based classes allow compile-time checking and fast iteration.
- Brings stronger alignment with modern Spring Boot and Spring Security 6 standards.
- Leverages default security headers and protection mechanisms automatically.
Best Practices for Production Use
- Always use a secure password encoder instead of withDefaultPasswordEncoder(); use BCryptPasswordEncoder or stronger.
- For database-backed users, implement UserDetailsService to load users from persistent storage.
- Restrict CORS and CSRF policies explicitly for APIs.
- Rotate credentials and enforce strong password policies or token-based authentication.
FAQs
What replaces WebSecurityConfigurerAdapter in Spring Security 6?
Define a SecurityFilterChain @Bean method that configures HttpSecurity. The older adapter class is deprecated.
How is CSRF protection handled by default?
It is enabled automatically. It is advisable to disable CSRF protection explicitly when using stateless authentication like JWT, since without a session cookie there is nothing for a cross-site request to ride on.
How to add role-based access control?
Use .hasRole("ADMIN") or .hasAuthority("ROLE_USER") within the authorizeHttpRequests() configuration. hasRole("ADMIN") matches the authority ROLE_ADMIN, so the two forms differ only in whether the ROLE_ prefix is written out.
Can Spring Security serve a custom login page?
Yes. Use .loginPage("/login") and configure controller/view templates for custom forms.
How to secure a REST API using HTTP Basic or JWT?
Disable the default form login, enable HTTP Basic with http.httpBasic(Customizer.withDefaults()), or configure JWT token filters, and disable sessions with http.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)).
What security headers are enabled by default?
Spring Security sets HTTP Strict Transport Security (only on HTTPS requests), X-Frame-Options, X-XSS-Protection (sent as 0 since Spring Security 5.8, because the legacy filter is unsafe), Cache-Control, and X-Content-Type-Options automatically.