Spring Security With Spring Boot 2.0: Authentication Using the Servlet Stack

Spring Security, in combination with Spring Boot 2.0, makes it easy to secure your endpoints and set up authentication. Here's a brief guide.


Spring Security is a great framework. In addition to saving time, it is flexible enough to be customized to suit your own needs. As Spring evolves, so does Spring Security, making it easier to set up security in your project.

Spring Boot 2.0 is out there, and we will take advantage of it for our security projects.

In this project, we aim at creating as simple a security-backed project as possible. To get started, we shall create a simple Spring Boot 2.0 project.

For that, we can use the Spring Initializr application.

The end result of this process will be a Spring Boot 2 project with Gradle.

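buildscript {
    ext {
        springBootVersion = '2.0.1.RELEASE'
    }
    repositories {
        mavenCentral()
    }
    dependencies {
        // Spring Boot Gradle plugin, pinned to the version declared above
        classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}")
    }
}

apply plugin: 'java'
apply plugin: 'eclipse'
apply plugin: 'org.springframework.boot'
apply plugin: 'io.spring.dependency-management'

group = 'com.gkatzioura.security'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = 1.8

repositories {
    mavenCentral()
}

dependencies {
    // The security starter is what auto-secures the endpoints
    compile('org.springframework.boot:spring-boot-starter-security')
    // The web starter brings in the Servlet stack (Spring MVC)
    compile('org.springframework.boot:spring-boot-starter-web')
}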

Be aware that with Spring Boot 2 there are two stacks to choose from: the Servlet stack or the WebFlux reactive stack. In this tutorial we shall use the Servlet stack. We will cover WebFlux in another tutorial.

Let's go and add our first controller.

package com.gkatzioura.security.simple.controller;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloWorldController {

    // GET /hello?name=... ; the "name" query parameter is bound by parameter name
    @GetMapping("/hello")
    public ResponseEntity<String> hello(String name) {
        return new ResponseEntity<>("Hello " + name, HttpStatus.OK);
    }
}

If we try to access the endpoint http://localhost:8080/hello?name=john, we will be presented with a login screen.

Thus, including the security dependency in our project auto-secures our endpoints and configures a user with a password.

In order to retrieve the password, you can check at the login screen. The username will be 'user' and the password will be the one that Spring autogenerates.

Of course, using an autogenerated password is not sufficient, so we are going to provide a username and password of our choice.

One of the ways to do that is to set your username and password in the application.yaml file:

spring.security.user:
  name: test-user
  password: test-password

Putting passwords on the file system, especially unencrypted, is not good practice, and it is worse still to upload them to your version control system, which is what happens here since application.yaml is a source file. Also, anyone with access to the binary can retrieve the username and password.

Therefore, instead of putting this sensitive information in the application.yaml file, you can set it by using environment variables.

So your environment variables would be:
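The names follow from Spring Boot's relaxed binding of the `spring.security.user.name` and `spring.security.user.password` properties. The script below is an added example, not code from the original article: it derives the variable names and refuses to launch when the credentials are missing from the environment or a literal password is still present in application.yaml. The function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: pre-launch check for the credential setup described above.
# Function names are hypothetical; they are not part of Spring Boot.

# Spring Boot relaxed binding for environment variables:
# remove dashes, replace dots with underscores, upper-case the result.
spring_env_name() {
    printf '%s\n' "$1" | sed 's/-//g; s/\./_/g' | tr '[:lower:]' '[:upper:]'
}

# Return 0 if the YAML file sets spring.security.user.password to a literal
# value (a ${...} placeholder is not counted). Handles nested and dotted keys.
has_hardcoded_password() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        {
            indent = $0; sub(/[^ ].*/, "", indent); depth = length(indent)
            key = substr($0, depth + 1); sub(/:.*/, "", key)
            val = substr($0, depth + 1); sub(/^[^:]*:[ ]*/, "", val)
            while (n > 0 && ind[n] >= depth) n--     # pop siblings and deeper levels
            n++; ind[n] = depth; name[n] = key
            path = name[1]
            for (i = 2; i <= n; i++) path = path "." name[i]
            if (path == "spring.security.user.password" && val != "" && index(val, "${") != 1)
                found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Return 0 only if both credentials are supplied through the environment
# and the YAML file passed as $1 carries no literal password.
preflight() {
    for prop in spring.security.user.name spring.security.user.password; do
        var=$(spring_env_name "$prop")
        eval "val=\${$var:-}"
        [ -n "$val" ] || { echo "missing $var" >&2; return 1; }
    done
    if has_hardcoded_password "$1"; then
        echo "literal password found in $1" >&2
        return 1
    fi
}

# Usage (values from the article; the file and jar paths are placeholders):
#   export SPRING_SECURITY_USER_NAME=test-user
#   export SPRING_SECURITY_USER_PASSWORD=test-password
#   preflight src/main/resources/application.yaml && java -jar <your-app>.jar
```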


To sum up, this was the easiest and fastest way to add security to your project. In the next post, we will do the same thing, but using the WebFlux reactive stack.
