As per spring docs
Add this annotation to an
@Configuration
class to have the Spring Security configuration defined in anyWebSecurit
@EnableWebSecurity
is used for spring security java configuration. Add this annotation with @configuration
on top of your security java class that extends WebSecurityConfigurerAdapter
.
Override the configure(WebSecurity web)
& configure(HttpSecurity http)
. This is the replacement of xml based configurations like and . This way you can limit requested urls coming from specific urls also enable form based log in.
The @EnableWebSecurity
is a marker annotation. It allows Spring to find (it's a @Configuration
and, therefore, @Component
) and automatically apply the class to the global WebSecurity
.
If I don't annotate any of my class with
@EnableWebSecurity
still the application prompting for username and password.
Yes, it is the default behavior. If you looked at your classpath, you could find other classes marked with that annotation (depends on your dependencies):
SpringBootWebSecurityConfiguration
;FallbackWebSecurityAutoConfiguration
;WebMvcSecurityConfiguration
.Consider them carefully, turn the needed configuration off, or override its behavior.
The Spring Boot Reference Guide explains well about it. If you search with @EnableWebSecurity
:
To switch off the default web application security configuration completely you can add a bean with
@EnableWebSecurity
(this does not disable the authentication manager configuration or Actuator’s security). To customize it you normally use external properties and beans of typeWebSecurityConfigurerAdapter
(e.g. to add form-based login)....
If you add
@EnableWebSecurity
and also disable Actuator security, you will get the default form-based login for the entire application unless you add a customWebSecurityConfigurerAdapter
....
If you define a
@Configuration
with@EnableWebSecurity
anywhere in your application it will switch off the default webapp security settings in Spring Boot (but leave the Actuator’s security enabled). To tweak the defaults try setting properties insecurity.*
(seeSecurityProperties
for details of available settings) and SECURITY section of Common application properties.
Apparently, it's to switch off the default web application security configuration and add your own.