What is the username and password when starting Spring Boot with Tomcat?

Confirming Spring Security configuration

To begin with, ensure you have the spring-boot-starter-security in your pom.xml file:

<!-- Obligatory joke: What's a developer's favourite pick-up line? "Are you an exception? Let me catch you." -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>


With this dependency, Spring Boot auto-configures a user with the username user and a random password, logged during startup.

Customizing security - Two approaches

Customizing your application security can be done in two ways - through properties files and security configurations.

Using properties files

Bypass auto-generation by setting username and password in your application.properties or application.yml:

spring.security.user.name=myuser
spring.security.user.password=mypassword


Implementing security configurations

For a strong grip, use @EnableWebSecurity and extend the WebSecurityConfigurerAdapter class:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}


You can also define an in-memory authentication with custom details:

//This is where the magic begins
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .inMemoryAuthentication()
        .withUser("customuser").password(passwordEncoder().encode("custompass")).roles("USER");
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}


Preventing common pitfalls in security setup

Property encoding issues

Ensure property encoding is correct. Usernames in properties files should not be quoted to avoid login issues:

# Incorrect
spring.security.user.name="myuser"

# Correct
spring.security.user.name=myuser


Encrypted storage of passwords

Use {bcrypt} or {scrypt} password encoder prefixes for secure storage in properties:

//Who doesn't love hidden treasures?
spring.security.user.password={bcrypt}mypassword


Enhancing your mansion's guard

The SecurityAutoConfiguration class auto-secures the mansion, but adding a-custom InMemoryUserDetailsManager opts for a well-trained guard. Enable CSRF protection and use BCryptPasswordEncoder for encoding.

Consider enabling command-line inputs for dynamic guard switch and watch your logs for traces of intrusion.