In this quick post, I’d like to help you find the correct answer to the question “Is the @EnableWebSecurity annotation necessary in Spring?” The answer is both Yes and No. Read on for details.

You know, in Java application development with the Spring framework and Spring Security, you typically use the @EnableWebSecurity annotation in a configuration class to enable web security configurations. For example:

@Configuration
@EnableWebSecurity
public class AppSecurityConfig   {
     
	// security configurations... 
}

However, have you noticed that when you forget to use this annotation, the security of your application still works as expected? Is there something wrong? What’s the truth?

 

1. When is the @EnableWebSecurity Annotation mandatory?

You must use this annotation in Java projects that use only the Spring framework (no Spring Boot). Use it to let Spring Security implement some basic configurations for HTTP security, web security and exploit protection. There are no auto configurations in non-Spring Boot projects so you have to specify this annotation in a configuration class. Otherwise, you will have to write quite a lot of code for basic security configurations, which is time-consuming and error-prone.

2. When is the @EnableWebSecurity Annotation is optional?

In Spring Boot projects, it’s optional to use the @EnableWebSecurity annotation because when Spring Security is present in the classpath, the SecurityAutoConfiguration class imports the SpringBootWebSecurityConfiguration class:

...
@Import({ SpringBootWebSecurityConfiguration.class, ... })
public class SecurityAutoConfiguration {

	...

}

Then the SpringBootWebSecurityConfiguration class adds the @EnableWebSecurity annotation like this:

class SpringBootWebSecurityConfiguration {

	...
	@ConditionalOnClass(EnableWebSecurity.class)
	@EnableWebSecurity
	static class WebSecurityEnablerConfiguration {

	}
}

This means Spring Security auto-configuration feature, which is activated by Spring Boot auto-configuration when it finds Spring Security in the classpath, will end up using the @EnableWebSecurity annotation. That’s the reason why you don’t have to use this annotation explicitly in Spring Boot projects. Makes sense now?

 

Reference:

• EnableWebSecurity Annotation Javadocs

 

 

Other Spring Annotations:

• Spring @Service Annotation Examples
• Spring @Component Annotation Examples
• Spring @Repository Annotation Examples
• Spring @Configuration Annotation Examples
• Spring @Controller Annotation Examples
• Spring @RestController Annotation Examples
• Spring @Bean Annotation Examples

 

Complete Spring framework Tutorials

 

Complete Spring Security Tutorials

 

In Spring Boot projects, it’s optional to use the @EnableWebSecurity annotation because when Spring Security is present in the classpath, the SecurityAutoConfiguration class imports the SpringBootWebSecurityConfiguration class: