Table of Contents
- What is Spring Security?
- Core Features of Spring Security
- How Spring Security Works
- Spring Security Architecture
- Adding Spring Security to a Spring Boot Application
- Default Behavior and Auto-Configuration
- Summary
1. What is Spring Security?
Spring Security is a powerful and customizable authentication and access control framework for Java applications, especially those built using the Spring framework. It is the de facto standard for securing Spring-based applications.
Spring Security offers comprehensive security services for:
- Authentication – verifying the identity of users.
- Authorization – controlling access to resources based on roles/permissions.
It supports a wide range of security features including form-based login, OAuth2, JWT, LDAP, method-level security, and much more.
2. Core Features of Spring Security
Spring Security comes with a rich set of security features:
- Authentication and Authorization: built-in support for user login and role-based access control.
- Password Encoding: a PasswordEncoder abstraction backed by adaptive hashes (BCrypt, SCrypt, Argon2, PBKDF2). The default DelegatingPasswordEncoder stores the algorithm as an {id} prefix (for example {bcrypt}) and refuses to match a stored password that has no prefix, so plain-text storage only works if you explicitly opt in with {noop}.
- Security Headers: protective response headers are added by default, including X-Content-Type-Options: nosniff, X-Frame-Options: DENY (clickjacking), Cache-Control: no-store for secured responses and, on HTTPS requests, Strict-Transport-Security.
- CSRF Protection: Cross-Site Request Forgery protection is enabled by default for state-changing methods (POST, PUT, PATCH, DELETE); GET, HEAD, OPTIONS and TRACE are not checked.
- Session Management: session fixation protection (the session id is changed on login), limits on concurrent sessions per user, and session invalidation on logout.
- Method-Level Security: methods are secured with annotations such as @PreAuthorize, @PostAuthorize and @Secured, enabled with @EnableMethodSecurity.
- Integration: works with OAuth2/OpenID Connect (as client and as resource server), LDAP, SAML 2.0 and custom authentication providers.
3. How Spring Security Works
Spring Security is implemented as a chain of servlet filters. Spring Boot registers one filter with the servlet container (springSecurityFilterChain, a DelegatingFilterProxy); it delegates to a FilterChainProxy, which picks the first SecurityFilterChain whose request matcher matches the incoming request and runs that chain's filters in order. Your controller code runs only after the whole chain has let the request through.
Basic Flow:
- A user sends a request to a secured resource.
- The request hits the Security Filter Chain, which finds the first authorization rule that matches the request and checks whether it requires authentication.
- If it does, Spring Security checks whether the request carries a valid authentication (an existing session, HTTP Basic credentials, a bearer token) and whether that principal has the required authority.
- If authenticated and authorized, the request reaches the controller. Otherwise the configured AuthenticationEntryPoint or AccessDeniedHandler answers instead: an unauthenticated request gets 401 when HTTP Basic is the entry point, or a 302 redirect to the login page when form login is, while an authenticated request without the required authority gets 403.
The filters in the chain can handle:
- Logging in/out
- Validating session or tokens
- CSRF validation
- Applying security headers
4. Spring Security Architecture
Key components in Spring Security:
- SecurityFilterChain: the ordered list of filters applied to every request that matches its request matcher. You can define several, for example one for /api/** and one for browser pages; the first chain whose matcher matches wins.
- AuthenticationManager: processes authentication requests. The default implementation, ProviderManager, delegates to one or more AuthenticationProviders; DaoAuthenticationProvider is the one that checks a username and password against a UserDetailsService and a PasswordEncoder.
- UserDetailsService: a single-method interface (loadUserByUsername) that loads a user's UserDetails from wherever you keep them: memory, a database, LDAP.
- GrantedAuthority: a permission string attached to the authenticated principal. Roles are authorities with a ROLE_ prefix, so hasRole("ADMIN") checks for the authority ROLE_ADMIN.
- SecurityContext: holds the current Authentication. It is reached through SecurityContextHolder, which uses a ThreadLocal by default, so it is available anywhere on the request thread but is not propagated automatically to threads your code starts itself.
- PasswordEncoder: hashes passwords before they are stored and compares a submitted password against the stored hash; BCryptPasswordEncoder is the usual choice.
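The following is an added example, not code from the original page, showing how the components above are wired in a Spring Boot application: a PasswordEncoder bean, a UserDetailsService bean that Boot's DaoAuthenticationProvider picks up automatically, and a controller that reads the current Authentication from the SecurityContext. The package name, class names, the /whoami path and the users alice and admin with their passwords are assumed demo values.

```java
// Added example (not part of the original page). Package, class names,
// usernames, passwords and the /whoami path are assumed demo values.
package com.example.demo.security;

import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class UserStoreConfig {

    // PasswordEncoder: BCrypt with work factor 12 (library default is 10).
    // Each hash costs roughly a few hundred milliseconds at this setting,
    // which is the point: it slows down offline guessing of a leaked hash.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    // UserDetailsService: where users are loaded from. In-memory here; a
    // JPA- or LDAP-backed implementation returns the same UserDetails contract.
    // Defining this bean makes Spring Boot drop its auto-generated "user".
    // DaoAuthenticationProvider finds this bean and the PasswordEncoder bean
    // by type, so no further wiring is required.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Passwords are hashed once at startup; only the hashes stay in memory.
        UserDetails alice = User.withUsername("alice")
                .password(encoder.encode("alice-password"))   // assumed demo credential
                .roles("USER")                                  // stored as authority ROLE_USER
                .build();
        UserDetails admin = User.withUsername("admin")
                .password(encoder.encode("admin-password"))   // assumed demo credential
                .roles("USER", "ADMIN")                         // ROLE_USER and ROLE_ADMIN
                .build();
        return new InMemoryUserDetailsManager(alice, admin);
    }
}

@RestController
class WhoAmIController {

    // Spring MVC resolves the Authentication argument from the request's
    // SecurityContext (SecurityContextHolder, ThreadLocal-backed by default),
    // so the controller never touches the holder directly.
    @GetMapping("/whoami")
    public Map<String, Object> whoAmI(Authentication authentication) {
        List<String> authorities = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .toList();
        return Map.of("name", authentication.getName(),
                      "authorities", authorities);
    }
}
```

With the defaults otherwise untouched, a browser hitting /whoami is redirected to the generated login page; after logging in as admin the response lists ROLE_USER and ROLE_ADMIN. Because the authorities carry the ROLE_ prefix, hasRole("ADMIN") in an authorization rule matches this user.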
5. Adding Spring Security to a Spring Boot Application
Step 1: Add Dependency
In pom.xml (no version is needed when the project inherits from spring-boot-starter-parent or imports the Spring Boot BOM):
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
Or for Gradle:
implementation 'org.springframework.boot:spring-boot-starter-security'
Step 2: Default Behavior
Once the dependency is added, Spring Boot auto-configures basic security:
- All endpoints are secured by default.
- A login form is available at /login.
- A default in-memory user named user is created with a password generated at startup.
On application startup the generated password (a random UUID, different on every restart) is printed in the logs at WARN level:
Using generated security password: 9d5b6142-XXXX-XXXX
Log in with the username user and that password. The log message itself states that the generated password is for development use only. Before deploying, either set spring.security.user.name and spring.security.user.password (a value with an {id} prefix such as {bcrypt} is used as an already-hashed password) or, better, define your own UserDetailsService bean, which makes Boot drop the generated user entirely.
6. Default Behavior and Auto-Configuration
When Spring Security is included:
- All HTTP endpoints require authentication.
- A login page is auto-generated at /login.
- HTTP Basic and form-based authentication are both enabled.
- CSRF protection is enabled, so any POST from a form or script must carry the CSRF token or it is rejected with 403.
- Static resources (CSS, JS, images) are not exempt. Spring Boot 1.x ignored /css/**, /js/**, /images/**, /webjars/** and favicon.ico by default; since Spring Boot 2.0 they are secured like everything else and must be permitted explicitly if they should be public.
You can customize this behavior with a configuration class that exposes a SecurityFilterChain bean. The lambda-style DSL below is the current form; the older chained style with .and() is deprecated since Spring Security 6.1 and is removed in 7.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Rules are evaluated in order; the first matcher that matches wins,
            // so the catch-all anyRequest() must come last.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            // Everything not mentioned here (CSRF, headers, logout) keeps its default.
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
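The example below is added here and is not code from the original page. It goes beyond the single chain above to the pattern a practitioner usually ends up with: one stateless chain for an API under /api/** and a separate session-based chain for browser pages, plus method-level rules enabled with @EnableMethodSecurity. The package, class names, paths (/api/**, /api/public/**, /api/admin/**, /admin/**, /public/**) and the ReportService methods are assumed for illustration; the SpEL expression that references the owner parameter by name relies on the compiler's -parameters flag, which the Spring Boot Maven and Gradle plugins enable by default.

```java
// Added example (not part of the original page). Package, class names, paths
// and the ReportService methods are assumed for illustration.
package com.example.demo.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity   // enables @PreAuthorize / @PostAuthorize on beans
public class SecurityConfig {

    // Chain 1: stateless API. FilterChainProxy tries chains in @Order; this one
    // only claims requests under /api/**, everything else falls through to chain 2.
    @Bean
    @Order(1)
    public SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")   // needs ROLE_ADMIN
                .anyRequest().authenticated())
            // HTTP Basic entry point: an unauthenticated request gets 401, not a redirect.
            .httpBasic(Customizer.withDefaults())
            // No HttpSession is created or used; credentials must come on every request.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF protection defends against browsers attaching cookies automatically.
            // This chain authenticates only via the Authorization header and keeps no
            // session, so the token check is switched off here and only here.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Chain 2: browser-facing pages. No securityMatcher, so it matches everything
    // chain 1 did not claim; it must therefore be ordered last.
    @Bean
    @Order(2)
    public SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**", "/css/**", "/js/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // Form login entry point: an unauthenticated request is redirected to /login.
            .formLogin(Customizer.withDefaults())
            // CSRF stays on (the default) because this chain relies on the session cookie.
            .logout(Customizer.withDefaults());
        return http.build();
    }
}

// Method-level rules are enforced by a proxy around the bean, after the filter chain
// has populated the SecurityContext. They also protect callers that never went
// through HTTP at all (scheduled jobs, message listeners, other services).
@Service
class ReportService {

    @PreAuthorize("hasRole('ADMIN')")
    public String exportAll() {
        return "all reports";
    }

    // Object-level check: the caller may read only their own reports unless they are admin.
    // "authentication" in the expression is the Authentication from the SecurityContext.
    @PreAuthorize("#owner == authentication.name or hasRole('ADMIN')")
    public String exportFor(String owner) {
        return "reports for " + owner;
    }
}
```

A request to /api/admin/stats without credentials gets 401 from the API chain, while /admin/stats without a session gets a 302 to /login from the web chain; both return 403 for a user who has only ROLE_USER. If exportFor is called for a different owner by that same user, the proxy throws AccessDeniedException before the method body runs, which the web layer also turns into 403.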
7. Summary
Spring Security is a full-featured, highly customizable framework for securing Java applications. Its plug-and-play integration with Spring Boot makes it easy to set up authentication and authorization for your REST APIs or web applications.
Key Points:
- It provides robust security features including CSRF, headers, sessions, and method-level access control.
- Security is applied through a filter chain that intercepts and processes every request.
- Once integrated, all endpoints are protected by default until explicitly configured.
In upcoming modules, we will cover:
- Custom user details and authentication providers
- JWT-based security
- Role-based access control
- Method-level and endpoint-level security
- Integration with Spring Boot APIs
This foundational understanding is essential as we dive deeper into securing real-world applications using Spring Security.