A Comprehensive Guide to Spring Security
Spring Security is a powerful and customizable authentication and access-control framework that is used to secure Spring-based applications. It’s a standard in the industry for securing Spring-based applications, particularly for projects requiring complex security requirements. In this guide, we will explore the core functionalities of Spring Security and how it maintains the integrity of applications.
An Introduction to Spring Security
Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.
Why Use Spring Security
Spring Security offers a comprehensive security solution for Java applications. The benefits of using Spring Security include:
-
Comprehensive and extensible: It provides protection against attacks like session fixation, clickjacking, cross-site request forgery, and others.
-
Declarative security via annotations: It integrates with Spring MVC seamlessly, offering method-level security using simple annotations.
-
Community and maintenance: It is actively maintained and has a large and active community of users, making it a reliable choice for securing your Spring applications.
Core Components of Spring Security
Authentication
In the context of Spring Security, authentication is the act of verifying the identity of an application user. Spring Security provides an Authentication object representing this information.
Authorization
Once authentication is successful, authorization is the next step. It is handled by the AccessDecisionManager which answers the question, “what authenticated users are allowed to do.”
Principal
A principal in Spring Security is an entity that is being authenticated. In a regular web application, this would be the logged-in user.
Granted Authority
Granted authorities are the permissions granted to a principal. It’s a way of specifying what a principal can do.
Configuring Spring Security
Spring Security can be added to your Spring application by adding the following dependencies to your Maven pom.xml:
1
2
3
4
5
6
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>
Spring Security will automatically secure all HTTP endpoints in your application once the dependency is added.
You can configure Spring Security by creating a configuration class annotated with @EnableWebSecurity:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
package org.mengsoft.adminbackend.common.config;
import org.mengsoft.adminbackend.entity.SysUser;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* Spring Security Config
* @program: admin-backend
* @Site www.mengsoft.org
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.cors()
.and()
.csrf()// We don't need CSRF for JWT based authentication
.disable()
.sessionManagement()// Stateless
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(HttpMethod.GET, // Static resources
"/",
"/*.html",
"/favicon.ico",
"/**/*.html",
"/**/*.css",
"/**/*.js",
"/swagger-resources/**",
"/v2/api-docs/**"
)
.permitAll()
.antMatchers("/admin/login", "/admin/register")// Login and Register should be allowed without authentication
.permitAll()
.antMatchers(HttpMethod.OPTIONS)// OPTIONS requests should be allowed without authentication
.permitAll()
// .antMatchers("/**")// For test
// .permitAll()
.anyRequest()// Authenticate all other requests
.authenticated();
// Disable cache
httpSecurity.headers().cacheControl();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService())
.passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
The above configuration will secure all HTTP endpoints except static resources. It enables form-based login and register for all users.
Conclusion
While this guide offers an introduction to Spring Security and its essential concepts, remember that this is just the beginning. The framework has extensive features to cater to various complex security needs. With the increasing number of security threats and the need for secure applications, it’s crucial to have a robust and reliable framework such as Spring Security as a part of your application architecture.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Welcome to reprint, and please indicate the source: Lingjun Meng's Blog Keep the content of the article complete and the above statement information!
