Spring Security

What is Spring Security

Spring Security is a framework for building secure Java enterprise applications; it provides security features such as authentication and authorization out of the box. It takes care of the security concerns that would otherwise have to be built by hand in a non-Spring application, and it fits into the application's server environment.

Authentication and authorisation are the two key areas of application security that this framework focuses on.

Authentication - the process of identifying the user who wants access.
Authorisation - the process of deciding whether that user is allowed to perform an action in the application.




Why Spring Security


Application security framework
  • Login/logout functionality
  • Allow/block access to URLs for logged-in users.
  • Allow/block access to URLs for logged-in users with certain roles.

Handles common vulnerabilities
  • Session fixation
  • Clickjacking
  • Cross-site request forgery (CSRF)
Widely adopted


What Spring Security can do

Username/password authentication
SSO / Okta / LDAP
App-level authorization
Intra-app authorization such as OAuth
Microservice security
Method level security


Spring Security default behaviour

  • Adds mandatory authentication for URLs
  • Adds a login form
  • Handles login errors
  • Creates a user and sets a default password


How Authentication Works In Spring Security

Architecturally, Spring Security is essentially a chain of Servlet filters, each designed for a specific purpose. Spring supports several authentication mechanisms, such as HTTP Basic, form-based login, OAuth, and so on.

All of these mechanisms are handled by specific filters that extend AbstractAuthenticationProcessingFilter. This filter therefore handles the authentication requests, and we'll refer to it as the Authentication Filter throughout this post.

How to configure Spring Security

Create a configuration class that:
  1. Is annotated with @EnableWebSecurity.
  2. Extends WebSecurityConfigurerAdapter.

WebSecurityConfigurerAdapter

WebSecurityConfigurerAdapter is a convenience class that allows customization of both WebSecurity and HttpSecurity. Two of its configure(...) methods do the work:

1 - AuthenticationManagerBuilder : configures how authentication is actually performed (where users come from and how their credentials are checked).

2 - HttpSecurity : configures which paths exist and what access restrictions apply to each of them.
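A minimal configuration class that wires both pieces together, added here as an example rather than code from the original post. It assumes Spring Security 5.x, where WebSecurityConfigurerAdapter is still available (it was removed in 6.x); the class name, the URL paths and the two in-memory accounts with their passwords are made up for the illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical configuration class written for this example (Spring Security 5.x style).
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Passwords are stored and compared as bcrypt hashes, never as plaintext.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // 1 - AuthenticationManagerBuilder: WHO can log in and how credentials are checked.
    // Two constructed in-memory accounts stand in for a real user store (JDBC, LDAP, ...).
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("alice").password(passwordEncoder().encode("alice-pass")).roles("USER")
            .and()
            .withUser("admin").password(passwordEncoder().encode("admin-pass")).roles("USER", "ADMIN");
    }

    // 2 - HttpSecurity: WHICH paths exist and what access restrictions apply to them.
    // Rules are evaluated top to bottom, so the most specific patterns come first.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/public/**").permitAll()          // anonymous access allowed
                .antMatchers("/admin/**").hasRole("ADMIN")           // restricted to one role
                .antMatchers("/user/**").hasAnyRole("USER", "ADMIN") // any logged-in role
                .anyRequest().authenticated()                         // everything else needs a login
                .and()
            .formLogin()                                              // default login form + error handling
                .and()
            .logout();                                                // default /logout endpoint
        // CSRF protection and session-fixation protection are on by default;
        // nothing in this configuration switches them off.
    }
}
```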

