Introduction to Spring Security and its Features

Spring Security is one of the projects maintained by the Spring team and is built on the Spring framework in Java. Its aim is to make it easy for developers to secure web applications against common exploits such as Cross-Site Request Forgery (CSRF). It contains code that can be customized or used as-is, depending on the use case. Its main job is to manage authentication and authorization at both the web-request and method-invocation levels. Internally, the framework is a chain of servlet filters, each handling one aspect of security. Although it follows Spring's configuration conventions, developers may accept the defaults or tailor them to their own requirements. Spring Security is built around the following four core concepts:

  • Authentication – Is the user really who they claim to be?
  • Authorization – Does the user have the role required for the resource?
  • Password Storage – How are passwords stored: in memory or in a database?
  • Servlet Filters – Do we need to add filters of our own, or are the defaults provided by the Spring team enough?

Advantages of Spring Security

These are some of the major advantages of Spring Security:

  • Protection against attacks such as session fixation, CSRF and clickjacking.
  • Spring MVC integration.
  • Support for Java-based configuration.
  • Portable.
  • Servlet API integration.
  • Protection against brute-force attacks.
  • An active open-source community that ships updates against new exploits.

Maven Setup for Spring Security

For setting up spring-security-core:

Add the following to your pom.xml file. The property holds the Spring Security version and the dependency references it, so the version is declared in one place:

<properties>
    <spring-security.version>6.0.2.RELEASE</spring-security.version>
    <spring.version>5.2.8.RELEASE</spring.version>
</properties>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${spring-security.version}</version>
</dependency>

For setting up spring-security-web:

Add the following dependency to your pom.xml file:

<dependencies>
    <!-- ... other dependency elements ... -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
</dependencies>

It is generally good practice to use the Spring Boot security starter: Maven then pulls in the Spring Security version that your Spring Boot release supports, so you do not have to track version compatibility by hand. This avoids version-mismatch bugs and makes dependency management much easier.

Spring Security Features

  1. Authorization
  2. Single sign-on
  3. Software Localization
  4. Remember-me
  5. LDAP (Lightweight Directory Access Protocol)
  6. JAAS (Java Authentication and Authorization Service) LoginModule
  7. Web Form Authentication
  8. Digest Access Authentication
  9. HTTP Authorization
  10. Basic Access Authentication

1. Authorization:

Spring Security authorizes a user before granting access to a resource, and lets developers define access-control rules for those resources.

2. Single sign-on:

This feature lets a user access several applications with a single account (one user name and password).

3. Software Localization:

This capability lets us build application user interfaces in any language.

4. Remember-me:

Spring Security provides this capability with the help of HTTP cookies: it remembers the user so they do not have to log in again from the same workstation until they explicitly log out.

5. LDAP (Lightweight Directory Access Protocol):

LDAP is an open application protocol for managing and querying distributed directory information services over the Internet Protocol.

6. JAAS (Java Authentication and Authorization Service) LoginModule:

This is a Java-based Pluggable Authentication Module; Spring Security's authentication process can delegate to it.

7. Web Form Authentication:

In this procedure, a web form collects the user's credentials in the browser and they are then authenticated on the server. Spring Security supports building web form authentication whenever we need it.

8. Digest Access Authentication:

This functionality makes the authentication procedure more secure than Basic Access Authentication: before sensitive data is sent over the network, it asks the browser to verify the user's identity.

9. HTTP Authorization:

Spring provides HTTP authorization of web request URLs using Apache Ant-style paths or regular expressions.

10. Basic Access Authentication:

Spring Security supports Basic Access Authentication, which sends a user name and password along with network requests.
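The features above come together in a single SecurityFilterChain bean. The configuration below is an added example, not code from the original article: it uses the Spring Security 6 API to wire Ant-style URL authorization, form login, Basic authentication, cookie-based remember-me and CSRF protection. The paths, user names, passwords and remember-me key are made up for the demo.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class DemoSecurityConfig {

    // Authorization: URL rules are evaluated top-down and the first match wins,
    // so the catch-all anyRequest() rule must come last.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()   // Ant-style paths
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())   // web form authentication
            .httpBasic(Customizer.withDefaults())   // basic access authentication
            .rememberMe(remember -> remember.key("demo-remember-me-key")) // cookie-based
            .csrf(Customizer.withDefaults());       // CSRF protection stays enabled
        return http.build();
    }

    // Password storage: never keep plaintext; the delegating encoder defaults to bcrypt.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Authentication: an in-memory user store is enough for a demo. The
    // credentials below are constructed for this example only.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("s3cret")).roles("USER").build(),
            User.withUsername("admin").password(encoder.encode("adm1n")).roles("USER", "ADMIN").build());
    }
}
```

With this in place a request to /admin/reports by alice is refused with 403 even though she is authenticated, while an unauthenticated request is redirected to the login form (or challenged for Basic credentials by a non-browser client).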

Features Added in Spring Security 6.0

1. OAuth 2.0 Login:

This feature lets users sign in to the app with their existing GitHub or Google accounts. It is implemented with the Authorization Code Grant defined in the OAuth 2.0 Authorization Framework.

2. Reactive Support:

Spring Security 6.0 adds support for reactive programming and reactive web runtimes, as well as the ability to interact with Spring WebFlux.

3. Modernized Password Encoding:

Spring Security 6.0 introduces the DelegatingPasswordEncoder, a new way to store passwords. Each stored password is prefixed with the id of the encoder that produced it, in the form {id}encodedPassword, so the framework can pick the matching encoder when it verifies a login. Examples of stored values for the various encoder ids are:

  • {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
  • {noop}password
  • {pbkdf2}5d923b44a6d129f3ddf3e3c8d29412723dcbde72445e8ef6bf3b508fbf17fa4ed4d6b99ca763d8dc
  • {scrypt}$e0801$8bWJaSu2IKSn9Z9kM+TPXfOc/9bdYSrN1oD9qfVThWEwdRTnO7re7Ei+fUZRJ68k9lTyuTeUp4of4g24hHnazw==$OAOec05+bXxvuu/1qZ6NUR+xQYvYv7BeL1QxwRpY5Pc=
  • {sha256}97cde38028ad898ebc02e690819fa220e88c62e0699403e94fff291cfffaf8410849f27605abcbc0
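As an added example (not from the original article), the class below shows how DelegatingPasswordEncoder routes on the {id} prefix: new passwords are encoded with bcrypt, a legacy {noop} entry still verifies but is flagged for upgrade, and a value with no prefix is rejected rather than guessed. The sample passwords and the unprefixed hash are constructed for the demo.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordStorageDemo {

    public static void main(String[] args) {
        // The factory wires bcrypt as the encoder for new passwords and registers
        // the other ids ({noop}, {pbkdf2}, {scrypt}, {sha256}, ...) for matching only.
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // Encoding a new password yields the "{id}encodedPassword" form.
        String stored = encoder.encode("correct horse battery staple"); // constructed sample
        System.out.println(stored);                          // {bcrypt}$2a$10$...
        System.out.println(stored.startsWith("{bcrypt}"));   // true

        // matches() reads the id from the prefix and delegates to that encoder,
        // so a legacy plaintext {noop} entry from an older database still verifies ...
        String legacy = "{noop}password";
        System.out.println(encoder.matches("password", legacy)); // true

        // ... but because {noop} is not the encoder used for new passwords, the
        // entry is reported as needing an upgrade; an application can re-encode it
        // with bcrypt right after a successful login. A fresh bcrypt hash at the
        // default strength does not need upgrading.
        System.out.println(encoder.upgradeEncoding(legacy)); // true
        System.out.println(encoder.upgradeEncoding(stored)); // false

        // A hash with no {id} prefix cannot be routed to any encoder, so the
        // delegating encoder throws instead of silently trying each algorithm.
        String unprefixed = "5f4dcc3b5aa765d61d8327deb882cf99"; // constructed, no {id}
        try {
            encoder.matches("password", unprefixed);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```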

Last Updated : 09 Jan, 2024