Spring Security is a framework that allows a programmer to use JEE components to set security limitations on Spring-framework-based Web applications. In a nutshell, it's a library that can be utilized and customized to suit the demands of the programmer. Because it is part of the same Spring family as Spring Web MVC, the two work well together. Its major function is to manage authentication and authorization at both the Web request and method invocation levels. Perhaps the most significant benefit of this framework is that it is both strong and very adaptable. Although it adheres to Spring's setup conventions, programmers may select between the default provisions and customize them to their specific requirements. Spring Security works on the following four core concepts:
- Authentication
- Authorization
- Password Storage
- Servlet Filters
Advantages of Spring Security
These are some of the major advantages of Spring Security:
- Protection against attacks like session fixation, and clickjacking.
- Spring MVC integration.
- Support for Java configuration.
- Portable
- Integration of Servlet API
- Protection against brute-force attacks.
Maven Setup for Spring Security
For setting up spring-security-core:
You have to add the following dependency inside your pom.xml file.
```xml
<!-- Version properties, declared once and reused by the dependencies -->
<properties>
    <spring-security.version>5.3.4.RELEASE</spring-security.version>
    <spring.version>5.2.8.RELEASE</spring.version>
</properties>

<!-- Place this inside the <dependencies> element of pom.xml -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${spring-security.version}</version>
</dependency>
```
For setting up spring-security-web:
You have to add the following dependency inside your pom.xml file.
```xml
<!-- Place this inside the <dependencies> element of pom.xml -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring-security.version}</version>
</dependency>
```
Spring Security Features
- Authorization
- Single sign-on
- Software Localization
- Remember-me
- LDAP (Lightweight Directory Access Protocol)
- JAAS (Java Authentication and Authorization Service) LoginModule
- Web Form Authentication
- Digest Access Authentication
- HTTP Authorization
- Basic Access Authentication
1. Authorization
This functionality is provided by Spring Security and allows the user to be authorized before accessing resources. It enables developers to set access controls for resources.
2. Single sign-on
This feature allows a user to utilize a single account (user name and password) to access different apps.
3. Software Localization
This capability enables us to create user interfaces for applications in any language.
4. Remember-me
With the help of HTTP cookies, Spring Security provides this capability. It remembers the user and spares them from having to log in again from the same workstation until they log out.
5. LDAP (Lightweight Directory Access Protocol)
This is an open application protocol for managing and interacting with distributed directory information services over the Internet Protocol.
6. JAAS (Java Authentication and Authorization Service) LoginModule
This is a Java-based Pluggable Authentication Module. It is supported by Spring Security’s authentication procedure.
7. Web Form Authentication
In this procedure, web forms capture user credentials from the web browser and authenticate them. When we want to build web form authentication, Spring Security supports it.
8. Digest Access Authentication
We can make the authentication procedure more secure with this functionality than with Basic Access Authentication. Before delivering sensitive data over the network, it requests that the browser verify the user’s identity.
9. HTTP Authorization
Using Apache Ant paths or regular expressions, Spring provides this functionality for HTTP authorization of web request URLs.
10. Basic Access Authentication
Spring Security has support for Basic Access Authentication, which is used to give a user name and password when performing network requests.
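The following configuration is an added example, not code from the original article. It shows how several of the features above (URL authorization with Ant paths and regular expressions, web form authentication, Basic authentication and remember-me) are wired together in the Spring Security 5.3 Java configuration style. The class name, URL patterns, role names and remember-me key are hypothetical, and it assumes `spring-security-config` is on the classpath and that a `UserDetailsService` bean is defined elsewhere.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: class name, URL patterns and roles are hypothetical.
// Assumes spring-security-config is available and a UserDetailsService
// bean supplying the users is defined elsewhere in the application.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Rules are evaluated top to bottom and the first match wins,
            // so specific patterns must come before the catch-all rule.
            .authorizeRequests()
                // Ant-style paths: static resources and the login page are public.
                .antMatchers("/css/**", "/login").permitAll()
                // hasRole("ADMIN") checks for the authority ROLE_ADMIN.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Regular-expression matcher for versioned API paths.
                .regexMatchers("/api/v[0-9]+/reports/.*").hasAnyRole("ADMIN", "AUDITOR")
                // Everything not matched above requires a logged-in user.
                .anyRequest().authenticated()
                .and()
            // Web form authentication: credentials are posted from a login page.
            .formLogin()
                .loginPage("/login")
                .and()
            // Basic access authentication for non-browser clients. The header
            // is only base64-encoded, so this must be served over TLS.
            .httpBasic()
                .and()
            // Remember-me: a cookie re-authenticates the browser in later sessions.
            .rememberMe()
                .key("replace-with-a-private-random-key") // placeholder value
                .tokenValiditySeconds(7 * 24 * 60 * 60);  // one week
    }
}
```

Ending the rule list with `anyRequest().authenticated()` means a URL that is added later and matches no explicit rule is protected rather than left open.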
Features Added in Spring Security 5.0
1. OAuth 2.0 Login
This feature allows users to connect to the app using their current GitHub or Google accounts. The Authorization Code Grant defined in the OAuth 2.0 Authorization Framework is used to implement this functionality.
2. Reactive Support
Spring Security 5.0 adds support for reactive programming and reactive web runtimes, as well as the ability to interact with Spring WebFlux.
3. Modernized Password Encoding
Spring Security 5.0 introduces the DelegatingPasswordEncoder, a new password encoder that is more modern and solves all of the issues with the old encoder, NoOpPasswordEncoder.
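The following program is an added example, not code from the original article. It shows what the DelegatingPasswordEncoder does in practice: new hashes are stored with an `{id}` prefix naming the algorithm, legacy plain-text records labelled `{noop}` still verify but are flagged for upgrade, and stored values without a prefix are rejected. The class name and sample passwords are constructed, and `upgradeEncoding` requires Spring Security 5.1 or later.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: class name and sample passwords are constructed.
public class PasswordEncodingDemo {

    public static void main(String[] args) {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // New hashes use the current default algorithm and carry its id
        // as a prefix in the stored value, for example "{bcrypt}$2a$10$...".
        String stored = encoder.encode("correct horse battery staple");
        System.out.println("stored value:     " + stored);
        System.out.println("right password:   "
                + encoder.matches("correct horse battery staple", stored));
        System.out.println("wrong password:   " + encoder.matches("wrong guess", stored));

        // A legacy record kept in plain text is labelled {noop}. It still
        // verifies, so existing users can log in during a migration.
        String legacy = "{noop}hunter2";
        System.out.println("legacy matches:   " + encoder.matches("hunter2", legacy));

        // upgradeEncoding reports whether a stored value should be re-hashed
        // with the default algorithm after the next successful login.
        System.out.println("upgrade legacy:   " + encoder.upgradeEncoding(legacy));
        System.out.println("upgrade current:  " + encoder.upgradeEncoding(stored));

        // A stored value with no {id} prefix is rejected with an exception
        // instead of being silently compared as plain text.
        try {
            encoder.matches("hunter2", "hunter2");
        } catch (IllegalArgumentException e) {
            System.out.println("no prefix:        rejected (" + e.getMessage() + ")");
        }
    }
}
```

The `{noop}` id stores the password unhashed, so it is suitable only as a migration label for existing records, with each record re-encoded once `upgradeEncoding` returns true.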
Last Updated: 29 Apr, 2022