Spring Security offers authentication and authorization of our application using basic servlet filters.Web apps are vulnerable to security breaches and threats, as anybody who uses the Internet will access them. Any REST endpoints may have limited access to individual users, such as reviewing records or admin-related tasks, for example.
To secure URLs, we can use Spring Security. By providing efficient , flexible security features such as authentication and authorization, Spring Security is a security system that secures J2EE-based enterprise applications. For securing Spring-based software, it is the de facto standard.
There are mainly four concept on which spring security works
1. Authentication.
2. Authorization
3. Password Storage
4. Servlet Filters
1. Authentication:
Used to confirm that an application is used by an user by providing valid credentials to validate who you are! Authentication is the authentication of the principal (user, system, responsible for executing an operation in an application).
2. Authorization:
It is in addition to authentication. Authenticating users may be enough for a basic application, but let’s think of a wide enterprise application.
⦁ A normal employee will have only limited permission to perform certain operations ( e.g. customer service executive). We do not wish to allow this employee to perform other operations.
⦁ Our back-end product manager was only allowed to work on the products. We do not allow product managers to alter consumer data or order data.
⦁ Ecommerce manager can work with both customer and order information, but product information can not be modified.
⦁ Only System admin can perform all the operations.
With basic authentication, we can’t limit logging in as we don’t have user rights or authorization information. Until the user attempts to access a device, authorization helps to provide this information. It is an access management procedure, determining whether or not it requires an operation to be taken by a principal (access-control → admin, user, manager, leader, contractor, anonymous etc)
3. Password Storage
Ensuring that our passwords are secure and difficult to access is another key objective of every security process. The PasswordEncoder interface of Spring Protection performs a one-way transfer for a password (we can’t decode a password).Spring Security has many PasswordEncoders, below is a list for your reference:
- BCryptPasswordEncoder.
- Argon2PasswordEncoder.
- Pbkdf2PasswordEncoder
- SCryptPasswordEncoder.
4. Servlet Filters
Spring Security uses Java servlet filters to launch the security review of our web application.
Benefits of Spring security
Here are some of the main benefits of Spring Security:
⦁ Servlet API integration.
⦁ Extensible support for both Authentication and Authorization.
⦁ Protection against attacks like session fixation, click jacking.
⦁ Spring MVC integration.
⦁ Ability to secure application against brute force attacks.
⦁ Portability.
⦁ Protection against CSRF attacks.
⦁ Java configuration support
To enable basic spring security for J2EE applications, we follow the three steps below.
- Add required jar into our project
- Declear filter in pom.xml
- Configuration of Java using SecurityConfiguration class
Security Modules
The security module consists of separate jar files centered on their configuration. The primary purpose is to allow the user to be integrated in accordance with the requirements. In order to provide minimum spring protection for your Maven project , please include the dependencies in your pom.xml below.
core — (spring-security-core.jar) :– This module provides key authentication and access-contol classes and interfaces, remote support, and basic APIs. It is required by any application that uses Spring Security. Supports standalone programs, remote clients, system (service layer) security, and JDBC user provisioning. Contains the following top-level packages:
⦁ org.springframework.security.core
⦁ org.springframework.security.access
⦁ org.springframework.security.authentication
⦁ org.springframework.security.provisioning
Web — (spring-security-web.jar) :- This module includes filters and the related web security infrastructure files. It includes everything that relies on the servlet API. You need it if you need the Spring Security Web Authentication service and URL-based Access Control.(org.springframework.security.web)
Config — (spring-security-config.jar):- This module provides a security namespace parsing code and a Java configuration code. You need it if you are using the Spring Security XML namespace for configuration or the Spring Security Java Configuration support.(main package org.springframework.security.config)
LDAP — (spring-security-config.jar) :- This module provides the LDAP authentication and distribution code. This is required if you need to use LDAP authentication or manage LDAP user entries.(main package org.springframework.security.ldap)
OAuth 2.0 Core — (spring-security-oauth2-core.jar) :- Core Provides support for the adoption of OAuth 2.0. (main package org.springframework.security.oauth2.core)
OAuth 2.0 Client —(spring-security-oauth2-core.jar) :- Provides support for the adoption of OAuth 2.0. (main package org.springframework.security.oauth2.client)