
Spring Security Architecture

Last Updated : 31 Oct, 2022

Spring Security framework adds two important capabilities to web applications:

  1. Authentication 
  2. Authorization/Access Control

The framework provides protection against common attacks such as Cross-Site Request Forgery (CSRF) and session fixation. It provides a secure, standard way to set up user login in web applications, and thus delivers user authentication and access control quickly.

Spring Security Architecture


Authentication

Authentication is the process of verifying the identity of a user or device before it is allowed to access resources. In Spring Security, the AuthenticationManager interface is responsible for handling authentication requests.

Example (figure): Java AuthenticationManager Interface

The AuthenticationManager method authenticate() has three possible outcomes: it returns a fully populated Authentication object (with authenticated = true) if it can verify the identity; it throws an AuthenticationException if the supplied principal or credentials are invalid; and it returns null if it cannot decide the identity.
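As an added illustration of that three-outcome contract (example code written for this page, not taken from the article or from Spring Security itself), a hypothetical PasswordAuthenticationManager that checks username/password tokens against a UserDetailsService and a PasswordEncoder:

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical AuthenticationManager that only understands username/password tokens.
public class PasswordAuthenticationManager implements AuthenticationManager {
    private final UserDetailsService users;
    private final PasswordEncoder encoder;

    public PasswordAuthenticationManager(UserDetailsService users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
    }

    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        // Outcome 3: not a token type this manager supports -> return null so that
        // another manager (e.g. in a ProviderManager chain) may decide instead.
        if (!(request instanceof UsernamePasswordAuthenticationToken) || request.getCredentials() == null) {
            return null;
        }
        String username = request.getName();
        String rawPassword = request.getCredentials().toString();

        UserDetails user;
        try {
            user = users.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            // Outcome 2: invalid principal. Same message as for a wrong password,
            // so the response does not reveal which usernames exist.
            throw new BadCredentialsException("Bad credentials");
        }
        if (!encoder.matches(rawPassword, user.getPassword())) {
            // Outcome 2: invalid credentials.
            throw new BadCredentialsException("Bad credentials");
        }

        // Outcome 1: identity verified -> fully populated token (authenticated = true).
        // Credentials are dropped (null) so the clear-text password does not stay in the SecurityContext.
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }
}
```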

Authorization/Access Control

Once a user or device is authenticated, the next step is authorization: deciding whether that principal is allowed to perform a given task or operation. In Spring Security, the AccessDecisionManager and AccessDecisionVoter types handle the authorization decision.

Example (figure): Authorization / Access Control

A ConfigAttribute supplies the metadata of a secured object, i.e. the permission required to access it. AccessDecisionVoter implementations evaluate the Spring Expression Language (SpEL) expressions. ConfigAttribute is an interface with a single method that returns a String defining the access-control rule.

Advantages

  • Provides support for Java Configuration
  • Provides support for integration with Spring MVC
  • Provides protection against major security issues
  • Provides efficient portability

Sample Java Configuration File 

// Configuration Java File
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
// Extending WebSecurityConfigurerAdapter is what makes Spring Security
// call configure(HttpSecurity) below
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // method to authenticate by collecting user related data
    @Bean
    public UserDetailsService userDetailsService()
    {
        // Managing the users in the in-memory user store
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();

        // Creating the new user with userid AbhijeetRathore and Password Abhijeet123.
        // withDefaultPasswordEncoder() is for demos only: the password lives in source code.
        manager.createUser(User.withDefaultPasswordEncoder()
                               .username("AbhijeetRathore")
                               .password("Abhijeet123")
                               .roles("USER")
                               .build());

        // returns User detail service
        return manager;
    }

    // configuring HTTP Security
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        // every request requires the USER role (the role granted in
        // userDetailsService() above) and users log in with HTTP Basic
        http.authorizeRequests()
            .anyRequest()
            .hasRole("USER")
            .and()
            .httpBasic();
    }
}