Spring Security Tutorial


In this tutorial, we will learn about the Spring Security framework. We will start with the basics and go through the configuration of various frameworks to work with Spring Security. We will also do some hands-on coding to perform CRUD operations using Spring Security.

What is Spring Security?

Spring Security is one of the most popular Spring projects for securing a Spring or Spring Boot based application. It provides many built-in features for implementing authentication and authorization in our application.

Spring Security started in late 2003 as The Acegi Security System for Spring, a simple Spring-based security implementation. In May 2006, after use in numerous production systems and many community improvements and bug fixes, version 1.0.0 was released. By the end of 2007, Acegi Security System was rebranded as Spring Security and became an official Spring Portfolio project.

What is Authentication?

Authentication ensures that the user or client is who they claim to be. Spring Security enables us to perform authentication in many ways. It supports Basic Authentication, LDAP authentication, JDBC authentication, etc.

What is Authorization?

Authorization determines whether the user has permission to perform an action. If our application is a complex one, with different kinds of users such as admins, regular users and other less privileged users, we need to maintain access control in our application. For example, a guest user should not be able to access admin content. So, to control access to the various resources within our application, we need to check whether a user has permission to access each resource. Spring Security supports roles, claims, etc. to provide user-level authorization.

Authentication Methods supported by Spring Security

Spring Security supports a large set of authentication models. Most of these authentication models are either provided by third parties or developed by standards bodies such as the Internet Engineering Task Force (IETF). Because it integrates with such a wide set of third-party authentication models, Spring Security is very popular among developers. Spring also provides its own authentication features. The following list shows the various authentication methods supported by Spring Security.

  • HTTP BASIC authentication headers

  • HTTP Digest authentication headers

  • HTTP X.509 client certificate exchange

  • LDAP

  • Form-based authentication

  • OpenID authentication

  • Authentication based on pre-established request headers

  • JA-SIG Central Authentication Service, an open source single sign-on system

  • Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker

  • Remember Me

  • Anonymous authentication

  • Run-as authentication

  • Java Authentication and Authorization Service (JAAS)

  • JEE container authentication

  • Kerberos

  • Java Open Source Single Sign On (JOSSO)

  • OpenNMS Network Management Platform

  • AppFuse

  • AndroMDA

  • Mule ESB

  • Direct Web Request (DWR)

  • Grails

  • Tapestry

  • JTrac

  • Jasypt

  • Roller

  • Elastic Path

  • Atlassian Crowd

We can also integrate our own custom authentication mechanism with Spring Security.

Audience

This tutorial will be useful for graduates, post graduates, and research students who either have an interest in this subject or have this subject as a part of their curriculum. The reader can be a beginner or an advanced learner.

Prerequisites

There are no mandatory requirements for this tutorial. However, prior knowledge of any or all of the technologies mentioned below will be an added advantage:

  • About 30 minutes

  • Basic Spring Security knowledge

  • A basic understanding of the Apache Solr database

  • A Java-based IDE (Eclipse, STS or IntelliJ IDEA)

  • JDK 1.8 or later

  • Gradle 4+ or Maven 3.2+

  • Apache Solr installed
