
Spring Security

Security for Java applications was always a pain for developers, especially in Java Enterprise Edition. There was a lot of boilerplate code to look up objects in the application servers, and the security layer was often heavily customized for the application.

In that chaotic scenario, the Spring Team decided to create the Spring Security project to help developers handle the security layer in Java applications.

In the beginning, the project had extensive support for Java Enterprise Edition and integration with EJB 3 security annotations. Nowadays, the project supports many different ways to handle authorization and authentication for Java applications.

Spring Security provides a comprehensive model to add authorization and authentication for Java applications. The framework can be configured with a couple of annotations, which makes the task of adding a security layer extremely easy. Another important characteristic is how the framework can be extended: there are interfaces that enable developers to customize the default framework behaviors, so the framework can be adapted to different application requirements.

It is an umbrella project, and it is subdivided into these modules:

  • spring-security-core
  • spring-security-remoting
  • spring-security-web
  • spring-security-config
  • spring-security-ldap
  • spring-security-acl
  • spring-security-cas
  • spring-security-openid
  • spring-security-test

These are the main modules, and there are many other projects to support a wide range of types of authentication. The project covers the following authentication and authorization types:

  • LDAP
  • HTTP Basic
  • OAuth
  • OAuth2
  • OpenID
  • CAS
  • JAAS

The project also offers a domain-specific language (DSL) to provide an easy configuration. Let's see a simple example:

    http
        .formLogin()
            .loginPage("/login")
            .failureUrl("/login?error")
            .and()
        .authorizeRequests()
            .antMatchers("/signup", "/about").permitAll()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated();

The example was extracted from the spring.io blog. For more details, go to https://spring.io/blog/2013/07/11/spring-security-java-config-preview-readability/.

As we can see, the DSL makes the configuration task extremely easy and very understandable.
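
The fragment above placed in a complete configuration class, as an added example that is not taken from the book or the spring.io post. It assumes Spring Security 5.x (the API generation the fragment uses); the class name, the in-memory accounts and their passwords are constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Hypothetical class name; written against the Spring Security 5.x API.
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .loginPage("/login")
                .failureUrl("/login?error")
                .permitAll()   // a custom login page must be reachable without a session
                .and()
            .authorizeRequests()
                // Rules are evaluated in declaration order; the first match decides.
                .antMatchers("/signup", "/about").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")   // checks authority ROLE_ADMIN
                // Catch-all goes last: every path not listed above needs a login.
                .anyRequest().authenticated();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Constructed demo accounts held in memory; roles("ADMIN") grants ROLE_ADMIN.
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        PasswordEncoder enc = passwordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(enc.encode("demo-user-pw")).roles("USER").build(),
            User.withUsername("admin").password(enc.encode("demo-admin-pw")).roles("ADMIN").build());
    }
}
```

Because the first matching rule wins, a catch-all such as `anyRequest()` placed before the `/admin/**` rule would shadow it, so specific matchers go first and the catch-all last.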

Spring Security's main features are as follows:

  • Session management
  • Protection against attacks (CSRF, session fixation, and others)
  • Servlet API integration
  • Authentication and authorization

We will learn more about Spring Security in Chapter 8, Circuit Breakers and Security. We will also put it into practice.

@EnableWebSecurity is a common annotation.