In this post, we are going to discuss about Spring Framework “Security” Module Basics. We will develop some simple and advanced examples in my coming posts.
Now-a-days, Developing Secure Applications is very crucial aspect to avoid Malfunctioning, Stealing or hacking our confidential data or unauthorized access. We can develop Secure applications using Spring Security Module to restrict access to our applications.
Spring 4 Security
Initially, Spring Framework was using a separate Third-Party Framework to support Spring Applications Security: Acegi Security. But it was not easy approach to develop secure applications and had some drawbacks.
Drawbacks of Spring Acegi Security
- Lot of XML Configuration
- Too much learning curve
- Does not support Annotations
To avoid all these issues, The Spring Team (Pivotal Team) has integrated “Acegi Security” framework into Spring Framework as “Spring Security” module.
Spring 4 Framework has the following modules to provide Security to the Spring-Based Applications:
- Spring Security
- Spring Security SAML
- Spring Security OAuth
- Spring Security Kerberos
- Spring Cloud Security
In Spring Framework, “Spring Security” module is the base module for rest of the Spring Security modules.
We are going to discuss some basics of “Spring Security” module in this post. We will discuss some simple and advanced real-time examples in my coming posts.
We will come back to rest of four modules once we are familiar with “Spring Security” module in my coming posts.
What is Spring Security?
Spring Security is one of the Spring Framework’s Security modules. It is a Java SE/Java EE Security Framework to provide Authentication, Authorization, SSO and other Security features for Web Applications or Enterprise Applications.
Spring Security Official website: https://projects.spring.io/spring-security/
Spring Security Documentation website: https://docs.spring.io/spring-security/site/docs/
Latest stable, Spring Security Module version is “4.0.2.RELEASE”
Spring 4 Security Features
Spring 3.x Security Framework provides the following Features:
- Authentication and Authorization.
- Supports BASIC,Digest and Form-Based Authentication.
- Supports LDAP Authentication.
- Supports OpenID Authentication.
- Supports SSO (Single Sign-On) Implementation.
- Supports Cross-Site Request Forgery (CSRF) Implementation.
- Supports “Remember-Me” Feature through HTTP Cookies.
- Supports Implementation of ACLs
- Supports “Channel Security” that means automatically switching between HTTP and HTTPS.
- Supports I18N (Internationalisation).
- Supports JAAS (Java Authentication and Authorization Service).
- Supports Flow Authorization using Spring WebFlow Framework.
- Supports WS-Security using Spring Web Services.
- Supports Both XML Configuration and Annotations. Very Less or minimal XML Configuration.
Spring 4.x Security Framework supports the following New Features:
- Supports WebSocket Security.
- Supports Spring Data Integration.
- CSRF Token Argument Resolver.
We will develop some simple examples to demonstrate these features in my coming posts.
Spring 4 Security Levels
Spring Security supports the following two Levels of Authorization
- Method Level Authorization
- URL Level Authorization
NOTE
Spring Security supports “Method Level Security” by using AOP (Aspect-Oriented Programming) that means through Aspects. Spring Security supports “URL Level Security” by using Servlet filters.
Spring 4 Security Advantages
Spring 4 Security Framework provides the following Advantages:
- Open Source Security Framework
- Flexible, Easy to Develop and Unit Test the applications
- Declarative Security Programming
- Easy of Extendability
- Easy of Maintenance
- Takes full advantage of Spring DI(Dependency Injection) and AOP.
- We can develop Loosely-Coupled Applications.
Spring 4 Security Sub-Modules
Spring 4 Security Module is again divided into 11 sub-modules. It has the following sub-modules:
- Spring Security Core Module
- Spring Security Configuration Module
- Spring Security Web Module
- Spring Security Tag Library Module
- Spring Security AspectJ Module
- Spring Security ACL Module
- Spring Security LDAP Module
- Spring Security OpenID Module
- Spring Security CAS Module
- Spring Security Cryptography Module
- Spring Security Remoting Module
In Spring Framework’s Security Sub-Module, Spring Security Core Sub-Module is the base module for rest of all Security Sub-modules.
To support these 11 Spring Security modules, Spring framework has the following jars:
- spring-security-core-4.0.2.RELEASE.jar
- spring-security-config-4.0.2.RELEASE.jar
- spring-security-web-4.0.2.RELEASE.jar
- spring-security-taglibs-4.0.2.RELEASE.jar
- spring-security-aspects-4.0.2.RELEASE.jar
- spring-security-acl-4.0.2.RELEASE.jar
- spring-security-ldap-4.0.2.RELEASE.jar
- spring-security-openid-4.0.2.RELEASE.jar
- spring-security-cas-4.0.2.RELEASE.jar
- spring-security-crypto-4.0.2.RELEASE.jar
- spring-security-remoting-4.0.2.RELEASE.jar
Almost all Spring Security JARs have similar kind of Maven or Gradle dependency entries as shown below:
Spring Security Maven
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>[Spring Security Module Name Here]</artifactId>
<version>4.0.2.RELEASE</version>
</dependency>
</dependencies>
Spring Security Gradle
dependencies {
compile
'org.springframework.security:[Spring Security Module Name Here]:4.0.2.RELEASE'
}
pom.xml
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
</dependency>
</dependencies>
build.gradle
dependencies {
compile 'org.springframework.security:spring-security-core:4.0.2.RELEASE'
}
That’s it all about Spring 4 Security Module basics. It’s time to start to develop some Simple Examples to explore Spring Security module.
We will use Spring STS Suite IDE, Maven or Gradle Build Tool and Java 7/8 to develop our applications.
Please drop me a comment if you like my post or have any issues/suggestions.