Introduction to Spring Security and its Features

Spring Security is a framework for securing Java applications. It provides authentication, authorization and protection against common vulnerabilities, while integrating seamlessly with Spring Boot for easy configuration.

Why Use Spring Security?

In modern applications, security is not optional it’s a necessity. Whether you are building a simple web application or a large-scale microservices system, protecting user data and application resources is important.

• Integrates seamlessly with Spring Boot and Spring MVC.
• Provides flexible authentication and authorization mechanisms.
• Helps prevent common security threats.
• Supports enterprise-level requirements such as LDAP, OAuth2 and JWT.

Key Features of Spring Security

Spring Security provides various security features, including:

1. Authentication and Authorization

• Authentication: Verifies the identity of users (e.g., login with username and password).
• Authorization: Determines whether a user has permission to perform a specific action (e.g., access a page or API).

2. Comprehensive Protection Against Common Vulnerabilities

Spring Security offers out-of-the-box protection for many well-known security threats, including:

• CSRF (Cross-Site Request Forgery)
• Session Fixation Attacks
• Clickjacking
• Cross-Site Scripting (XSS) (with content security policies)

3. Seamless Integration with Spring Framework

Spring Security is tightly integrated with Spring Boot and Spring MVC, which means you can enable security features with minimal configuration. For example, adding spring-boot-starter-security to your project automatically applies basic authentication.

4. Password Management

• Supports modern password encoding mechanisms such as bcrypt.
• Provides built-in utilities for hashing and verifying passwords.

5. Method-Level Security

You can secure specific methods in your application using annotations such as:

• @PreAuthorize
• @PostAuthorize
• @Secured

Example:

@PreAuthorize("hasRole('ADMIN')")
public void deleteUser(Long id) {
    // only admins can delete users
}

6. Support for Modern Security Standards

• JWT (JSON Web Tokens) for stateless authentication.
• OAuth2 and OpenID Connect for single sign-on (SSO).
• LDAP for enterprise authentication.

Example: Basic Authentication in Spring Boot

Step 1. Create a new Spring Boot project

Use Spring Initializr or create manually.

Suggested project coordinates:

• Project: Maven Project
• Group: com.example
• Artifact: demo
• Java: 17 (or your preferred LTS)
• Add Dependencies: Spring Web and Spring Security
• Click Generate: downloads demo.zip.

Extract the zip to a folder and import project on IDE.

pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
    http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.2.4</version>
        <relativePath/>
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>spring-security-basic-auth-demo</name>
    <description>Spring Boot Basic Auth Demo</description>
    <properties>
        <java.version>17</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

Step 2. Add a simple REST controller

Create a java class inside -> src/main/java/com/example/demo/HelloController.java with:

HelloController.java

package com.example.demo;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    @GetMapping("/hello")
    public String hello() {
        return "Welcome! You are successfully authenticated."
    }
}

Step 3. Configure credentials (recommended)

Set properties inside -> src/main/resources/application.properties and add:

application.properties

spring.security.user.name=admin
spring.security.user.password=admin123

Step 4. Run the application

Open main class and run an application:

DemoApplication.java

package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class DemoApplication {
  public static void main(String[] args) {
    SpringApplication.run(DemoApplication.class, args);
  }
}

Step 5. Test the secured endpoint

Open browser visit ->

http://localhost:8080/login

We saw login prompt appears with user name and password

Output:

Fill details

• Uername-> admin
• password -> admin123.

And Click Sing in then you can see message.

Advantages of Spring Security

Some major benefits of using Spring Security include:

• Protection against threats like CSRF, session fixation and clickjacking.
• Integration with Spring MVC and Spring Boot.
• Supports Java-based configuration.
• Works with standard Servlet API.
• Prevents brute-force attacks.
• Active open-source community ensuring continuous improvements.

Related Article

Spring Security Tutorial