One of the crucial points during the development of a web application is its security: new intrusion techniques, and new ways for your application's security to be broken, appear all the time.
Keeping up to date with all these techniques and the ways to mitigate them is quite difficult, as many concepts go into keeping a web application secure.
For this reason, it is very common to delegate the security implementation of our applications to libraries or frameworks developed by experts in the security field. That is why, in this article, we will talk about Spring Security.
What is Spring Security?
Spring Security is a framework from the Spring project that provides a high-level, highly customizable authentication and authorization system for Java applications.
The framework is the official solution for implementing security features in Spring Boot applications, but it can also be used in conjunction with other frameworks.
Spring Security Features
Although the focus of Spring Security is its authentication and authorization system, it has other features that increase the security of our Java applications. Here is a list of some of its main features:
- Authentication system
- Authorization system
- Protection against attacks such as session fixation, clickjacking and cross-site request forgery
- Integration with the Servlet API
- Optional integration with Spring Web MVC
- Easy installation via a Spring Boot starter
Authentication
Basically, authentication is the login step of our application: it verifies whether a given user has valid credentials (generally a login and password combination) to access our application.
The Spring Security authentication system can be configured to use different authentication strategies, since it works with the concept of authentication providers.
Authentication providers are the structures responsible for providing information about users who access the application. That way, you can have a number of different providers to use in your applications.
Spring Security itself already ships some ready-to-use providers, such as providers based on JPA, on JDBC and even on the LDAP standard, which allows applications to run the authentication and authorization flow through Active Directory servers, for example.
Authorization
Authorization is a process that takes place after authentication. This is the moment where the application checks if the currently authenticated user has permission to access a certain resource.
Spring Security's authorization system is also very flexible, as it allows us to easily define the possible types of users in our application, how the system relates each user to their type, and which routes in our application each type of user will have access to.
All of this flexibility is possible because Spring Security provides interfaces that we implement in order to tell it what our application's business rules for the authentication and authorization processes are.
Password Storage
In addition to authentication, authorization and protection against different types of web application vulnerabilities, Spring Security also provides password hashing algorithms so that your application does not store your users' passwords in plain text in the database.
The algorithms available in Spring Security are bcrypt, PBKDF2, scrypt and argon2, bcrypt being the most widely used by the community.
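Bringing the three sections above together (authentication providers, authorization rules and password storage), here is an added example that is not code from the article: a single Spring Boot 3 / Spring Security 6 configuration class. The class name, the two sample accounts and the route patterns are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    // Password storage: bcrypt with work factor 12. Each encode() call draws a fresh
    // salt, so two accounts sharing a password still end up with different hashes.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    // Authentication provider: an in-memory UserDetailsService standing in for the
    // JPA/JDBC/LDAP-backed providers the article mentions. Usernames and passwords
    // are constructed sample values; only their bcrypt hashes are kept in memory.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        var admin = User.withUsername("alice")
                .password(encoder.encode("sample-admin-password"))
                .roles("ADMIN")
                .build();
        var user = User.withUsername("bob")
                .password(encoder.encode("sample-user-password"))
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(admin, user);
    }

    // Authorization: map roles to routes. Matchers are checked top to bottom, so the
    // specific paths come first and the deny-by-default catch-all comes last.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(form -> form.permitAll()); // CSRF protection stays enabled by default
        return http.build();
    }
}
```

With this in place, a request to /admin/** from bob is rejected even though he is authenticated, while an unauthenticated request to any route other than / or /public/** is redirected to the login form.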
Installing Spring Security
The process of installing Spring Security in a Spring Boot application is very simple, since Spring Boot itself provides a starter that installs and pre-configures Spring Security.