Spring Security Basics

Spring Security is the de facto framework for securing Spring applications. It provides authentication, authorization, and protection against common vulnerabilities in a declarative, flexible, and production-ready way. Whether you are building web apps, REST APIs, or microservices with Spring Boot, understanding these basics is essential.

What is Spring Security?

Spring Security is a comprehensive security framework built on top of the Spring ecosystem. Its primary goals are:

• Authentication: Verify the identity of users.
• Authorization: Decide what users are allowed to access.
• Protection: Safeguard applications from threats like CSRF, XSS, session hijacking, and common attacks.

Key Features:

• Integration with Spring Boot for easy configuration.
• Flexible security policies for roles, permissions, and URL access.
• Support for JWT, OAuth2 / OIDC, LDAP, and database authentication.
• Extensible and highly customizable for real-world applications.

Core Concepts

Spring Security is built on two fundamental concepts: Authentication and Authorization. Understanding these is essential for securing your applications effectively.

Authentication

Authentication is about confirming the identity of a user. Spring Security provides multiple authentication mechanisms:

• Form-based login – Traditional username/password login.
• HTTP Basic authentication – Simple header-based authentication for APIs.
• JWT (JSON Web Tokens) – Stateless authentication for REST APIs.
• OAuth2 / OIDC login – Single Sign-On (SSO) and third-party authentication.

Example: Form Login Authentication

if (userDetailsService.loadUserByUsername(username) !=null &&
    passwordEncoder.matches(rawPassword, storedPassword)) {
// Authentication successful
}

Authorization

Authorization decides whether an authenticated user has access to specific resources or actions. It uses roles and permissions to enforce rules.

• Role-Based Access Control (RBAC): Users are assigned roles like ADMIN, USER, etc.
• Method-level security: Annotate methods with @PreAuthorize, @Secured, or @PostAuthorize.
• URL-level security: Protect specific endpoints in your application.

Example:

@PreAuthorize("hasRole('ADMIN')")
publicvoiddeleteUser(Long userId) { ... }

Only users with the ADMIN role can execute this method.

Security Filter Chain

Spring Security uses a filter chain to process incoming requests:

• Filters intercept requests and responses.
• AuthenticationFilter validates credentials.
• AuthorizationFilter enforces access rules.

This chain ensures every request is verified and secured before reaching your application logic.

Password Management

• Never store passwords in plain text.
• Always use strong hashing algorithms:

Spring Security automatically handles encoding and verification during authentication.

Session & Stateless Security

• Stateful Security: Stores user session in HTTP session (traditional web apps).
• Stateless Security: Uses JWT or tokens, no server session, scalable for REST APIs and microservices.

Key Components of Spring Security

Spring Security with Spring Boot

Spring Boot makes security setup quick and efficient:

• Default basic security is enabled automatically.
• Add spring-boot-starter-security to enable full security features.
• Configure custom authentication and authorization with minimal boilerplate.

Example: Basic configuration:

@Configuration
@EnableWebSecurity
publicclassSecurityConfig {
@Bean
public SecurityFilterChainfilterChain(HttpSecurity http)throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults());
return http.build();
    }
}

Protecting REST APIs

For modern web applications, REST API security is critical. Spring Security supports:

• JWT-based stateless authentication
• Role-based endpoint access
• CORS configuration for cross-origin requests
• Method-level security for service methods

Example: JWT filter checks the token before processing API requests, ensuring only authorized users access protected endpoints.

Authentication vs Authorization in Spring Security

Understanding the difference between authentication and authorization is crucial for securing your Spring Boot applications.

Best Practices for Beginners

1. Always use strong password encoding (BCryptPasswordEncoder).
2. Keep sensitive endpoints role-protected.
3. Enable HTTPS in production.
4. Use JWT or OAuth2 for stateless, scalable applications.
5. Avoid hardcoding credentials; use environment variables or properties.
6. Monitor security logs and integrate with Spring Boot Actuator for observability.

Why Learn Spring Security?

• Essential for real-world enterprise applications.
• Integrates seamlessly with Spring Boot microservices.
• Provides production-ready security with minimal setup.
• Improves career skills in Java backend development.
• Enables safe, scalable, and maintainable applications.

Conclusion

Spring Security is a powerful, flexible, and extensible framework that ensures your Spring Boot applications are safe, scalable, and production-ready. Mastering the basics of authentication, authorization, and filter chains is the foundation for advanced security topics like JWT, OAuth2, and method-level access control.

By following best practices and leveraging Spring Boot defaults, developers can secure web applications and REST APIs effectively while maintaining performance and scalability.