What is spring security?
- Spring Security is a security framework built on top of Spring that secures our application.
- Spring Security handles application-level security.
- Spring Security provides some basic security out of the box as soon as it is added to the application:
  - Login and logout functionality.
  - Allow/block access to URLs for logged-in users.
  - Allow/block access to URLs for logged-in users according to certain rules.
  - Handling of common vulnerabilities.
- This lets application developers worry less about security and focus more on developing the application.
- Functionalities that Spring Security offers:
  - Username and password authentication.
  - SSO / OKTA / LDAP
  - App-level authorization
  - Intra-app authorization like OAuth
  - Microservice security (using tokens, JWT)
  - Method-level security
- 5 core concepts of Spring Security:
  - Authentication
    - Knowledge-based authentication: done with some data unique to the user, typically an id and a password.
    - Possession-based authentication: a phone call or text message carrying an OTP, or a keycard or badge.
    - Note: multiple authentication factors can be combined as well (example: 2FA, two-factor authentication).
  - Authorization
    - Checking whether a user has access to do what they are trying to do is called authorization.
  - Principal
    - The principal is the user you have already identified through authentication, i.e. the currently logged-in user or account.
  - Granted Authority
    - A fine-grained permission of a particular user.
  - Roles
    - Roles are groups of authorities that are assigned together.
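The five concepts above, wired together in one Spring Security 6 configuration. This is an added example, not code from the notes or from the Spring project; it assumes a Spring Boot 3 application with spring-boot-starter-security, and the users, passwords, URL paths and the `report:read` authority are constructed sample values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity // enables method-level security such as @PreAuthorize
public class SecurityConfig {
    // Principals: two constructed in-memory users. roles("ADMIN") is stored as the authority ROLE_ADMIN;
    // "report:read" is a plain authority. roles() and authorities() overwrite each other, so bob uses one call.
    @Bean
    InMemoryUserDetailsManager users() {
        PasswordEncoder enc = PasswordEncoderFactories.createDelegatingPasswordEncoder(); // bcrypt by default
        UserDetails alice = User.withUsername("alice").password(enc.encode("alice-pw")).roles("USER").build();
        UserDetails bob = User.withUsername("bob").password(enc.encode("bob-pw"))
                .authorities("ROLE_USER", "ROLE_ADMIN", "report:read").build();
        return new InMemoryUserDetailsManager(alice, bob);
    }
    // Authorization at the URL level; rules are evaluated top-down and the first match wins.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")              // role check
                .requestMatchers("/reports/**").hasAuthority("report:read") // fine-grained authority check
                .anyRequest().authenticated())                              // any logged-in principal
            .formLogin(form -> form.permitAll())   // Authentication: login page out of the box
            .logout(logout -> logout.permitAll()); // and logout
        return http.build();
    }
}
// Method-level security: this check still runs if a URL rule above is missing or too permissive.
@Service
class ReportService {
    @PreAuthorize("hasAuthority('report:read')")
    public String readReport() {
        String who = SecurityContextHolder.getContext().getAuthentication().getName(); // the current principal
        return "report for " + who;
    }
}
```

With these rules alice can log in and reach `/` and any `authenticated()` URL, but gets 403 on `/admin/**`, `/reports/**` and `readReport()`; bob passes all three checks.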