Basics of Spring Security

What is Spring Security?

  • Spring Security is a security framework built on top of Spring that provides authentication and authorization for Spring applications.
  • Spring Security handles application-level security, i.e. who may log in and what they may then do; it does not replace network- or OS-level controls.
  • Adding it to an application gives several protections out of the box:
    • Login and logout functionality.
    • Allowing or blocking access to URLs depending on whether the user is logged in.
    • Allowing or blocking access to URLs for logged-in users according to further rules (roles, authorities).
    • Protection against common web vulnerabilities: CSRF protection and session-fixation protection are enabled by default, and security headers (Cache-Control, X-Content-Type-Options, X-Frame-Options, HSTS) are added to responses.
  • This lets application developers worry less about security plumbing and focus on the application itself, as long as the defaults are kept and the access rules are written correctly.
  • Functionality that Spring Security offers:
    • Username and password authentication.
    • Integration with SSO, identity providers such as Okta, and LDAP directories.
    • Application-level authorization (which URLs a user may reach).
    • Delegated authorization between applications, e.g. OAuth 2.0.
    • Microservice security (token based, e.g. JWT).
    • Method-level security.
  • 5 core concepts of Spring Security
    • Authentication: establishing who the user is.
      • Knowledge-based authentication: something the user knows, typically a user id and password.
      • Possession-based authentication: something the user has, e.g. a one-time code delivered by phone call or text message, a key card or a badge.
      • Note: several factors can be combined (example: 2FA, two-factor authentication).
    • Authorization
      • Checking whether the authenticated user is allowed to do what they are trying to do.
    • Principal
      • The principal is the user (or account) already identified by authentication, i.e. the currently logged-in user. In Spring Security it is carried inside the Authentication object held in the SecurityContext.
    • Granted Authority
      • A fine-grained permission held by a particular user.
    • Roles
      • A role is a group of authorities assigned together. Spring Security represents a role as an authority with the ROLE_ prefix, so hasRole("ADMIN") is the same check as hasAuthority("ROLE_ADMIN").
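The out-of-the-box features and the five concepts above, wired together in one configuration, as an added example that is not code from the original page or from the Spring Security project itself. It assumes Spring Boot 3.x with spring-boot-starter-web and spring-boot-starter-security (Spring Security 6) on the classpath; the URL paths, the users alice and bob, their passwords and the REPORT_READ authority are illustrative choices made for this example.

```java
// Added example, not from the original page. Assumes Spring Boot 3.x with
// spring-boot-starter-web and spring-boot-starter-security (Spring Security 6).
// Paths, users, passwords and the REPORT_READ authority are illustrative.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity   // enables @PreAuthorize: method-level security
public class SecurityConfig {

    // URL-level authorization. Rules are evaluated top to bottom; the first match wins,
    // so the catch-all anyRequest() must come last.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()             // anonymous allowed
                .requestMatchers("/admin/**").hasRole("ADMIN")              // needs authority ROLE_ADMIN
                .requestMatchers("/reports/**").hasAuthority("REPORT_READ") // fine-grained permission
                .anyRequest().authenticated())                              // everything else: logged in
            .formLogin(Customizer.withDefaults())   // out-of-the-box login page at /login
            .logout(Customizer.withDefaults());     // POST /logout; CSRF protection stays on by default
        return http.build();
    }

    // Passwords are stored hashed. The delegating encoder prefixes each hash with its
    // algorithm id ({bcrypt} by default) so the scheme can be rotated later.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Knowledge-based authentication: username + password, kept in memory for the demo.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
            .password(encoder.encode("alice-pass"))
            .roles("USER")                  // stored as the granted authority ROLE_USER
            .build();
        // roles() and authorities() overwrite each other on the builder, so a user who needs
        // a role and a fine-grained permission gets both through authorities(), prefix included.
        UserDetails bob = User.withUsername("bob")
            .password(encoder.encode("bob-pass"))
            .authorities("ROLE_ADMIN", "REPORT_READ")
            .build();
        return new InMemoryUserDetailsManager(alice, bob);
    }
}

@RestController
class DemoController {

    // The Authentication of the current request: getName() is the principal's username,
    // getAuthorities() the granted authorities (roles appear with their ROLE_ prefix).
    @GetMapping("/whoami")
    public String whoami(Authentication authentication) {
        return authentication.getName() + " " + authentication.getAuthorities();
    }

    // Reachable only through the /admin/** URL rule above (ROLE_ADMIN).
    @GetMapping("/admin/users")
    public String adminOnly() {
        return "admin area";
    }

    // Method-level rule: enforced on the method itself, independently of the URL rule.
    @PreAuthorize("hasAuthority('REPORT_READ')")
    @GetMapping("/reports/daily")
    public String reports() {
        return "daily report";
    }
}
```

With the application running, an anonymous request to /whoami is redirected to the generated login page; after logging in as alice the response is her name and [ROLE_USER], and a request to /admin/users or /reports/daily returns 403 because she holds neither ROLE_ADMIN nor REPORT_READ. Logged in as bob, both succeed: hasRole("ADMIN") passes because his authority list contains ROLE_ADMIN, and the @PreAuthorize check passes on the plain REPORT_READ authority.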
