
Spring Security

Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.

All edits

Edits on 24 Jan, 2022
Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Table (+1 rows) (+4 cells) (+102 characters)
Table

Title
Date
Link

What is Spring security?

June 17, 2020

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Table (+1 rows) (+4 cells) (+92 characters)
Table

Title
Date
Link

Spring Security | FULL COURSE

December 18, 2019

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (-101 characters)
Article

In the future, we are also planning to expand on this introduction with more advanced tutorials such as:

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+101 characters)
Article

In the future, we are also planning to expand on this introduction with more advanced tutorials such as:

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+135 characters)
Article

After learning what it is good for, we have taken a look at some important concepts that can help us understand Spring Security better.

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+259 characters)
Article

In this article, we started by defining Spring Security and tried to provide insight into what kinds of things a security framework provides. I hope this is clearer after reading the features section and seeing the example use cases for Spring Security.

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+10/-10 characters)
Article

Conclusion

Conclusion

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+10 characters)
Article

Conclusion

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+96 characters)
Article

This could be the configuration for Auth0 blog permissions if it were built with Spring Security.

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+511 characters)
Article
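    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // The home page is open to everyone, authenticated or not
            .antMatchers("/").permitAll()
            // Writing, editing and deleting each require one of the listed authorities
            .antMatchers("/new-blog-post").hasAnyAuthority("ADMIN", "AUTH0 EMPLOYEE", "GUEST_WRITER")
            .antMatchers("/edit/**").hasAnyAuthority("ADMIN", "EDITOR")
            .antMatchers("/delete/**").hasAuthority("ADMIN")
            .and()
            // The login and logout endpoints must be reachable by anyone
            .formLogin().permitAll()
            .and()
            .logout().permitAll();
    }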
Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+661 characters)
Article

Now that we know about Ant Matchers, we are able to specify the paths that filters will be applied to, but we still lack the flexibility to define role-specific permissions. For example, we might want an endpoint to be accessible only by users who have the role ADMIN, or any arbitrary set of roles. Role-based authorization/authentication lets us achieve this behavior. I will not give the whole code or a tutorial for implementing role-based security, since that would be the topic of a whole new article, but you should know that Spring Security allows you to define roles for your users and apply filters depending on those roles, as follows:

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+37/-37 characters)
Article

User Roles (Role-based Authorization)

User Roles (Role-based Authorization)

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+37 characters)
Article

User Roles (Role-based Authorization)

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+264 characters)
Article

This code snippet allows all GET requests to URLs that start with "/public/" to bypass the filters. For any other request, the API consumer should be authenticated, and the custom filters will also apply. Code similar to this can be found in a Configuration class.

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+412 characters)
Article
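    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // GET requests under /public/ are allowed without authentication
                .antMatchers(HttpMethod.GET, "/public/**").permitAll()
                // Every other request must come from an authenticated caller
                .anyRequest().authenticated()
                .and()
                // Custom filters registered in the security filter chain
                .addFilter(new CustomFilter(authenticationManager()))
                .addFilter(new JWTAuthorizationFilter(authenticationManager()));
    }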

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+22/-22 characters)
Article

Example configuration:

Example configuration:

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+22 characters)
Article

Example configuration:

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+465 characters)
Article

"Filters are nice and all, but they apply to every request as soon as I add them to my security configuration, and what if I want to apply a filter only to a single REST resource?" you might ask. This is where URL Matchers come onto the scene. URL Matchers in Spring Security are called Ant Matchers, historically named after the Apache Ant build system, and they allow us to specify a regex-like matcher to determine which endpoints should be subject to filtering.

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+8/-8 characters)
Article

Matchers

Matchers

Oksana Shumei
Oksana Shumei edited on 24 Jan, 2022
Edits made to:
Article (+8 characters)
Article

Matchers
