DEV Community

Abhishek Batra
Abhishek Batra

Posted on

Securing Applications with Spring Boot and Spring Security

#java #security #springboot #tutorial

Security is a critical aspect of any application. Spring Boot, combined with its comprehensive and flexible security framework—Spring Security—offers efficient solutions to safeguard applications against various threats.

In this blog post, we’ll explore key security features in Spring Boot, starting from basic authentication and moving toward advanced topics like JWT and OAuth2. We’ll learn how to configure security settings, implement authentication and authorization, secure REST API.

🔑 Introduction to Spring Security

Spring Security is a powerful and highly customizable framework for authentication (verifying identity) and access control (authorizing access). It is the standard choice for securing Spring-based applications.

With Spring Boot, integrating Spring Security is seamless, thanks to auto-configuration and sensible defaults that provide immediate protection upon adding the dependency.

Key Features of Spring Security

  • Comprehensive Authentication and Authorization: Supports multiple mechanisms like Basic Auth, Form-based login, and OAuth2, alongside role-based access control (RBAC).
  • Protection Against Common Threats: Defends against CSRF (Cross-Site Request Forgery), session fixation, clickjacking, and other common vulnerabilities.
  • Method-Level Security: Allows securing service-layer methods using annotations like @PreAuthorize or @Secured.
  • Highly Configurable: Offers the flexibility to fine-tune every security setting based on application needs.

🛠️ Adding the Spring Security Dependency

Before implementing custom security, you must add the Spring Security dependency. If you used the Spring Initializr and selected Spring Security, you're all set. Otherwise, add the following to your pom.xml

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
Enter fullscreen mode Exit fullscreen mode

Immediate Security: After adding the dependency and restarting, Spring Security automatically secures all endpoints. It uses a default user (username: user) and generates a temporary password, which is printed in the console logs (look for "Using generated security password").

🔐 Configuring Basic Authentication
Authentication is the process of verifying a user's identity, typically by validating credentials. Once validated, Spring Security grants the user an Authentication object stored in the SecurityContext.

Basic Authentication Overview
Basic Authentication is a simple scheme built into the HTTP protocol. It encodes the username and password using Base64 and sends them in the Authorization HTTP header.

Configuration Example
You can explicitly configure Basic Authentication and secure all requests using a SecurityFilterChain bean.

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .anyRequest().authenticated() // All requests must be authenticated
            )
            .httpBasic(); // Enables Basic Authentication

        return http.build();
    }
}
Enter fullscreen mode Exit fullscreen mode

Limitations of Basic Authentication
While simple, Basic Authentication has significant drawbacks:

  • Encoded, Not Encrypted: Base64 encoding is not encryption. Credentials are easily decoded, making them vulnerable if the connection is not secured with HTTPS.
  • No Expiration Mechanism: It lacks built-in support for expiring or refreshing credentials, which is critical for modern security practices.
  • Limited Authorization Control: It is best for simple, quick protections and doesn't inherently support fine-grained access control.

Note: For enhanced security and flexibility, especially for stateless REST APIs, JWT (JSON Web Token) or OAuth2 is strongly recommended.

👥 Role-Based Access Control (RBAC)

RBAC is a mechanism that restricts access to resources based on the user's assigned role (e.g., ADMIN, USER, GUEST). Spring Security simplifies this by integrating roles into its authorization model.

RBAC Configuration Example
You define access rules within the authorizeHttpRequests section of your configuration.
Note: The @override protected void configure(HttpSecurity http) format is from the deprecated WebSecurityConfigurerAdapter; the modern approach uses the SecurityFilterChain as shown above.

Here is how to apply role-based authorization using the modern approach:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            // Requires the user to have the 'ADMIN' role
            .requestMatchers("/admin/**").hasRole("ADMIN")

            // Requires the user to have either 'USER' or 'ADMIN' role
            .requestMatchers("/user/**").hasAnyRole("USER", "ADMIN")

            // All other requests must be authenticated
            .anyRequest().authenticated() 
        )
        // ... other security settings
        .httpBasic(); 

    return http.build();
}
Enter fullscreen mode Exit fullscreen mode
  • Only users with the ADMIN role can access /admin/** endpoints.
  • Users with either the USER or ADMIN role can access /user/** endpoints.

Top comments (0)