0% found this document useful (0 votes)

26 views5 pages

Spring Security Guide

Spring Security is a customizable framework for authentication and access control in Java applications, primarily those using Spring. It manages user authentication through a flow involving login requests and credential verification, while authorization determines user permissions for resource access. The framework allows for various customizations, including user details services and security configurations, as demonstrated in a real-world example of securing a REST API.

Uploaded by

princethelittleking

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

26 views5 pages

Spring Security Guide

Uploaded by

princethelittleking

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 5

Spring Security - How It Works

Spring Security is a powerful and highly customizable authentication and access-control framework

for Java applications, especially those built with Spring. It helps developers secure their apps by

handling:

- Authentication (who are you?)

- Authorization (what are you allowed to do?)

1. Authentication Flow

- A user tries to log in (e.g., via a login form).

- Spring Security intercepts the login request using a UsernamePasswordAuthenticationFilter.

- It passes the credentials to an AuthenticationManager.

- This manager uses an AuthenticationProvider (like DaoAuthenticationProvider) to verify the

credentials.

- If successful, it returns an Authentication object and stores it in the SecurityContext.

2. Authorization Flow

- This determines if a user has permission to access a specific resource.

- You can configure URL-based access or use annotations like @PreAuthorize.

3. SecurityContext and Filters

- Every request is checked through the Security Filter Chain.

- Authenticated user info is stored in the SecurityContextHolder (usually stored in session).

4. Customizations

- Custom login page, UserDetailsService, filters, JWT, OAuth2, etc.

Example Java Config:

http

.authorizeHttpRequests()

.requestMatchers("/admin/**").hasRole("ADMIN")

.anyRequest().authenticated();

---

Real-World Example: Securing a REST API

1. Dependencies (Maven)

- spring-boot-starter-security

- spring-boot-starter-web

2. UserDetailsService Implementation:

@Service

public class MyUserDetailsService implements UserDetailsService {

@Override

public UserDetails loadUserByUsername(String username) {

if (username.equals("admin")) {

return User.builder()

.username("admin")

.password(new BCryptPasswordEncoder().encode("admin123"))

.roles("ADMIN")

.build();

} else if (username.equals("user")) {
return User.builder()

.username("user")

.password(new BCryptPasswordEncoder().encode("user123"))

.roles("USER")

.build();

throw new UsernameNotFoundException("User not found");

3. Security Configuration:

@Configuration

@EnableWebSecurity

public class SecurityConfig {

@Bean

public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

http

.csrf().disable()

.authorizeHttpRequests(auth -> auth

.requestMatchers("/admin/**").hasRole("ADMIN")

.requestMatchers("/user/**").hasRole("USER")

.requestMatchers("/public/**").permitAll()

.anyRequest().authenticated()

.formLogin(Customizer.withDefaults());

return http.build();

}
@Bean

public PasswordEncoder passwordEncoder() {

return new BCryptPasswordEncoder();

4. Controller Endpoints:

@RestController

public class TestController {

@GetMapping("/public/hello")

public String publicHello() {

return "Hello from public!";

@GetMapping("/user/hello")

public String userHello() {

return "Hello user!";

@GetMapping("/admin/hello")

public String adminHello() {

return "Hello admin!";

Testing:
- /public/hello ? No login needed

- /user/hello ? Login as user/user123

- /admin/hello ? Login as admin/admin123

CAS-004 Updated Dumps - CompTIA Advanced Security Practitioner (CASP+) Exam
No ratings yet
CAS-004 Updated Dumps - CompTIA Advanced Security Practitioner (CASP+) Exam
54 pages
Hazim Dahir, Jason Davis, Stuart Clark, Quinn Snyder - Cisco Certified DevNet Professional DEVCOR 350-901 Official Cert Guide-Cisco Press (2022)
No ratings yet
Hazim Dahir, Jason Davis, Stuart Clark, Quinn Snyder - Cisco Certified DevNet Professional DEVCOR 350-901 Official Cert Guide-Cisco Press (2022)
776 pages
Spring Boot JWT Security Tutorial
No ratings yet
Spring Boot JWT Security Tutorial
15 pages
Spring Security Zero To Master Along With JWT, OAUTH2 PDF
No ratings yet
Spring Security Zero To Master Along With JWT, OAUTH2 PDF
109 pages
Introduction of SAC Multi-Actions Public API - SAP Community
100% (1)
Introduction of SAC Multi-Actions Public API - SAP Community
33 pages
Spring Security - A Comprehensive Guide
No ratings yet
Spring Security - A Comprehensive Guide
12 pages
Spring Security
No ratings yet
Spring Security
8 pages
15 Spring Security
No ratings yet
15 Spring Security
7 pages
Guide To Spring Security
No ratings yet
Guide To Spring Security
15 pages
Spring Security
No ratings yet
Spring Security
5 pages
Spring Security
No ratings yet
Spring Security
16 pages
Guide To Spring Security
No ratings yet
Guide To Spring Security
16 pages
A Complete Guide To Spring Security With SpringBoot - by Satya Kaveti - Medium
No ratings yet
A Complete Guide To Spring Security With SpringBoot - by Satya Kaveti - Medium
43 pages
Spring Security for Java Developers
No ratings yet
Spring Security for Java Developers
33 pages
01 Sep 2021 ClassNotes
No ratings yet
01 Sep 2021 ClassNotes
2 pages
Springsecurity 181008152249
No ratings yet
Springsecurity 181008152249
36 pages
Spring Security
No ratings yet
Spring Security
2 pages
Normal 5f89d02c9d162
No ratings yet
Normal 5f89d02c9d162
2 pages
Spring Security 5
No ratings yet
Spring Security 5
28 pages
Spring Security
No ratings yet
Spring Security
7 pages
Springbooot Security
No ratings yet
Springbooot Security
3 pages
Spring Security
No ratings yet
Spring Security
21 pages
Spring Security Audit & Configuration Guide
No ratings yet
Spring Security Audit & Configuration Guide
10 pages
Spring Security for J2EE Developers
No ratings yet
Spring Security for J2EE Developers
12 pages
Spring Security for Developers
No ratings yet
Spring Security for Developers
11 pages
02 Sep 2021 ClassNotes
No ratings yet
02 Sep 2021 ClassNotes
4 pages
Spring Security Setup Guide
No ratings yet
Spring Security Setup Guide
14 pages
Top 20 Spring Security Interview Questions
No ratings yet
Top 20 Spring Security Interview Questions
2 pages
Spring Security Zero To Master Along With JWT, OAUTH2
No ratings yet
Spring Security Zero To Master Along With JWT, OAUTH2
106 pages
Spring Security: Authentication Authorization
100% (1)
Spring Security: Authentication Authorization
4 pages
Spring Security Reference
No ratings yet
Spring Security Reference
281 pages
Secure REST APIs with Spring Boot
No ratings yet
Secure REST APIs with Spring Boot
14 pages
Spring Security
No ratings yet
Spring Security
16 pages
5-Spring Security Notes
100% (1)
5-Spring Security Notes
6 pages
Spring Boot Token Based Authentication With Spring Security and JWT
No ratings yet
Spring Boot Token Based Authentication With Spring Security and JWT
30 pages
Spring Security Reference
No ratings yet
Spring Security Reference
138 pages
Spring Security. Authentication and Authorization
No ratings yet
Spring Security. Authentication and Authorization
65 pages
Spring Security
No ratings yet
Spring Security
35 pages
Spring MVC Security Guide
No ratings yet
Spring MVC Security Guide
158 pages
Spring Security Reference
No ratings yet
Spring Security Reference
242 pages
Spring Security
No ratings yet
Spring Security
7 pages
Spring Security for Developers
No ratings yet
Spring Security for Developers
88 pages
Springsecurity
No ratings yet
Springsecurity
134 pages
Spring Security
No ratings yet
Spring Security
134 pages
Spring Security JWT Implementation Guide
No ratings yet
Spring Security JWT Implementation Guide
3 pages
6 Security v2
No ratings yet
6 Security v2
11 pages
Spring Security 6 Notes
No ratings yet
Spring Security 6 Notes
2 pages
Spring Security
No ratings yet
Spring Security
134 pages
Spring Security
No ratings yet
Spring Security
133 pages
AZ-500 Exam Q&A for IT Professionals
No ratings yet
AZ-500 Exam Q&A for IT Professionals
5 pages
Jwt-Handbook-V0 14 1 PDF
No ratings yet
Jwt-Handbook-V0 14 1 PDF
120 pages
APIM
No ratings yet
APIM
5 pages
Modelo Examen
No ratings yet
Modelo Examen
29 pages
Single Sign On To SAP Cloud Integration (CPI Runti... - SAP Community
No ratings yet
Single Sign On To SAP Cloud Integration (CPI Runti... - SAP Community
44 pages
Access Google Sheets with Python API
No ratings yet
Access Google Sheets with Python API
5 pages
Odoo SaaS Setup Guide
No ratings yet
Odoo SaaS Setup Guide
9 pages
Switch to API Imports in Power BI
No ratings yet
Switch to API Imports in Power BI
2 pages
OWASP London20170928 Suleman Malik PDF
No ratings yet
OWASP London20170928 Suleman Malik PDF
28 pages
Pandago API Version 1.1.0 1
No ratings yet
Pandago API Version 1.1.0 1
22 pages
CCS Module 6
No ratings yet
CCS Module 6
23 pages
Full Stack Developer Program
No ratings yet
Full Stack Developer Program
8 pages
T1 - Extend The Power Platform With Custom Connectors
No ratings yet
T1 - Extend The Power Platform With Custom Connectors
20 pages
Identity and Access Management Designer - 5
No ratings yet
Identity and Access Management Designer - 5
14 pages
Day Dreams Final Solution
No ratings yet
Day Dreams Final Solution
13 pages
Detailed Steps To Set Up Google Drive OAuth2 Credentials in n8n
No ratings yet
Detailed Steps To Set Up Google Drive OAuth2 Credentials in n8n
3 pages
REST Authentication Methods Guide
No ratings yet
REST Authentication Methods Guide
4 pages
OAG Oauth UserGuide
No ratings yet
OAG Oauth UserGuide
121 pages
n8n Setup 1
No ratings yet
n8n Setup 1
9 pages
API - Developer Documentation - SmartThings
No ratings yet
API - Developer Documentation - SmartThings
135 pages
Api Rest
No ratings yet
Api Rest
322 pages
Third-Party Apps On Facebook Privacy and The Illus
No ratings yet
Third-Party Apps On Facebook Privacy and The Illus
11 pages
SAP S/4HANA Cloud: Electronic Docs Setup
No ratings yet
SAP S/4HANA Cloud: Electronic Docs Setup
14 pages
Line Notify Api
No ratings yet
Line Notify Api
6 pages
How To Setup Oauth2 Authentication With Microsoft: Global Support
No ratings yet
How To Setup Oauth2 Authentication With Microsoft: Global Support
6 pages
Access Management Market Overview
No ratings yet
Access Management Market Overview
125 pages

Spring Security Guide

Uploaded by

Spring Security Guide

Uploaded by

Spring Security - How It Works

- Authentication (who are you?)

- Authorization (what are you allowed to do?)

- A user tries to log in (e.g., via a login form).

- Spring Security intercepts the login request using a UsernamePasswordAuthenticationFilter.

- It passes the credentials to an AuthenticationManager.

- This manager uses an AuthenticationProvider (like DaoAuthenticationProvider) to verify the

- If successful, it returns an Authentication object and stores it in the SecurityContext.

- This determines if a user has permission to access a specific resource.

- You can configure URL-based access or use annotations like @PreAuthorize.

3. SecurityContext and Filters

- Every request is checked through the Security Filter Chain.

- Authenticated user info is stored in the SecurityContextHolder (usually stored in session).

- Custom login page, UserDetailsService, filters, JWT, OAuth2, etc.

Real-World Example: Securing a REST API

public class MyUserDetailsService implements UserDetailsService {

public UserDetails loadUserByUsername(String username) {

throw new UsernameNotFoundException("User not found");

public class SecurityConfig {

public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

.authorizeHttpRequests(auth -> auth

public PasswordEncoder passwordEncoder() {

return new BCryptPasswordEncoder();

public class TestController {

public String publicHello() {

return "Hello from public!";

public String userHello() {

return "Hello user!";

public String adminHello() {

return "Hello admin!";

- /user/hello ? Login as user/user123

- /admin/hello ? Login as admin/admin123

You might also like