Spring Security

Dhivya Muthuraj | October 2, 2020

Spring Security Overview

Web applications are susceptible to security threats and attacks, as they are accessible to anyone on the internet. There may exist some REST endpoints having restricted access to specific users. For example, updating records or admin related operations. We can use Spring Security to secure such URLs.

Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all other Spring projects, the real strength of Spring Security is in how easily it can be extended to meet custom requirements

Spring security works on the following four core concepts

  1. Authentication
  2. Authorization
  3. Password Storage
  4. Servlet Filters


Authentication is the act of verifying an assertion, such as the identity of a computer system user. In contrast with identification, which, as the name suggests, indicates a person/thing’s identity, authentication is the process of verifying that identity. It involves providing valid credentials to verify who you are.


For a simple application, authenticating user might be enough, but let’s think about a big enterprise application.

  • An employee (e.g. call center agent) may only have certain permissions to carry out specific operations. They are not allowed to perform all operations.
  • The back-end product managers are allowed to work only on the products. They are not allowed to change customer information or order information.
  • E-commerce managers can work on both customer and order information, but they cannot change product information.
  • The system admin can perform all the operations.

Password Storage

Making sure that our passwords are secure and difficult to hack is another primary goal of any security framework. Spring Security’s Password Encoder interface performs a one-way transformation for the password, i.e. we can’t decrypt the password. Spring Security provides several Password Encoder, here is a list:





Spring Security Modules

  • Core: spring-security-core.jar – This is core jar file and is required for every application that wants to use Spring Security. This jar file includes core access-control and core authentication classes and interfaces. We can use it in standalone applications or remote client’s applications.
  • Web: spring-security-web.jar – This jar is useful for Spring Security web authentication and URL-based access control. It includes filters and web-security infrastructure. All the classes and interfaces are located into the org.springframework.security.web package.
  • Config: spring-security-config.jar – This jar file is required for Spring Security configuration using XML and Java both. It includes Java configuration code and security namespace parsing code. All the classes and interfaces are stored in org. springframework.security.config package.

Features of Spring Security

  • Comprehensive
  • Protection against attacks
  • Servlet API integration

Advantages of Spring Security

  • Servlet API integration
  • Extensible support for both Authentication and Authorization
  • Protection against attacks like session fixation, click jacking
  • Spring MVC integration
  • Ability to secure application against brute force attacks
  • Portability
  • Protection against CSRF attacks
  • Java configuration support

To enable basic Spring Security to J2EE applications, the below 3 steps are followed:

  1. Add jar files
  2. Filter declaration to pom.xml
  3. Java configuration by using Security Configuration class

Spring Security’s web infrastructure should only be used by delegating to an instance of FilterChainProxy. The security filters should not be used by themselves. In theory you could mention each Spring Security filter bean that you need in your application context file and add a corresponding DelegatingFilterProxy entry to web.xml for each filter.

  • ChannelProcessingFilter, because it might need to redirect to a different protocol.
  • SecurityContextPersistenceFilter, so a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request. Any changes to the SecurityContext can be copied to the HttpSession when the web request ends (organized for use with the next web request).
  • ConcurrentSessionFilter, since it uses the SecurityContextHolder functionality but requires updating the SessionRegistry to reflect ongoing requests from the principal.
  • RememberMeAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, and the request presents a cookie that enables remember-me services to take place, a fitting remembered Authentication object will be put there.
  • AnonymousAuthenticationFilter, if no initial authentication processing mechanism updated the SecurityContextHolder, an anonymous Authentication object will be placed there.
  • ExceptionTranslationFilter, to grab any Spring Security abnormality so that either an HTTP error retaliation can be returned or an appropriate AuthenticationEntryPoint can be initiated.
  • FilterSecurityInterceptor, to protect web URIs and raise exceptions when access is denied.

Spring Security Architecture

Security & Compliance

Spring Security Integration

Below are some of the popular tools that integrate with Spring Security

  • Spring Boot
  • Spring MVC
  • OpenID Connect
  • ZK
  • FF4J


About the Author –

Dhivya Muthuraj

Dhivya is a security analyst at GAVS. She is experienced in security and infrastructure compliance audit for various clients involving SOC and SOAR implementation.

Back to blogs