Some Important Terms in Spring Security

Last Updated : 3 Nov, 2025

Spring Security is a comprehensive framework that provides authentication, authorization, and protection against common web attacks (such as CSRF and session fixation) for Java-based applications. It integrates with Spring Boot and supports modern standards such as OAuth2, JWT, and passwordless authentication mechanisms.

Spring Security 6.4 adds passkey (WebAuthn) login, one-time token login, further method security improvements, and refinements to how the security filter chain is configured and observed. This article explains the key terms that form the foundation of Spring Security.

Important Terminologies in Spring Security

Some important terminologies in Spring Security are as follows:

  1. Authentication
  2. Authorization
  3. Filter

1. Authentication

Authentication is the process of verifying the identity of a user attempting to access the application. It ensures that only legitimate users can interact with secured resources. When authentication succeeds, Spring Security stores the resulting Authentication object (principal plus granted authorities) in the SecurityContext, reachable through SecurityContextHolder, so that later filters and application code can read who the caller is.

Common Authentication Methods:

  • Form-Based Authentication: A login page (served by Spring Security at /login by default) where users submit a username and password; on success the authenticated user is tied to an HTTP session.
  • HTTP Basic Authentication: The client sends username:password, base64-encoded, in the Authorization header on every request. Base64 is encoding, not encryption, so this is only acceptable over TLS; it is common for REST APIs and service-to-service calls.
  • Custom Authentication: Implemented by supplying a UserDetailsService (how users and their password hashes are loaded) or a full AuthenticationProvider (how credentials are verified) when the default DaoAuthenticationProvider is not sufficient.
  • Passkeys (New in Spring Security 6.4): Passwordless login based on WebAuthn. The user's authenticator proves possession of a private key bound to the site's origin, so there is no shared secret to phish, reuse, or leak from a database.
  • One-Time Token Authentication (New in Spring Security 6.4): The server issues a single-use, short-lived token that is delivered out of band (for example as a login link sent by e-mail); submitting the token authenticates the user without a password.
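The following configuration shows form login and HTTP Basic authentication backed by a UserDetailsService and a password encoder. It is an added example, not code from the original article or from the Spring Security project; the two demo users, their passwords, and the choice of an in-memory store are assumptions made for illustration only.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not from the article). The demo users and their passwords are
// assumptions; a real application loads users from a database or directory.
@Configuration
@EnableWebSecurity
public class AuthenticationConfig {

    // Form login serves browser clients, HTTP Basic serves API clients. Both hand the
    // submitted credentials to the same AuthenticationManager, which consults the
    // UserDetailsService and PasswordEncoder beans declared below.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())   // GET /login renders the page, POST /login processes it
            .httpBasic(Customizer.withDefaults());  // reads "Authorization: Basic <base64>" on each request
        return http.build();
    }

    // Delegating encoder: new hashes are written as {bcrypt}..., and hashes stored in
    // other supported formats are recognised by their {id} prefix. Never store plaintext.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // DaoAuthenticationProvider calls loadUserByUsername() and compares the submitted
    // password against the stored hash with the encoder above.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        var alice = User.withUsername("alice")
            .password(encoder.encode("correct horse battery staple")) // demo credential (assumed)
            .roles("USER")
            .build();
        var admin = User.withUsername("admin")
            .password(encoder.encode("change-me")) // demo credential (assumed)
            .roles("USER", "ADMIN")
            .build();
        return new InMemoryUserDetailsManager(alice, admin);
    }
}
```

Two practical checks: store only hashes that carry the {id} prefix so the delegating encoder can verify them, and terminate TLS in front of any endpoint that accepts HTTP Basic, since the header carries the password in recoverable form on every request.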

2. Authorization

Authorization determines what actions an authenticated user is permitted to perform. Once a user is authenticated, authorization ensures they have the appropriate roles or privileges to access specific resources.

Key Authorization Mechanisms:

  • URL-Based Access Control: Configured with authorizeHttpRequests() and requestMatchers() in the SecurityFilterChain. Rules are evaluated in order and the first match wins, so list specific paths before broad ones and finish with a rule for anyRequest() so that nothing is left unprotected by accident.
  • Method-Level Security: Uses @PreAuthorize, @PostAuthorize, and @Secured (enabled with @EnableMethodSecurity) to enforce access control at the service layer. The SpEL expressions can reference method arguments and the returned object, which URL rules cannot see.
  • Access Control Lists (ACLs): The spring-security-acl module stores per-object permissions (read, write, administer, and so on) for individual users or roles, for cases where a role alone cannot express who may touch which domain object.
  • Simplified OAuth2 Configuration (Updated in Spring Security 6.4): Streamlines logging in through third-party identity providers such as Google, GitHub, and Microsoft. Note that OAuth2 login delegates authentication to the provider; the roles mapped from the provider's response are what drive authorization inside the application.
  • New Method Security Annotations (Updated in Spring Security 6.4): Extends annotation-based configuration for expressing role and policy checks on methods.
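The following configuration combines ordered URL rules with method-level checks on a service. It is an added example, not code from the original article or from the Spring Security project; the paths, the roles, the Invoice record, and the hard-coded lookup in InvoiceService are assumptions standing in for a real application and repository.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

// Added example (not from the article). Paths, roles and the Invoice type are assumptions.
@Configuration
@EnableMethodSecurity   // activates @PreAuthorize / @PostAuthorize on Spring beans
public class AuthorizationConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            // Evaluated top to bottom; the first matching rule decides.
            .requestMatchers("/", "/public/**", "/error").permitAll()
            .requestMatchers(HttpMethod.DELETE, "/api/**").hasRole("ADMIN")  // verb-specific rule first
            .requestMatchers("/admin/**").hasRole("ADMIN")
            .requestMatchers("/api/**").hasAnyRole("USER", "ADMIN")
            .anyRequest().denyAll()   // fail closed: any path not listed above is rejected
        );
        return http.build();
    }
}

// Domain object used by the service below (assumed for the example).
record Invoice(long id, String owner, long amountCents) {}

@Service
class InvoiceService {

    // URL rules cannot know who owns an invoice; the service layer can. The expression is
    // evaluated before the method runs and can read the "owner" argument via #owner.
    @PreAuthorize("hasRole('ADMIN') or #owner == authentication.name")
    public Invoice create(String owner, long amountCents) {
        return new Invoice(1L, owner, amountCents);
    }

    // Evaluated after the method runs, against the returned object, so the ownership
    // check can use data that is only known once the record has been loaded.
    @PostAuthorize("hasRole('ADMIN') or returnObject.owner == authentication.name")
    public Invoice findById(long id) {
        return new Invoice(id, "alice", 4200L); // stand-in for a repository lookup (assumed)
    }
}
```

Two caveats: referencing arguments by name (#owner) requires parameter names to be retained in the compiled classes (the javac -parameters flag, which Spring Boot's build plugins enable), and a @PostAuthorize failure happens after the method has already executed, so it must not guard methods with side effects such as updates or deletes.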

3. Filter

Filters are the backbone of Spring Security's architecture. Spring Security registers a single servlet filter (a DelegatingFilterProxy pointing at a FilterChainProxy) that dispatches each request to a SecurityFilterChain, an ordered list of security filters that run before the request reaches the application's controller. Order matters: CSRF checking runs before the authentication filters, and the AuthorizationFilter runs near the end, so a request reaches the controller only if every filter in the chain lets it through.

Common Spring Security Filters:

  • Authentication Filters: UsernamePasswordAuthenticationFilter (form login) and BasicAuthenticationFilter (HTTP Basic) extract credentials from the request, pass them to the AuthenticationManager, and on success populate the SecurityContext.
  • AuthorizationFilter: Runs near the end of the chain and applies the authorizeHttpRequests() rules to the authenticated user before the request is handed to the controller.
  • CsrfFilter: Requires a valid CSRF token on state-changing requests (POST, PUT, PATCH, DELETE) and rejects requests that lack one, protecting browser sessions against Cross-Site Request Forgery.
  • SessionManagementFilter: Applies the session policy, including issuing a new session ID on login (session fixation protection), concurrent-session limits, and invalid-session handling.
  • Refreshable SAML 2.0 Asserting Parties (New in Spring Security 6.4): Not a filter itself but a change to the SAML 2.0 support: relying-party registrations can re-fetch identity-provider metadata, so a certificate rotation on the identity-provider side no longer requires a redeploy.
  • Security Observation for Filter Chain (New in Spring Security 6.4): Refines the observability hooks around the filter chain so that the time spent in each security filter can be traced and monitored.
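The following configuration inserts a custom filter into the chain and tunes the CSRF and session-management filters. It is an added example, not code from the original article or from the Spring Security project; the /internal/** path, the X-Internal-Token header, and the app.internal-token property are assumptions chosen only to show where a custom filter sits and how it stops a request.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example (not from the article). Path, header name and property are assumptions.
// Requires a shared secret on requests to /internal/** and stops the chain otherwise.
class InternalTokenFilter extends OncePerRequestFilter {
    private final byte[] expected;

    InternalTokenFilter(String sharedSecret) {
        this.expected = sharedSecret.getBytes(StandardCharsets.UTF_8);
    }

    // Only /internal/** is subject to this check; everything else passes straight through.
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return !request.getRequestURI().startsWith("/internal/");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String presented = request.getHeader("X-Internal-Token");
        byte[] got = presented == null ? new byte[0] : presented.getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so a wrong token does not leak how many bytes matched.
        if (!MessageDigest.isEqual(expected, got)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // not calling chain.doFilter() ends the request here; no controller runs
        }
        chain.doFilter(request, response);
    }
}

@Configuration
public class FilterChainConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    @Value("${app.internal-token}") String internalToken) throws Exception {
        http
            // Place the custom filter ahead of form-login processing. It is constructed here
            // rather than declared as a bean so Spring Boot does not also register it as a
            // plain servlet filter and run it twice.
            .addFilterBefore(new InternalTokenFilter(internalToken), UsernamePasswordAuthenticationFilter.class)
            // CSRF stays on for browser clients; /internal/** is machine-to-machine and token-checked.
            .csrf(csrf -> csrf.ignoringRequestMatchers("/internal/**"))
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.newSession()) // fresh session ID after login
                .maximumSessions(1))                                 // one concurrent session per user
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

The filter forwards the request only by calling chain.doFilter(); returning without that call is how any Spring Security filter, built-in or custom, rejects a request before the controller sees it. Exempting a path from CSRF is safe only when, as here, that path is not authenticated by a browser-managed cookie or session.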