Guide to Spring Security

1. Introduction to Spring Security

Spring Security is a powerful and customizable authentication and access-
control framework for Java applications. It is part of the Spring Framework
ecosystem and provides comprehensive security services for Java EE-based
enterprise software applications.

2. Why Use Spring Security?

Security is a critical aspect of any application. Spring Security addresses
common security vulnerabilities and threats such as:
 Authentication: Verifies the identity of users.
 Authorization: Controls access to resources based on user roles and
permissions.
 Protection Against Common Attacks: Prevents cross-site scripting
(XSS), cross-site request forgery (CSRF), session fixation, and more.
 Integration with Standards: Supports OAuth2, OpenID Connect, and
LDAP.
 Flexible and Extensible: Customizable to meet specific security
requirements.

3. Key Features of Spring Security

 Declarative Security: Security configurations can be applied through
annotations or XML configurations.
 Comprehensive Protection: Covers both authentication and
authorization.
 Session Management: Handles session fixation and concurrent session
control.
 Security Context Management: Maintains the security context across
application layers.
 Method-Level Security: Secures individual methods through
annotations like @PreAuthorize and @PostAuthorize.

4. How Spring Security Works (Flow Overview)

1. Authentication:
o Users submit credentials (username/password).
o Spring Security intercepts the request.
o Authentication Manager delegates to Provider Manager.
o Provider Manager uses one or more Authentication Providers
to verify credentials.
o UserDetailsService loads user information from a database or in-
memory store.
 o On success, the Authentication object is stored in the
SecurityContext.
2. Authorization:
o After authentication, the user attempts to access resources.
o Spring Security checks the user's roles and permissions.
o If the user has the required authority, access is granted; otherwise,
access is denied.
3. Filters:
o Spring Security applies filters like
UsernamePasswordAuthenticationFilter to process security logic.
o Filters ensure that unauthorized requests are blocked before
reaching the application.
4. Exception Handling:
o If any authentication/authorization error occurs, Spring Security
redirects the user to an error page.

5. Types of Authentication Providers

 DaoAuthenticationProvider: Uses UserDetailsService to load user data.
 LdapAuthenticationProvider: Authenticates users against an LDAP
server.
 OAuth2AuthenticationProvider: Handles OAuth2 authentication.
 JwtAuthenticationProvider: Authenticates users based on JWT tokens.

6. Major Companies Using Spring Security

 Netflix: Uses Spring Security for microservices authentication and
authorization.
 Alibaba: Relies on Spring Security for securing cloud applications.
 Amazon: Implements Spring Security for managing identity and access
across services.
 LinkedIn: Secures APIs and services using Spring Security.

7. Advantages of Spring Security

 Ease of Integration: Works seamlessly with Spring Boot and other
Spring components.
 Highly Customizable: Can be tailored for simple to complex security
needs.
 Robust Community Support: Extensive documentation and community
contributions.
 Enterprise-Grade Security: Trusted by large organizations for mission-
critical applications.

8. Common Use Cases

 Web Application Security: Protects web endpoints and APIs.
  Microservices Security: Secures communication between microservices.
 OAuth2 and JWT Implementation: Provides easy integration with
modern authentication mechanisms.
 Role-Based Access Control: Enforces access policies based on user
roles.

9. Spring Security Flow Diagram

10. Project
10.1 Project Structure

10.2 Pom.xml
Dependencies installed:-
list of the dependencies and their usage:

1. spring-boot-starter-security

o Provides security features for a Spring Boot application (authentication,

authorization).

2. spring-boot-starter-web

o Adds support for building web applications (RESTful services, etc.) in Spring Boot.

3. spring-boot-devtools

o Enhances the development experience with automatic restarts and live reload
features (used during development only).

4. spring-boot-starter-test

o Provides testing libraries like JUnit, Mockito, and Spring Test for writing tests in
Spring Boot applications.

5. spring-security-test

o Provides support for testing Spring Security configurations in unit and integration
tests.

6. lombok

o A utility library to reduce boilerplate code in Java (e.g., generating getters/setters,

constructors, etc.).

7. spring-boot-starter-data-jpa

o Provides support for JPA (Java Persistence API) to simplify database access and
management with Spring Data.

8. mysql-connector-j

o MySQL JDBC driver for connecting and interacting with MySQL databases.

9. spring-boot-starter-thymeleaf
o Integrates the Thymeleaf template engine with Spring Boot for rendering dynamic
HTML views.

10.thymeleaf-extras-springsecurity6

o Provides Spring Security integration for Thymeleaf templates, enabling features like
security tags and authentication checks in views.

10.3 Config/SecurityConfig

 @Configuration: Marks the class as a configuration class, indicating that it

contains Spring bean definitions (like a Java-based alternative to XML
configuration).
 @EnableWebSecurity: Enables Spring Security's web security features, allowing
you to configure authentication, authorization, and security settings for a web
application.

 @Autowired: This annotation is used for automatic dependency injection in Spring.

It allows Spring to automatically wire the customUserDetailsService bean into the
class.
 customUserDetailsService: A reference to a custom service (likely implementing
UserDetailsService) used for loading user-specific data during authentication. It is
typically used to fetch user information from a database or other source during the
authentication process.

 @Bean: This annotation is used to define a bean in the Spring context. It marks a
method as producing a bean to be managed by the Spring container.
 BCryptPasswordEncoder passwordEncoder(): This method creates and returns
a BCryptPasswordEncoder bean, which is used for encoding passwords using the
BCrypt hashing algorithm. The number 12 represents the strength factor (higher
 values increase computation time, improving security). This encoder is typically
used to hash and verify user passwords.

SecurityFilterChain securityFilterChain(HttpSecurity http): This method defines

the security filter chain for a Spring Security configuration. The HttpSecurity object is
used to customize the security settings (e.g., setting up authentication, authorization,
and configuring which requests are permitted or denied). The SecurityFilterChain bean
ensures that the defined security filters are applied to the application.

1. CSRF Protection:

o csrf(csrf -> csrf.disable()): Disables Cross-Site Request Forgery (CSRF)

protection

2. Authorization Rules:

o authorizeHttpRequests(request -> request):

 requestMatchers("/css/**").permitAll(): Allows unauthenticated

access to static resources (like CSS files).

 requestMatchers("/login", "/register",
"/perform_register").permitAll(): Allows unauthenticated access
to login, register, and registration submission pages.

 anyRequest().authenticated(): Requires authentication for all

other requests.

3. Form Login Configuration:

o formLogin(form -> form):

 loginPage("/login"): Specifies a custom login page URL.

  loginProcessingUrl("/perform_login"): Defines the URL to
handle the login form submission.

 defaultSuccessUrl("/success", true): Redirects the user to

/success on successful login and ensures it's the default page.

 permitAll(): Allows unauthenticated users to access the login

page.

4. Logout Configuration:

o logout(logout -> logout):

 logoutUrl("/perform_logout"): Specifies the logout URL.

 deleteCookies("JSESSIONID"): Deletes the session cookie after

logout to clear session data.

 addLogoutHandler(...): Customizes the logout process by adding

a handler that clears site data (like cached content or cookies).

 logoutSuccessUrl("/login"): Redirects the user to the login page

after logout.

5. HTTP Basic Authentication:

o httpBasic(Customizer.withDefaults()): Enables HTTP Basic

authentication for the application (useful for API-based authentication).

6. Session Management:

o sessionManagement(session -> session):

 sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED):
Configures the session creation policy, where a session is created
only if required. This is often used to avoid unnecessary session
creation, especially in stateless scenarios like REST APIs.

7. .build(): Finally, the SecurityFilterChain is built and returned, applying all the
above security settings to the application.

 authenticationManager(HttpSecurity http): This method customizes the

AuthenticationManager, which is used by Spring Security to authenticate
users. It configures a DaoAuthenticationProvider for authenticating users
with a database.
 DaoAuthenticationProvider authenticationProvider:
 setUserDetailsService(customUserDetailsService): Sets the
UserDetailsService to a custom implementation (customUserDetailsService)
that loads user details from a data source (e.g., a database).

 setPasswordEncoder(passwordEncoder()): Configures the password

encoder (in this case, BCryptPasswordEncoder) for password validation.

 http.getSharedObject(AuthenticationManagerBuilder.class): This
retrieves the AuthenticationManagerBuilder object from the HttpSecurity
object to configure it with the custom authentication provider.
 authenticationProvider(authenticationProvider): Registers the
DaoAuthenticationProvider as the authentication provider for Spring
Security.
 build(): Builds and returns the AuthenticationManager instance that is
configured with the custom authentication provider and password encoder.

10.4 P4-SecurityApplication.java

 @SpringBootApplication: Combines @Configuration, @EnableAutoConfiguration,

and @ComponentScan to set up the application.
 P4SecurityApplication: Main class that starts the Spring Boot application.
 main method: Launches the application by calling SpringApplication.run().
10.5 Entity/Users

 @Entity: Marks the class as a JPA entity, meaning it is mapped to a database table.
 private int id: Represents the primary key of the entity. The field is mapped to a
column in the database table.
 @Id: Marks the id field as the primary key for the entity.
 private String username: Represents a column for the user's username.
 private String password: Represents a column for the user's password.
 Getters,Setters,NoArgCountructors,AllArgCunstructrs,ToStringMthod ara
also included in the code.

10.6 Repo/UsersRepository

 @Repository: Marks the interface as a Spring Data repository for database

interaction.
 UsersRepository extends JpaRepository<Users, Integer>: Provides built-in
CRUD operations for the Users entity with Integer as the primary key.
 findByUsername(String username): A derived query method automatically
implemented by Spring Data JPA to find a user by their username.
 @Query(...): A custom native SQL query to retrieve a user by their username.
10.7 Service/UserService

 @Service: Marks the class as a Spring service, making it a candidate for dependency
injection and indicating it contains business logic.
 @Transactional: Ensures that all methods in the class are executed within a
transaction context, providing atomicity.
 @Autowired: Injects the UsersRepository bean into the service to interact with the
database so that it can use the methods implemented by the Repo file.
 BCryptPasswordEncoder: Used for encoding the user's password before storing it
in the database.
 register(Users user):
 Checks if a user with the same username already exists using
findBytheUsername.
 If the user exists, it returns "User Already Available".
 If not, it encrypts the password and saves the new user to the repository,
returning "User Registered Successfully".
10.8 Servises/CustomUserDetailsService

loadUserByUsername(String username):

 usersRepository.findByUsername(username): This method attempts to find a

user in the repository by their username. It returns an Optional<Users> to
handle the case where the user might not be found.

 userOptional.orElseThrow(() -> new UsernameNotFoundException("User

not found")): If the Optional is empty (meaning no user was found with the
provided username), it throws a UsernameNotFoundException. This is a common
exception used in Spring Security to indicate that the username does not exist in
the database.

 userOptional.get(): If the user is found, it retrieves the Users object from the
Optional.

 User.builder(): This is a Spring Security User object (which implements

UserDetails). The builder pattern is used to construct a User instance with the
following:

o username: Set from the Users entity's username.

o password: Set from the Users entity's password (which should be already
encoded).

o roles("USER"): Here, a fixed role ("USER") is assigned to the user. In a

real-world application, roles would typically be fetched from the database,
but in this case, a default role is used.

 The User object constructed with these details is then returned, which will be
used by Spring Security for authentication and authorization.
  The CustomUserDetailsService class loads user details (username,
password, and roles) from the database using the UsersRepository. It
throws an exception if the user is not found and constructs a
UserDetails object for authentication with Spring Security.

10.9 Controller/UsersController

 @RestController: This annotation combines @Controller and

@ResponseBody, indicating that the class is a web controller that will
return data directly (usually in JSON format) rather than rendering views.
 @PostMapping("/register"): This annotation maps HTTP POST
requests to the /register endpoint. When the client sends a POST request
to /register, this method will be invoked.

 register(@RequestBody Users user):

o Binds the request body (JSON) to the Users object.
o Prints the username and password for debugging.
o Calls userService.register(user) to register the user and returns
the result message.

This controller processes user registration by receiving user data,

delegating registration to the service, and returning a status message.
10.10 Controller/SignUpController

 @Controller: Marks the class as a Spring MVC controller that handles web
requests and returns views (typically HTML).
 @GetMapping("/register"): Maps HTTP GET requests to the /register URL and
invokes the register() method.
 register(): Returns the name of the view ("register") to be rendered, typically a
registration form page.

10.11 Controller/LoginController
 @Controller: Marks the class as a Spring MVC controller that handles
web requests and returns view names.
 @GetMapping("/login"): Maps HTTP GET requests to the /login URL,
returning the "login" view (usually a login form).
 @GetMapping("/success"): Maps HTTP GET requests to the /success
URL, returning the "success" view (usually a success page after login).

11. Conclusion
Spring Security is essential for building secure Java applications. Its flexibility,
wide range of features, and seamless integration with Spring Boot make it the
go-to solution for securing enterprise applications. Understanding and
implementing Spring Security ensures robust protection against common
threats while allowing for scalable and maintainable security configurations.