# Spring Security — Comprehensive Authentication & Authorization for Java

> Spring Security is the standard security framework for Spring-based applications, providing authentication, authorization, OAuth2, SAML, and protection against common web attacks.

## Install

Add the Spring Boot starter to your build (Maven coordinates shown):

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```

## Quick Use

```java
// Basic security config (Spring Boot 3+ / Spring Security 6)
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Rules are evaluated in order and the first matching rule wins, so the
            // narrow public paths must come before the catch-all anyRequest().
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

## Introduction

Spring Security is the de facto security framework for Java applications built on the Spring ecosystem. It provides a highly customizable authentication and access-control framework that integrates with Spring Boot, Spring MVC, and Spring WebFlux, covering everything from form-based login to OAuth2 resource servers and SAML 2.0 federation.

## What Spring Security Does

- Authenticates users via form login, HTTP Basic, OAuth2/OpenID Connect, SAML 2.0, LDAP, or custom AuthenticationProviders
- Authorizes access at the URL level, at the method level (@PreAuthorize and related annotations), and at the domain-object level (ACLs), using request matchers and SpEL expressions
- Protects against CSRF (enabled by default for state-changing requests), session fixation (the session ID is rotated on login), and clickjacking (X-Frame-Options: DENY, alongside other default headers such as X-Content-Type-Options, Cache-Control, and HSTS on HTTPS requests)
- Integrates with OAuth2 as both client and resource server for API security
- Supports reactive security for Spring WebFlux non-blocking applications

## Architecture Overview

Spring Security operates through a chain of servlet filters (WebFilters for reactive applications). A DelegatingFilterProxy registered with the container hands each request to the FilterChainProxy, which picks the first SecurityFilterChain whose request matcher applies and runs that chain's filters in order. An authentication filter such as UsernamePasswordAuthenticationFilter turns the submitted credentials into an unauthenticated Authentication token and passes it to an AuthenticationManager (by default a ProviderManager), which tries each registered AuthenticationProvider in turn.

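The pipeline just described, written out as an added example for this page (it is not code from the Spring Security project or from the original page): a custom AuthenticationProvider behind a ProviderManager, an AuthorizationManager rule on a URL pattern, and a read of the SecurityContextHolder. It assumes Spring Boot 3.x with Spring Security 6.x; the users `alice` and `bob`, their passwords, the `/admin/**` path, and the class names are constructed for illustration.

```java
import java.util.Map;
import java.util.function.Supplier;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

@Configuration
@EnableWebSecurity
public class PipelineSecurityConfig {

    /**
     * Custom AuthenticationProvider over a constructed in-memory user table (hypothetical data).
     * The form-login filter builds an unauthenticated UsernamePasswordAuthenticationToken and
     * hands it to the AuthenticationManager, which routes it to this provider.
     */
    static final class StaticUserProvider implements AuthenticationProvider {
        private final PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        private final Map<String, String> hashes; // username -> "{bcrypt}..." hash
        private final Map<String, String> roles = Map.of("alice", "ROLE_ADMIN", "bob", "ROLE_USER");
        private final String unknownUserHash;     // compared against when the user does not exist

        StaticUserProvider() {
            hashes = Map.of("alice", encoder.encode("alice-pw"), "bob", encoder.encode("bob-pw"));
            unknownUserHash = encoder.encode("not-a-real-password");
        }

        @Override
        public Authentication authenticate(Authentication request) throws AuthenticationException {
            String user = request.getName();
            String presented = String.valueOf(request.getCredentials());
            // Run the hash comparison even for unknown users so response time does not reveal
            // which usernames exist (DaoAuthenticationProvider does the same internally).
            boolean matches = encoder.matches(presented, hashes.getOrDefault(user, unknownUserHash));
            if (!matches || !hashes.containsKey(user)) {
                throw new BadCredentialsException("Bad credentials");
            }
            // Credentials are dropped (null) from the returned token; the authorities drive authorization.
            return UsernamePasswordAuthenticationToken.authenticated(
                    user, null, AuthorityUtils.createAuthorityList(roles.get(user)));
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    // ProviderManager is the stock AuthenticationManager: it asks each provider whose
    // supports() accepts the token type and stops at the first one that returns a result.
    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(new StaticUserProvider());
    }

    // Request-phase AuthorizationManager: grant /admin/** only to ROLE_ADMIN.
    static AuthorizationManager<RequestAuthorizationContext> adminOnly() {
        return (Supplier<Authentication> auth, RequestAuthorizationContext ctx) -> {
            Authentication a = auth.get();
            boolean granted = a != null && a.isAuthenticated()
                    && a.getAuthorities().stream().anyMatch(g -> "ROLE_ADMIN".equals(g.getAuthority()));
            return new AuthorizationDecision(granted);
        };
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager manager) throws Exception {
        http
            .authenticationManager(manager)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").access(adminOnly())
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // Once the filters have run, any code on the request thread can read the principal like this.
    static String currentUser() {
        Authentication a = SecurityContextHolder.getContext().getAuthentication();
        return a == null ? "anonymous" : a.getName();
    }
}
```

Declaring your own AuthenticationManager bean makes Spring Boot's auto-configured in-memory user (and its generated password) back off, so this configuration is the only source of users. The `currentUser()` helper works only on the thread that ran the filter chain; code dispatched to other threads sees an empty context unless the SecurityContext is propagated explicitly.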
Successful authentication produces a SecurityContext held in the SecurityContextHolder (a ThreadLocal by default), which makes the authenticated principal available to any code running on the request thread. Two consequences matter in practice: the context is not propagated to other threads unless you switch the holder to MODE_INHERITABLETHREADLOCAL or wrap tasks in a DelegatingSecurityContextExecutor, and between requests it is persisted by a SecurityContextRepository (the HTTP session for form login; none for stateless bearer-token chains). Authorization decisions go through the AuthorizationManager API (introduced in 5.6 and the default in 6.x), which backs both the URL rules in authorizeHttpRequests and the SpEL expressions in method-security annotations; the older AccessDecisionManager and voter interfaces are deprecated.

## Setup & Configuration

- Add spring-boot-starter-security to your Spring Boot project. With no further configuration Boot secures every endpoint with form login and HTTP Basic for a single user named `user`, whose random password is printed in the startup log; this default is for development only.
- Customize the SecurityFilterChain bean to define URL patterns and access rules; declaring your own chain replaces the default one.
- Configure a user store via in-memory, JDBC, LDAP, or a custom UserDetailsService implementation, paired with a PasswordEncoder (never store plaintext; the DelegatingPasswordEncoder stores the algorithm id with each hash so you can migrate later).
- Set up OAuth2 login by adding spring-boot-starter-oauth2-client and client registration properties under spring.security.oauth2.client.registration in application.yml.
- Enable method-level security with @EnableMethodSecurity (the successor to @EnableGlobalMethodSecurity) and annotate beans with @PreAuthorize; the checks run in an AOP proxy, so a method calling another annotated method on the same bean bypasses them.

## Key Features

- Auto-configuration in Spring Boot with secure defaults and minimal boilerplate
- Comprehensive OAuth2 support covering the authorization code (with PKCE), client credentials, and refresh token flows, as both client and resource server (issuing tokens is the job of the separate Spring Authorization Server project)
- Method-level security annotations for declarative access control on service methods
- Password encoding with BCrypt, SCrypt, Argon2, and a DelegatingPasswordEncoder that lets you migrate hash algorithms without re-hashing every user at once
- Built-in CSRF protection (on by default), a CORS configuration hook that runs before authentication, and session management covering fixation protection and concurrent-session limits

## Comparison with Similar Tools

- **Apache Shiro** — simpler Java security framework with less Spring integration and fewer OAuth2 features
- **Keycloak** — standalone identity provider; Spring Security acts as the framework-level integration layer in the application
- **Auth0/Okta** — managed identity services; Spring Security is a local framework that can integrate with these providers as OAuth2/OIDC clients or resource servers
- **Jakarta Security (EE)** — standard Java EE security API; Spring Security offers richer features and a larger ecosystem
- **Passport.js** — Node.js authentication middleware; Spring Security covers the equivalent for the Java ecosystem

## FAQ

**Q: Does Spring Security work with Spring WebFlux?**

A: Yes.
Spring Security provides a reactive security module that integrates with WebFlux using WebFilter instead of servlet filters: you enable it with @EnableWebFluxSecurity, declare a SecurityWebFilterChain bean built from ServerHttpSecurity, and read the principal through ReactiveSecurityContextHolder, which keeps the context in the Reactor subscriber context rather than in a ThreadLocal.

**Q: How do I implement JWT-based authentication?**

A: Configure Spring Security as an OAuth2 resource server with spring-boot-starter-oauth2-resource-server and set spring.security.oauth2.resourceserver.jwt.issuer-uri (or jwk-set-uri). The auto-configured JwtDecoder verifies the signature against the issuer's JWKS, checks exp and nbf, and checks iss. It does not check the aud claim by default, so add a JwtClaimValidator for your API's audience, otherwise a token minted for another API at the same issuer is accepted. A custom filter with a JWT library is also possible, but you then own signature, expiry, issuer, and key-rotation handling yourself.

**Q: Can I use multiple authentication providers?**

A: Yes. The ProviderManager holds a list of AuthenticationProviders and tries each one whose supports() accepts the token type until one returns an authenticated result, so you can combine LDAP, database, and OAuth2 authentication in one application.

**Q: Is Spring Security tied to Spring Boot?**

A: No. It works with any Spring application, but Spring Boot auto-configuration simplifies setup significantly.

## Sources

- https://github.com/spring-projects/spring-security
- https://docs.spring.io/spring-security/reference/

---

Source: https://tokrepo.com/en/workflows/asset-d4478ae8
Author: AI Open Source
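A single configuration that carries the setup steps from "Setup & Configuration" (user store, DelegatingPasswordEncoder, method security) together with the JWT resource-server answer above, as an added example written for this page and not code from the Spring Security project or the original page. It assumes Spring Boot 3.x with Spring Security 6.x, both spring-boot-starter-security and spring-boot-starter-oauth2-resource-server on the classpath, and the property spring.security.oauth2.resourceserver.jwt.issuer-uri pointing at your identity provider. The users, their passwords, the audience value `my-api`, the `/api/**` layout, the `SCOPE_admin` scope, and the class names are constructed for illustration.

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // enables @PreAuthorize on Spring beans
public class AppSecurityConfig {

    private static final String AUDIENCE = "my-api"; // hypothetical value expected in the "aud" claim

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Stores "{bcrypt}$2a$..." so the algorithm can later be rotated (e.g. to {argon2}).
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public UserDetailsService users(PasswordEncoder encoder) {
        // Constructed sample users; use JdbcUserDetailsManager or your own UserDetailsService in production.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("ADMIN").build(),
            User.withUsername("bob").password(encoder.encode("bob-pw")).roles("USER").build());
    }

    @Bean
    public JwtDecoder jwtDecoder(
            @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuer) {
        // Fetches the issuer's OpenID configuration and JWKS at startup.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer);
        // The defaults check signature, exp/nbf and iss only; "aud" is not validated unless
        // added, so a token minted for a sibling API at the same issuer would otherwise pass.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                "aud", aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuer), audience));
        return decoder;
    }

    // Chain 1 is consulted first: stateless bearer-token API under /api/**.
    @Bean @Order(1)
    public SecurityFilterChain apiChain(HttpSecurity http, JwtDecoder decoder) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/admin/**").hasAuthority("SCOPE_admin") // scopes become SCOPE_* authorities
                .anyRequest().authenticated())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable()) // no session cookie is used here, so CSRF does not apply
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(decoder)));
        return http.build();
    }

    // Chain 2: everything else is a browser session with form login; CSRF stays on.
    @Bean @Order(2)
    public SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

// Method-level rule, enforced on the proxy whichever chain admitted the request.
@Service
class ReportService {
    @PreAuthorize("hasRole('ADMIN') or hasAuthority('SCOPE_admin')")
    public String monthlyReport() {
        return "monthly report";
    }
}
```

The explicit @Order matters: the FilterChainProxy uses the first chain whose matcher applies, and Spring Security refuses to start if a catch-all chain is registered ahead of a more specific one. Declaring the JwtDecoder bean replaces the one Boot would build from issuer-uri, which is what lets the audience validator be attached; the form-login chain keeps CSRF and session fixation protection at their defaults because it is the one that uses cookies.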