Spring Security

A critical part of web applications is authentication and authorization. Authentication is the process of establishing a user's identity, verifying that the user is who he/she claims to be. Authorization is checking whether the user is allowed to perform a specific action; it specifies the access a user has. Can the user view a page? Can the user edit a page? Can the user delete a page?

A best practice is to enforce authentication and authorization on every page in the application. User credentials and authorization should be verified before executing any request to a web application.

Spring Security provides a comprehensive security solution for Java EE enterprise applications. While providing great support to Spring-based (and Spring MVC-based) applications, it can be integrated with other frameworks as well.

The following list highlights some of the vast range of authentication mechanisms that Spring Security supports:

  • Form-based authentication: Simple integration for basic applications
  • LDAP: Typically used in enterprise applications
  • Java Authentication and Authorization Service (JAAS): Authentication and authorization standard; part of the Java EE standard specification
  • Container managed authentication
  • Custom authentication systems

Let's consider a simple example to enable Spring Security on a simple web application. We will use an in-memory configuration.

The steps involved are as follows:

  1. Add Spring Security dependency.
  2. Configure the interception of all requests.
  3. Configure Spring Security.
  4. Add the logout functionality.