Spring Security is not just for security practitioners. No Java developer's skill set is complete without a comprehensive understanding of the Spring Security architecture's capabilities and implementation.
In his book Spring Security in Action, author and development consultant Laurentiu Spilca presents an accessible reference on the authentication and access control framework to help developers build more resilient applications.
The problem, Spilca said, is that "developers don't know what they don't know." Thus, the same implementation mistakes keep happening, and the same vulnerabilities are being discovered -- or exploited -- as a result.
"That's the reason why I wrote this book: to give the developers the knowledge they need to properly apply the framework," he said.
The following excerpt from Chapter 1 of Spring Security in Action published by Manning Publications serves as a roadmap to the what, why and how of Spring Security.
If you go to the official website, https://spring.io/projects/spring-security, they describe Spring Security as a powerful and highly customizable framework for authentication and access control. I'd say it's a framework that enormously simplifies baking security for Spring applications.
Spring Security is the primary choice for implementing application-level security in Spring applications. Generally, its purpose is to offer you a highly customizable way of implementing authentication, authorization, and protection against common attacks. Spring Security is open-source software released under the Apache 2.0 license. You can access the source code of the project on GitHub at https://github.com/spring-projects/spring-security/, and I highly recommend that you contribute to the project as well.
You can use Spring Security for both standard web servlets as well as reactive applications. To use it, you need at least Java 8, although the examples in this book use Java 11, which is the latest long term supported version.
I can guess that if you opened this book, you work on Spring applications, and you're interested in securing them. Spring Security is probably the best choice for your cases. It became the de-facto choice in implementing the application-level security for Spring applications. Spring Security, however, doesn't automatically secure your application. It's not a kind of magic that guarantees a vulnerability-free app. Developers need to understand how to configure and customize Spring Security around the needs of the application. How to do this depends on many factors, from the functional requirements to the architecture.
Technically applying security with Spring Security in Spring applications is simple. You already implement Spring applications so you know that the framework's philosophy starts with the management of the Spring context. You define beans in the Spring context to allow the framework to manage them based on configurations you specify. And let me refer only to using annotations to make these configurations and leave behind the old-fashioned XML configuration style!
You can use annotations to instruct Spring what to do: expose endpoints, wrap methods in transactions, intercept methods in aspects, and so on. Also, you'd like to apply security configurations. This is where Spring Security comes into action. What you want is to use annotations, beans, and in general Spring-fashioned configuration style to define your application-level security. If you think of a Spring application, the behavior that you need to protect is defined by methods.
To think about application-level security, you can consider your home and the way you allow access to it. Do you place the key under the entrance rug? Do you even have a key for your front door? The same concept applies to applications, and Spring Security helps you develop this functionality. It's a puzzle that offers plenty of choices for building the exact image that describes your system. You can choose to leave it completely unsecured. Or you can decide not to allow everyone to enter your home.
The way you configure security could be simple, such as hiding your key under the rug, or it could be more complicated, such as choosing a variety of alarm systems, video cameras, and locks. In your applications, you have the option of doing the same. But as in real life, the more complexity you add, the more expensive it gets. In an application, this cost refers to the way security affects maintainability and performance.
But how do you use Spring Security with Spring applications? Generally, at the application level, one of the most encountered use cases refers to deciding whether an entity is allowed to perform an action or use a piece of data. Based on configurations you write, Spring Security components intercept the requests and make sure that who makes the requests has the permissions to access specific resources. The developer has to configure them in a way that they do precisely what's desired. If you mount an alarm system, it's you who should make sure it's also set up for the windows as well as for the doors. If you forget to set it up for the windows, it's not a fault of the alarm system that it didn't trigger when someone forced a window.
Other responsibilities that these components have also relate to the storing of data as well as transiting data between different parts of the systems. By intercepting the calls to these different parts, the components can act on the data. When the data is stored, these may apply encryption or hashing algorithms. The data encodings keep the data accessible only to privileged entities. In the Spring application, the developer has to add and configure a component to do this part of the job wherever it's needed. Spring Security provides a contract through which we know what the framework requires to be implemented, and we write the implementation according to the design of the application. We can say the same thing about transiting data.
Cases exist in which two components, communicating one with the other, can't trust themselves. How could the first know that the second one sent a specific message, and it wasn't someone else? Imagine you have a phone call with somebody to whom you have to give private information. How do you make sure that on the other side is indeed a valid individual with the right to get that data and not somebody else? For your application, this situation applies as well. Spring Security helps again with components and contracts that allow you to solve this in several ways. You have to know the part to configure and set it up in your system. This way, Spring Security intercepts the messages and makes sure to validate the communication before the application uses any kind of data sent or received.
As any part of a framework, one of its primary purposes is to allow you to write less code to implement the desired functionality. And this is also what Spring Security does. It completes Spring as a framework with helping us write less code to perform one of the most critical aspects of an application -- security. Spring Security provides predefined functionality to help you avoid writing boilerplate code or repeatedly writing the same logic from application to application. But it, as well, allows you to configure any of its components, providing great flexibility.
Short recap on this discussion:
- You use Spring Security to bake application-level security in your applications in the "Spring way". By this I mean, you'll use annotations, beans, Spring Expression Language (SpEL), and so on.
- Spring Security is a framework that allows you to build application-level security, not only a dependency you add such that your applications become magically secured.
- You have to know where, what and why to apply from Spring Security so protected your Spring applications. You'll learn all you need related to this aspect in this book.
- Spring Security is the leading choice for securing Spring applications. It offers a significant number of alternatives that apply to different styles and architectures.
- You should apply security in layers for your system, and for each layer, you should use different practices.
- Spring Security is a project related to application-level security.
- Security is a cross-cutting concern, and you should consider it from the beginning of a software project.
- Usually, the cost of an attack is higher than the investment in avoiding vulnerabilities.
- The Open Web Application Security Project (OWASP) is an excellent place to start, then always refer to that when it comes to vulnerabilities and security concerns.
- Sometimes the smallest mistakes can cause significant harm. For example, exposing sensitive data through logs or error messages is a common way to introduce vulnerabilities in your application.
About the author
Laurentiu Spilca is a dedicated development lead and trainer at Endava, where he directs financial market project development in Nordic European countries. In his work as a development consultant, he collaborates with automation testing teams to develop frameworks for web applications using Spring, Hibernate, Selenium, Gauge and JAXB technologies. He has over 10 years of experience as a Java developer and technology educator.