Spring Security
A critical part of any web application is authentication and authorization. Authentication is the process of establishing a user's identity, that is, verifying that the user is who he or she claims to be. Authorization is the process of checking whether that authenticated user is allowed to perform a specific action. Can the user view a page? Can the user edit a page? Can the user delete a page?
A best practice is to enforce authentication and authorization on every page in the application: user credentials and permissions should be verified before any request to the web application is executed, not only on the pages a developer happens to remember to protect.
Spring Security provides a comprehensive security solution for Java EE enterprise applications. While providing great support to Spring-based (and Spring MVC-based) applications, it can be integrated with other frameworks as well.
The following list highlights some of the vast range of authentication mechanisms that Spring Security supports:
- Form-based authentication: Simple integration for basic applications
- LDAP: Typically used in enterprise applications with a central directory
- Java Authentication and Authorization Service (JAAS): Authentication and authorization standard; part of the Java EE specification
- Container-managed authentication
- Custom authentication systems
Let's consider a simple example that enables Spring Security on a simple web application. We will use an in-memory user configuration.
The steps involved are as follows:
- Add Spring Security dependency.
- Configure the interception of all requests.
- Configure Spring Security.
- Add the logout functionality.
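The configuration below is an added example that carries those four steps through in Java; it is not code from the original text. It assumes Spring Security 6.x on the classpath (step 1 is satisfied by adding the `org.springframework.security:spring-security-web` and `spring-security-config` artifacts, or `spring-boot-starter-security` in a Spring Boot project), a Spring MVC application deployed to a servlet container, and the package name, class names, URL paths, user names and passwords shown are all illustrative values chosen for this example. The two classes belong in two source files, as the comments indicate.

```java
// Added example, not from the original text. Assumes Spring Security 6.x.
// All package, class, user and path names below are illustrative.

// ---- File 1: SecurityWebApplicationInitializer.java ----
// Step 2: intercept every request. Extending this base class registers the
// springSecurityFilterChain filter (a DelegatingFilterProxy) for "/*" at
// startup, so no web.xml entry is needed. Spring Boot does this automatically.
package com.example.security;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityWebApplicationInitializer
        extends AbstractSecurityWebApplicationInitializer {
    // No body needed: the superclass constructor wires the filter chain.
}

// ---- File 2: SecurityConfig.java ----
// Steps 3 and 4: in-memory users, per-request authorization rules,
// form login, and logout.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Passwords are stored as BCrypt hashes even in the in-memory store;
    // they are never kept as plain text.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Step 3a: the in-memory user store. Two constructed demonstration
    // accounts with different roles so the authorization rules below can
    // be exercised. In production this bean would be replaced by an LDAP,
    // JDBC or other UserDetailsService.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails user = User.withUsername("user")
                .password(encoder.encode("user-password"))   // constructed demo value
                .roles("USER")
                .build();
        UserDetails admin = User.withUsername("admin")
                .password(encoder.encode("admin-password")) // constructed demo value
                .roles("USER", "ADMIN")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }

    // Step 3b: authorization rules applied to every request, plus form login.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                // Static resources and the login page are reachable anonymously.
                .requestMatchers("/css/**", "/login").permitAll()
                // Administrative pages additionally require the ADMIN role.
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Everything else requires an authenticated user: the default
                // is deny, so a newly added page is protected automatically.
                .anyRequest().authenticated())
            // Spring Security generates a default login page when none is supplied.
            .formLogin(Customizer.withDefaults())
            // Step 4: logout. CSRF protection is left at its default (enabled),
            // so logout is only accepted as a POST to /logout that carries the
            // CSRF token; the session is invalidated and its cookie removed.
            .logout(logout -> logout
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"));
        return http.build();
    }
}
```

With this in place, every request passes through the filter chain before it reaches a controller, which is the "enforce on every page" practice described above: the `anyRequest().authenticated()` rule means a page that nobody thought to list is denied to anonymous users rather than silently exposed. The in-memory store is adequate for the walkthrough; the `UserDetailsService` bean is the single point to swap for one of the LDAP, JAAS or custom mechanisms listed earlier without touching the request rules.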