Guide to Spring Security

1. Introduction to Spring Security

Spring Security is a powerful and customizable authentication and access-control framework for Java
applications. It is part of the Spring Framework ecosystem and provides comprehensive security services
for Java EE-based enterprise software applications.
2. Why Use Spring Security?
Security is a critical aspect of any application. Spring Security addresses common security vulnerabilities
and threats such as:
• Authentication: Verifies the identity of users.
• Authorization: Controls access to resources based on user roles and permissions.
• Protection Against Common Attacks: Prevents cross-site scripting (XSS), cross-site request
forgery (CSRF), session fixation, and more.
• Integration with Standards: Supports OAuth2, OpenID Connect, and LDAP.
• Flexible and Extensible: Customizable to meet specific security requirements.

3. Key Features of Spring Security

• Declarative Security: Security configurations can be applied through annotations or XML
configurations.
• Comprehensive Protection: Covers both authentication and authorization.
• Session Management: Handles session fixation and concurrent session control.
• Security Context Management: Maintains the security context across application layers.
• Method-Level Security: Secures individual methods through annotations like @PreAuthorize
and @PostAuthorize.
4. How Spring Security Works (Flow Overview)
1. Authentication:
o Users submit credentials (username/password).
o Spring Security intercepts the request.
o Authentication Manager delegates to Provider Manager.
o Provider Manager uses one or more Authentication Providers to verify credentials.
o UserDetailsService loads user information from a database or in-memory store.
o On success, the Authentication object is stored in the SecurityContext.
2. Authorization:
o After authentication, the user attempts to access resources.
o Spring Security checks the user's roles and permissions.
o If the user has the required authority, access is granted; otherwise, access is denied.
3. Filters:
o Spring Security applies filters like UsernamePasswordAuthenticationFilter to process
security logic.
 o Filters ensure that unauthorized requests are blocked before reaching the application.
4. Exception Handling:
o If any authentication/authorization error occurs, Spring Security redirects the user to an
error page.
5. Types of Authentication Providers
• DaoAuthenticationProvider: Uses UserDetailsService to load user data.
• LdapAuthenticationProvider: Authenticates users against an LDAP server.
• OAuth2AuthenticationProvider: Handles OAuth2 authentication.
• JwtAuthenticationProvider: Authenticates users based on JWT tokens.

6. Major Companies Using Spring Security

• Netflix: Uses Spring Security for microservices authentication and authorization.
• Alibaba: Relies on Spring Security for securing cloud applications.
• Amazon: Implements Spring Security for managing identity and access across services.
• LinkedIn: Secures APIs and services using Spring Security.
7. Advantages of Spring Security
• Ease of Integration: Works seamlessly with Spring Boot and other Spring components.
• Highly Customizable: Can be tailored for simple to complex security needs.
• Robust Community Support: Extensive documentation and community contributions.
• Enterprise-Grade Security: Trusted by large organizations for mission-critical applications.

8. Common Use Cases

• Web Application Security: Protects web endpoints and APIs.
• Microservices Security: Secures communication between microservices.
• OAuth2 and JWT Implementation: Provides easy integration with modern authentication
mechanisms.
• Role-Based Access Control: Enforces access policies based on user roles.
9. Spring Security Flow Diagram
10. Project
10.1 Project Structure

10.2 Pom.xml
Dependencies installed:-

list of the dependencies and their usage:

1. spring-boot-starter-security

o Provides security features for a Spring Boot application (authentication, authorization).

2. spring-boot-starter-web

o Adds support for building web applications (RESTful services, etc.) in Spring Boot.

3. spring-boot-devtools

o Enhances the development experience with automatic restarts and live reload features (used during development
only).

4. spring-boot-starter-test

o Provides testing libraries like JUnit, Mockito, and Spring Test for writing tests in Spring Boot applications.

5. spring-security-test

o Provides support for testing Spring Security configurations in unit and integration tests.

6. lombok

o A utility library to reduce boilerplate code in Java (e.g., generating getters/setters, constructors, etc.).

7. spring-boot-starter-data-jpa

o Provides support for JPA (Java Persistence API) to simplify database access and management with Spring Data.

8. mysql-connector-j

o MySQL JDBC driver for connecting and interacting with MySQL databases.

9. spring-boot-starter-thymeleaf

o Integrates the Thymeleaf template engine with Spring Boot for rendering dynamic HTML views.

10. thymeleaf-extras-springsecurity6

o Provides Spring Security integration for Thymeleaf templates, enabling features like security tags and
authentication checks in views.

10.3 Config/SecurityConfig

• @Configuration: Marks the class as a configuration class, indicating that it contains Spring bean definitions
(like a Java-based alternative to XML configuration).
• @EnableWebSecurity: Enables Spring Security's web security features, allowing you to configure
authentication, authorization, and security settings for a web application.
• @Autowired: This annotation is used for automatic dependency injection in Spring. It allows Spring to
automatically wire the customUserDetailsService bean into the class.
• customUserDetailsService: A reference to a custom service (likely implementing UserDetailsService) used for
loading user-specific data during authentication. It is typically used to fetch user information from a database or
other source during the authentication process.

• @Bean: This annotation is used to define a bean in the Spring context. It marks a method as producing a bean
to be managed by the Spring container.
• BCryptPasswordEncoder passwordEncoder(): This method creates and returns a
BCryptPasswordEncoder bean, which is used for encoding passwords using the BCrypt hashing algorithm.
The number 12 represents the strength factor (higher values increase computation time, improving security).
This encoder is typically used to hash and verify user passwords.

SecurityFilterChain securityFilterChain(HttpSecurity http): This method defines the security filter chain for a
Spring Security configuration. The HttpSecurity object is used to customize the security settings (e.g., setting up
authentication, authorization, and configuring which requests are permitted or denied). The SecurityFilterChain bean
ensures that the defined security filters are applied to the application.
1. CSRF Protection:

o csrf(csrf -> csrf.disable()): Disables Cross-Site Request Forgery (CSRF) protection

2. Authorization Rules:

o authorizeHttpRequests(request -> request):

▪ requestMatchers("/css/**").permitAll(): Allows unauthenticated access to static

resources (like CSS files).

▪ requestMatchers("/login", "/register", "/perform_register").permitAll(): Allows

unauthenticated access to login, register, and registration submission pages.

▪ anyRequest().authenticated(): Requires authentication for all other requests.

3. Form Login Configuration:

o formLogin(form -> form):

▪ loginPage("/login"): Specifies a custom login page URL.

▪ loginProcessingUrl("/perform_login"): Defines the URL to handle the login form

submission.

▪ defaultSuccessUrl("/success", true): Redirects the user to /success on successful

login and ensures it's the default page.

▪ permitAll(): Allows unauthenticated users to access the login page.

4. Logout Configuration:

o logout(logout -> logout):

▪ logoutUrl("/perform_logout"): Specifies the logout URL.

▪ deleteCookies("JSESSIONID"): Deletes the session cookie after logout to clear

session data.

▪ addLogoutHandler(...): Customizes the logout process by adding a handler that clears

site data (like cached content or cookies).

▪ logoutSuccessUrl("/login"): Redirects the user to the login page after logout.

5. HTTP Basic Authentication:

o httpBasic(Customizer.withDefaults()): Enables HTTP Basic authentication for the application

(useful for API-based authentication).

6. Session Management:

o sessionManagement(session -> session):

▪ sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED): Configures the

session creation policy, where a session is created only if required. This is often used to
avoid unnecessary session creation, especially in stateless scenarios like REST APIs.

7. .build(): Finally, the SecurityFilterChain is built and returned, applying all the above security settings to the
application.
• authenticationManager(HttpSecurity http): This method customizes the AuthenticationManager,
which is used by Spring Security to authenticate users. It configures a DaoAuthenticationProvider for
authenticating users with a database.
• DaoAuthenticationProvider authenticationProvider:

• setUserDetailsService(customUserDetailsService): Sets the UserDetailsService to a custom

implementation (customUserDetailsService) that loads user details from a data source (e.g., a
database).

• setPasswordEncoder(passwordEncoder()): Configures the password encoder (in this case,

BCryptPasswordEncoder) for password validation.

• http.getSharedObject(AuthenticationManagerBuilder.class): This retrieves the

AuthenticationManagerBuilder object from the HttpSecurity object to configure it with the custom
authentication provider.
• authenticationProvider(authenticationProvider): Registers the DaoAuthenticationProvider as the
authentication provider for Spring Security.
• build(): Builds and returns the AuthenticationManager instance that is configured with the custom
authentication provider and password encoder.

10.4 P4-SecurityApplication.java

• @SpringBootApplication: Combines @Configuration, @EnableAutoConfiguration, and @ComponentScan

to set up the application.
 • P4SecurityApplication: Main class that starts the Spring Boot application.
• main method: Launches the application by calling SpringApplication.run().

10.5 Entity/Users

• @Entity: Marks the class as a JPA entity, meaning it is mapped to a database table.
• private int id: Represents the primary key of the entity. The field is mapped to a column in the database table.
• @Id: Marks the id field as the primary key for the entity.
• private String username: Represents a column for the user's username.
• private String password: Represents a column for the user's password.
• Getters,Setters,NoArgCountructors,AllArgCunstructrs,ToStringMthod ara also included in the code.

10.6 Repo/UsersRepository

• @Repository: Marks the interface as a Spring Data repository for database interaction.
• UsersRepository extends JpaRepository<Users, Integer>: Provides built-in CRUD operations for the Users
entity with Integer as the primary key.
• findByUsername(String username): A derived query method automatically implemented by Spring Data JPA
to find a user by their username.
• @Query(...): A custom native SQL query to retrieve a user by their username.
10.7 Service/UserService

• @Service: Marks the class as a Spring service, making it a candidate for dependency injection and indicating it
contains business logic.
• @Transactional: Ensures that all methods in the class are executed within a transaction context, providing
atomicity.
• @Autowired: Injects the UsersRepository bean into the service to interact with the database so that it can use
the methods implemented by the Repo file.
• BCryptPasswordEncoder: Used for encoding the user's password before storing it in the database.
• register(Users user):
• Checks if a user with the same username already exists using findBytheUsername.
• If the user exists, it returns "User Already Available".
• If not, it encrypts the password and saves the new user to the repository, returning "User Registered
Successfully".
10.8 Servises/CustomUserDetailsService

loadUserByUsername(String username):

• usersRepository.findByUsername(username): This method attempts to find a user in the repository by

their username. It returns an Optional<Users> to handle the case where the user might not be found.

• userOptional.orElseThrow(() -> new UsernameNotFoundException("User not found")): If the

Optional is empty (meaning no user was found with the provided username), it throws a
UsernameNotFoundException. This is a common exception used in Spring Security to indicate that the
username does not exist in the database.

• userOptional.get(): If the user is found, it retrieves the Users object from the Optional.

• User.builder(): This is a Spring Security User object (which implements UserDetails). The builder pattern
is used to construct a User instance with the following:

o username: Set from the Users entity's username.

o password: Set from the Users entity's password (which should be already encoded).

o roles("USER"): Here, a fixed role ("USER") is assigned to the user. In a real-world application,
roles would typically be fetched from the database, but in this case, a default role is used.

• The User object constructed with these details is then returned, which will be used by Spring Security for
authentication and authorization.

• The CustomUserDetailsService class loads user details (username, password, and roles) from
the database using the UsersRepository. It throws an exception if the user is not found and
constructs a UserDetails object for authentication with Spring Security.
10.9 Controller/UsersController

• @RestController: This annotation combines @Controller and @ResponseBody, indicating that

the class is a web controller that will return data directly (usually in JSON format) rather than
rendering views.
• @PostMapping("/register"): This annotation maps HTTP POST requests to the /register
endpoint. When the client sends a POST request to /register, this method will be invoked.

• register(@RequestBody Users user):

o Binds the request body (JSON) to the Users object.
o Prints the username and password for debugging.
o Calls userService.register(user) to register the user and returns the result message.

This controller processes user registration by receiving user data, delegating registration to the
service, and returning a status message.
10.10 Controller/SignUpController

• @Controller: Marks the class as a Spring MVC controller that handles web requests and returns views
(typically HTML).
• @GetMapping("/register"): Maps HTTP GET requests to the /register URL and invokes the register()
method.
• register(): Returns the name of the view ("register") to be rendered, typically a registration form page.

10.11 Controller/LoginController
• @Controller: Marks the class as a Spring MVC controller that handles web requests and
returns view names.
• @GetMapping("/login"): Maps HTTP GET requests to the /login URL, returning the
"login" view (usually a login form).
• @GetMapping("/success"): Maps HTTP GET requests to the /success URL, returning the
"success" view (usually a success page after login).

11. Conclusion
Spring Security is essential for building secure Java applications. Its flexibility, wide range of features, and
seamless integration with Spring Boot make it the go-to solution for securing enterprise applications.
Understanding and implementing Spring Security ensures robust protection against common threats
while allowing for scalable and maintainable security configurations.