Spring Security Explained

Spring Security
Developer:4
Latest Release Version:6.3.1
Latest Release Date: [1]
Operating System:Cross-platform
Programming Language:Java
Genre:web application framework security
License:Apache License 2.0

Spring Security is a Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications. The project was started in late 2003 as 'Acegi Security' (pronounced Ah-see-gee, whose letters are the first, third, fifth, seventh, and ninth characters from the English alphabet, in order to prevent name conflicts[2]) by Ben Alex, with it being publicly released under the Apache License in March 2004. Subsequently, Acegi was incorporated into the Spring portfolio as Spring Security, an official Spring sub-project. The first public release under the new name was Spring Security 2.0.0 in April 2008, with commercial support and training available from SpringSource.

Authentication flow

Diagram 1 shows the basic flow of an authentication request using the Spring Security system. It shows the different filters and how they interact from the initial browser request, to either a successful authentication or an HTTP 403 error.

Browser submits "authentication credentials"
"Authentication mechanism" collects the details
An "authentication request" object is built
Authentication request sent to an AuthenticationManager
AuthenticationManager (this is responsible for passing requests through a chain of AuthenticationProviders)
"Authentication provider" will ask a UserDetailsService to provide a UserDetails object
The resultant UserDetails object (which also contains the GrantedAuthority[]s) will be used to build the fully populated Authentication object.
If "Authentication mechanism" receives back the fully populated Authentication object, it will deem the request valid, put the Authentication into the SecurityContextHolder; and cause the original request to be retried.
If, on the other hand, the AuthenticationProvider rejected the request, the authentication mechanism will ask the user agent to retry.
AbstractSecurityInterceptor authorizes the regenerated request and throws Java exceptions. (Asks AccessDecisionManager for decision.)
ExceptionTranslationFilter translates the exceptions thrown by AbstractSecurityInterceptor into HTTP related error codes
Error code 403 – if the principal has been authenticated and therefore simply lacks sufficient access
Launch an AuthenticationEntryPoint – if the principal has not been authenticated which is an authentication mechanism

Key authentication features

Key authorization features

Instance-based security features

Other features

Releases

References

Notes and References

  1. Web site: Spring Security 5.8.13, 6.2.5, and 6.3.1 are available now. spring.io. August 18, 2024.
  2. Web site: Why the name Acegi?. spring.io.
  3. Web site: Spring Security 5.0.8 and 4.2.8 Released. spring.io. 2019-06-09.
  4. Web site: Spring Security 5.1 goes GA. spring.io. 2019-06-09.
  5. Web site: Spring Security 5.1.1, 5.0.9, and 4.2.9 Released. spring.io. 2019-06-09.
  6. Web site: Spring Security 5.1.2, 5.0.10, 4.2.10 Released. spring.io. 2019-06-09.
  7. Web site: Spring Security 5.1.3, 5.0.11, 4.2.11 Released. spring.io. 2019-06-09.
  8. Web site: Spring Security 5.1.4 Released. spring.io. 2019-06-09.
  9. Web site: Spring Security 5.1.5, 5.0.12, 4.2.12 Released. spring.io. 2019-06-09.