Security is one of the most critical aspects of any modern web application. Thankfully, Spring Boot offers a seamless way to integrate Spring Security — a powerful and highly customizable authentication and authorization framework for Java applications.
Whether you're building a simple login form or implementing JWT-based APIs, Spring Security is your go-to solution.
📌 What is Spring Security?
Spring Security is a powerful security framework for Java applications, providing both authentication (who are you?) and authorization (what are you allowed to do?).
It's part of the larger Spring ecosystem and works flawlessly with Spring Boot, allowing you to:
- Protect endpoints
- Handle user login/logout
- Manage roles and permissions
- Implement JWT (JSON Web Token)
- Secure REST APIs
- Prevent CSRF, session hijacking, etc.
🚀 Getting Started with Spring Security + Spring Boot
🧰 Step 1: Add Dependency
If you're using Maven, add the following to your pom.xml:
💡 Spring Boot auto-configures basic security once this starter is added.
🔐 Step 2: Default Security Behavior
Once you add the dependency and run your app:
- A default login form is automatically generated.
- A default user is created with username `user`.
- A random password is printed in the console.
➡️ Try accessing any endpoint (like /home) — you'll be prompted for login.
👨💻 Customizing Spring Security
Let's go beyond the default.
🛠️ Step 3: Create a Security Configuration Class
✅ What’s Happening Here?
- `/public/**` → accessible to everyone
- All other endpoints → require authentication
- Uses built-in login form
- Enables logout with redirect
👥 Step 4: In-Memory User Configuration
You can create a simple user using the following:
⚠️ `withDefaultPasswordEncoder()` is great for learning, but never use it in production: it is deprecated, and the plaintext password it is given is compiled into your source code.
🔐 Securing REST APIs (Stateless)
For REST APIs, you'll want:
- No sessions
- Token-based authentication (like JWT)
- CSRF disabled
Example:
🔑 Spring Security Core Concepts
| Concept | Description |
|---|---|
| Authentication | Verifying identity (username/password) |
| Authorization | Granting access based on roles/permissions |
| UserDetailsService | Interface to fetch user info |
| SecurityFilterChain | Customizes HTTP security rules |
| PasswordEncoder | Securely hashes passwords |
| CSRF | Cross-Site Request Forgery protection |
| CORS | Cross-Origin Resource Sharing (frontend/backend communication) |
🔄 Common Use Cases
| Use Case | Spring Security Feature |
|---|---|
| Login page | formLogin() |
| Protect endpoints | authorizeHttpRequests() |
| Public vs Private URLs | permitAll(), authenticated() |
| REST API security | Disable CSRF, use JWT |
| Role-based access | .hasRole("ADMIN"), .hasAnyRole() |
| Logout handling | logout() config |
🛡️ Add Role-Based Authorization
💡 Best Practices
- 🔐 Always hash passwords (use `BCryptPasswordEncoder`)
- ❌ Avoid using default encoders in production
- ✅ Use JWT or OAuth2 for APIs
- 🚫 Disable CSRF only if you're building stateless APIs
- ✅ Separate security config for Web and REST APIs
✅ Summary
Spring Security + Spring Boot makes securing your application easy and robust. You get:
- 🔐 Built-in authentication & authorization
- 🧩 Configurable login/logout mechanisms
- 🧱 Easy endpoint protection
- 🧠 Support for advanced use cases like JWT, OAuth2, LDAP, etc.
📚 Resources