Security is a critical component of every application. Authentication is the process of establishing a user's identity: verifying that the user is who they claim to be. Typically, a user ID/password combination is used for authentication.
Authorization is the act of checking whether an authenticated user is permitted to perform a specific action, for example:
- Can the user view a page?
- Can the user edit a page?
- Can the user delete a page?
A best practice is to enforce authentication and authorization on every page in the application. User credentials and their authorizations should be verified before executing any request on a web application.
Spring Security provides a comprehensive security solution for Java EE enterprise applications. While providing great support to Spring-based (and Spring MVC-based) applications, it can be integrated with other frameworks as well.
The following list highlights some of the vast range of authentication mechanisms that Spring Security supports:
- Form-based authentication: Simple integration for basic applications
- LDAP: Typically used in enterprise applications with a central directory
- Java Authentication and Authorization Service (JAAS): Authentication and authorization standard that is part of the Java EE specification
- Container-managed authentication
- Custom authentication systems
In this chapter, we will focus on Spring Security from the perspective of a web application.
Let's consider a simple example that enables Spring Security on a simple web application. We will use an in-memory user configuration.
The steps involved are as follows:
- Add the Spring Security dependency.
- Configure the interception of all requests.
- Configure Spring Security.
- Add the logout functionality.