Understanding Spring Security: Authentication and Authorization

3 min readApr 14, 2025

Photo by Christina @ wocintechchat.com on Unsplash

Spring Security is a powerful and customizable authentication and access control framework for Java applications, particularly those built using the Spring framework. It provides comprehensive security services for Java applications, ensuring that only authorized users can access certain resources. In this article, we will explore the core concepts of Spring Security, focusing on authentication and authorization.

What is Spring Security?

Spring Security is a highly customizable framework that focuses on providing security features for Java applications. It integrates seamlessly with Spring applications and provides a wide range of security features, including:

Authentication and authorization
Protection against common security vulnerabilities (e.g., CSRF, XSS)
Secure session management
Role-based access control
Integration with various authentication mechanisms (e.g., LDAP, OAuth2)

Core Concepts

Authentication

Authentication is the process of verifying the identity of a user or system. In Spring Security, authentication involves checking the credentials provided by a user against stored credentials to confirm their identity.

How Authentication Works in Spring Security

User Credentials: A user provides their credentials (e.g., username and password) through a login form.
Authentication Manager: Spring Security uses an AuthenticationManager to process the authentication request.
UserDetailsService: This component loads user-specific data. It retrieves user details from a database or another source.
Authentication Token: If the credentials are valid, Spring Security creates an Authentication object holding the user's details and roles.

Authorization

Authorization is the process of determining whether an authenticated user has permission to access a specific resource or perform a particular action. In Spring Security, authorization is managed through roles and permissions.

How Authorization Works in Spring Security

Role-based Access Control (RBAC): Users are assigned roles, and each role has specific permissions associated with it.
Method Security: You can secure methods using annotations like @PreAuthorize, @Secured, and @RolesAllowed. This allows fine-grained control over access to methods based on user roles.
URL Security: Spring Security can restrict access to certain URLs based on user roles configured in the security configuration.

Configuring Spring Security

Step 1: Add Dependencies

To use Spring Security, you need to add the necessary dependencies to your pom.xml if you're using Maven:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Step 2: Create a Security Configuration Class

You need to create a security configuration class that extends WebSecurityConfigurerAdapter. In this class, you can define authentication and authorization rules.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("{noop}password").roles("USER")
            .and()
            .withUser("admin").password("{noop}admin").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/user/**").hasRole("USER")
            .antMatchers("/", "/public/**").permitAll()
            .and()
            .formLogin();
    }
}

Step 3: Create a Login Form

You can create a simple HTML login form that users will use to authenticate.

<form method="post" action="/login">
    <input type="text" name="username" placeholder="Username" required />
    <input type="password" name="password" placeholder="Password" required />
    <button type="submit">Login</button>
</form>

Step 4: Securing Methods with Annotations

You can use method-level security by adding the @EnableGlobalMethodSecurity annotation to your security configuration class.

import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // existing configuration
}

Now you can secure methods in your services:

import org.springframework.security.access.prepost.PreAuthorize;

public class UserService {

    @PreAuthorize("hasRole('ADMIN')")
    public void adminMethod() {
        // Admin-only method
    }

    @PreAuthorize("hasRole('USER')")
    public void userMethod() {
        // User-only method
    }
}

Conclusion

Spring Security provides a robust framework for handling authentication and authorization in Java applications. By leveraging its powerful features, developers can secure their applications against unauthorized access and ensure that only authenticated users can perform specific actions. With customizable configurations, Spring Security is an essential tool for building secure Spring applications. Implementing strong authentication and authorization practices helps to protect sensitive data and maintain user trust.