Spring Boot Security is a module in the Spring Boot framework that handles authentication, authorization, and other security aspects in web applications.
It provides features like user management, CSRF protection, and security filters to ensure robust application security with minimal configuration and coding effort.
The key components of Spring Boot Security include:
- Authentication: Handles user identity verification using form-based login, HTTP Basic, and OAuth.
- Authorization: Defines access control rules based on roles and permissions to restrict user actions.
- Security Filters: Intercept and enforce security rules for incoming requests.
- User Management: Provides options to manage user details and passwords.
- CSRF Protection: Prevents Cross-Site Request Forgery attacks.
- Session Management: Handles user sessions and concurrent session control.
- Event Logging: Logs security-related events for auditing and monitoring.
Project Explorer
TestController.java
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | package com.example.demo.controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; @RestController public class TestController { @RequestMapping("/info") public String info() { return "This is a info page"; } @RequestMapping("/") public String user() { return "This is a home page"; } @RequestMapping("/teacher") public String teacher() { return "This is a teacher page"; } @RequestMapping("/admin") public String home() { return "This is a admin page"; } } |
The @RequestMapping("/info") annotation is used to map the info() method to handle HTTP requests with the URL path “/info”.
Similarly, there are other methods like user(), teacher(), and home() which are also annotated with @RequestMapping and mapped to different URL paths (“/”, “/teacher”, and “/admin” respectively).
SecurityConfiguration.java
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | package com.example.demo.configuration; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.SecurityFilterChain; @Configuration @EnableWebSecurity public class SecurityConfiguration { @Bean public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception { httpSecurity.csrf().disable().authorizeHttpRequests() .requestMatchers("/info").permitAll() .requestMatchers("/teacher").hasRole("TEACHER") .requestMatchers("/admin").hasRole("ADMIN") .anyRequest().authenticated().and().formLogin(); return httpSecurity.build(); } @Bean public InMemoryUserDetailsManager userDetailsService() { // InMemoryUserDetailsManager (see below) UserDetails user1 = User.withUsername("user1").password(passwordEncoder().encode("password")).roles("USER") .build(); UserDetails user2 = User.withUsername("user2").password(passwordEncoder().encode("password")).roles("TEACHER") .build(); UserDetails user3 = User.withUsername("user3").password(passwordEncoder().encode("password")).roles("ADMIN") .build(); return new InMemoryUserDetailsManager(user1, user2, user3); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } } |
The class is annotated with @Configuration, indicating that it is a configuration class that will define Spring beans and their dependencies.
“/info” URL allows all users access without authentication or authorization, providing unrestricted access to the page.
“/teacher” URL is limited to authenticated users with the “TEACHER” role, granting access only to those with appropriate authorization.
“/admin” URL is restricted to authenticated users having an “ADMIN” role, ensuring only authorized users can access this page.
Any URL requests except “/info”, “/teacher”, and “/admin” require authentication; users must log in to access other parts.
DemoApplication.java
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | package com.example.demo; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; @SpringBootApplication public class DemoApplication { public static void main(String[] args) { SpringApplication.run(DemoApplication.class, args); } } |
POM.xml
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 | <?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>3.1.1</version> <relativePath /> <!-- lookup parent from repository --> </parent> <groupId>com.example</groupId> <artifactId>demo</artifactId> <version>0.0.1-SNAPSHOT</version> <name>demo</name> <description>Demo project for Spring Boot</description> <properties> <java.version>17</java.version> </properties> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-test</artifactId> <scope>test</scope> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-test</artifactId> <scope>test</scope> </dependency> </dependencies> <build> <plugins> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> </plugin> </plugins> </build> </project> |
Result
