Spring Security 6 – Key Concepts & Features

1. Major Changes in Spring Security 6

 Jakarta EE namespaces: javax.* is now jakarta.*
 Requires Java 17+ and Spring Framework 6+
 Enhanced support for OAuth2, JWT, CORS, CSRF, and method-level security
 Improved declarative configuration with lambda-based SecurityFilterChain

2. Core Security Concepts

 Authentication – Verifying the identity of a user
 Authorization – Determining access rights (who can do what)
 Principal – The currently authenticated user
 GrantedAuthority – Represents a role or permission (e.g., ROLE_ADMIN)

3. Configuration Style
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception
{
http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/public/**").permitAll()
.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults());
return http.build();
}

4. Authentication Methods
 Form Login – http.formLogin();
 HTTP Basic – http.httpBasic();
 JWT (Stateless) – Used with a custom OncePerRequestFilter

5. Authorization – Role-Based Access

.authorizeHttpRequests(auth -> auth
.requestMatchers("/admin/**").hasRole("ADMIN")
.requestMatchers("/user/**").hasAnyRole("USER", "ADMIN")
)

 @EnableMethodSecurity
 @PreAuthorize("hasRole('ADMIN')")
 @Secured("ROLE_USER")

6. Password Encoding
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
7. UserDetailsService & AuthenticationManager
@Service
public class MyUserDetailsService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) {
// Load user from DB
}
}

@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration
config) throws Exception {
return config.getAuthenticationManager();
}

8. Stateless APIs (JWT Security Flow)

 Login Endpoint → Returns JWT
 JWT Filter → Validates JWT and sets authentication
 Secured Endpoints → Accessed with Authorization header

9. CSRF, CORS, Sessions

http.csrf().disable(); // For REST APIs
http.cors(); // Enable CORS
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS); // Stateless sessions

10. Useful Annotations

 @EnableWebSecurity – Enables Spring Security config
 @EnableMethodSecurity – Enables method-level security
 @PreAuthorize(...) – Pre-invocation access check
 @Secured(...) – Role-based access (older)

11. Testing with Spring Security

 Use @WithMockUser, @WithUserDetails for testing secured endpoints
 Customize SecurityMockMvcRequestPostProcessors for advanced scenarios

12. Best Practices

 Use BCryptPasswordEncoder for hashing passwords
 Never disable security in production
 Use JWT for RESTful stateless authentication
 Use Roles and Authorities properly and consistently
 Store secret keys in secure environments (not in source code)