Spring Security 6 Notes

Spring Security 6 introduces significant changes, including the transition to Jakarta EE namespaces and enhanced support for OAuth2, JWT, and method-level security, requiring Java 17+ and Spring Framework 6+. Key concepts include authentication, authorization, and the use of a SecurityFilterChain for configuration, alongside various authentication methods like form login and JWT. Best practices emphasize using BCryptPasswordEncoder for password hashing, maintaining security in production, and properly managing roles and authorities.

Uploaded by newsletter

Spring Security 6 – Key Concepts & Features

1. Major Changes in Spring Security 6

- Jakarta EE namespaces: javax.* is now jakarta.* (servlet, persistence and validation imports all change)
- Requires Java 17+ and Spring Framework 6+ (Spring Boot 3+)
- WebSecurityConfigurerAdapter is gone: security is configured through a SecurityFilterChain @Bean
- authorizeRequests()/antMatchers() are deprecated in favour of authorizeHttpRequests()/requestMatchers()
- Enhanced support for OAuth2, JWT, CORS, CSRF, and method-level security
- Declarative, lambda-based configuration: each feature takes either Customizer.withDefaults() or a lambda

2. Core Security Concepts

- Authentication – Verifying the identity of a user (who is calling)
- Authorization – Determining access rights (what the caller may do); always evaluated after authentication
- Principal – The identity held inside the Authentication object, usually the UserDetails of the logged-in user
- GrantedAuthority – A role or permission string; roles carry the ROLE_ prefix (e.g., ROLE_ADMIN), and hasRole("ADMIN") looks for exactly that authority

3. Configuration Style
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()   // reachable without logging in
                .anyRequest().authenticated())               // everything else needs an authenticated user
            .formLogin(Customizer.withDefaults());           // default login page at /login, session cookie on success
        return http.build();
    }
}

4. Authentication Methods
- Form Login – http.formLogin(Customizer.withDefaults()); (login page plus HttpSession cookie)
- HTTP Basic – http.httpBasic(Customizer.withDefaults()); (credentials on every request, so only over TLS)
- JWT (Stateless) – Either a custom OncePerRequestFilter that validates the token and populates the SecurityContext, or the built-in resource-server support, http.oauth2ResourceServer(o -> o.jwt(Customizer.withDefaults())), which needs no hand-written filter

5. Authorization – Role-Based Access

.authorizeHttpRequests(auth -> auth
    .requestMatchers("/admin/**").hasRole("ADMIN")             // requires authority ROLE_ADMIN
    .requestMatchers("/user/**").hasAnyRole("USER", "ADMIN")
    .anyRequest().authenticated()                              // rules match in order: most specific first, catch-all last
)

- @EnableMethodSecurity on a configuration class switches on the annotations below
- @PreAuthorize("hasRole('ADMIN')") – SpEL expression evaluated before the method runs
- @Secured("ROLE_USER") – older style, takes the full authority name; only active with @EnableMethodSecurity(securedEnabled = true)

6. Password Encoding
@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();   // cost factor 10 by default; new BCryptPasswordEncoder(12) for a slower hash
}
7. UserDetailsService & AuthenticationManager
@Service
public class MyUserDetailsService implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Load user from DB and map it to a UserDetails, e.g.
        // User.withUsername(...).password(storedHash).roles(...).build();
        // throw UsernameNotFoundException when no such user exists
    }
}

@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
    return config.getAuthenticationManager();   // the manager Spring builds from the UserDetailsService + PasswordEncoder beans
}
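An added example, not code from the notes, showing what the stub above looks like once the "load user from DB" step is filled in: a UserDetailsService backed by a constructed in-memory user table (the Map stands in for a repository), the BCrypt encoder it shares with DaoAuthenticationProvider, and the AuthenticationManager bean. StoredUser, MapUserDetailsService, AuthBeans and the three sample users are all assumptions made here for illustration.

```java
// Added example (not from the notes). Assumed: a Spring Boot 3 app with spring-boot-starter-security;
// StoredUser/MapUserDetailsService/AuthBeans and the sample users are constructed for this example.
import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

/** Constructed stand-in for a database row: username, BCrypt hash, role names, enabled flag. */
record StoredUser(String username, String passwordHash, List<String> roles, boolean enabled) {}

@Service
class MapUserDetailsService implements UserDetailsService {
    private final Map<String, StoredUser> table;

    MapUserDetailsService(PasswordEncoder encoder) {
        // Hashes are computed at startup only so the example is self-contained;
        // a real store holds the hash and never sees the plaintext again.
        this.table = Map.of(
            "alice", new StoredUser("alice", encoder.encode("alice-pw"), List.of("USER", "ADMIN"), true),
            "bob",   new StoredUser("bob",   encoder.encode("bob-pw"),   List.of("USER"), true),
            "carol", new StoredUser("carol", encoder.encode("carol-pw"), List.of("USER"), false));
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        StoredUser u = table.get(username);
        if (u == null) {
            // DaoAuthenticationProvider turns this into BadCredentialsException (hideUserNotFoundExceptions),
            // so a client cannot tell "no such user" from "wrong password".
            throw new UsernameNotFoundException("user not found");
        }
        return User.withUsername(u.username())
                .password(u.passwordHash())                   // already a BCrypt hash; no {bcrypt} prefix needed here
                .roles(u.roles().toArray(String[]::new))      // roles("ADMIN") becomes authority ROLE_ADMIN
                .disabled(!u.enabled())                       // rejected with DisabledException before the hash check
                .build();
    }
}

@Configuration
class AuthBeans {
    @Bean PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(12); }

    @Bean AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();     // DaoAuthenticationProvider over the beans above
    }
}
```

With a single UserDetailsService bean and a single PasswordEncoder bean present, Spring Security wires them into a DaoAuthenticationProvider automatically; authenticating "carol" fails with DisabledException, an unknown name fails with BadCredentialsException, and "alice" gets the authorities ROLE_USER and ROLE_ADMIN that hasRole("ADMIN") in section 5 checks for.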

8. Stateless APIs (JWT Security Flow)

- Login Endpoint → Verifies the credentials through the AuthenticationManager and returns a signed JWT
- JWT Filter → Reads the Authorization: Bearer <token> header, validates signature and expiry, sets the Authentication in the SecurityContext
- Secured Endpoints → Authorized from that Authentication on every request; no server-side session is created

9. CSRF, CORS, Sessions

http.csrf(AbstractHttpConfigurer::disable);   // only for token-based REST APIs with no session cookie; keep CSRF on for cookie sessions
http.cors(Customizer.withDefaults());         // uses the CorsConfigurationSource bean in the context
http.sessionManagement(session -> session
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)); // no HttpSession; the SecurityContext is rebuilt on every request

The older non-lambda forms (http.csrf().disable(), http.cors()) still compile in 6.0 but are deprecated from 6.1.
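An added example, not code from the notes, that puts sections 8 and 9 together in one file: the login endpoint that issues a short-lived HS256 JWT, the OncePerRequestFilter that validates it and populates the SecurityContext, and the stateless chain with CSRF disabled. It uses Spring Security's own JwtEncoder/JwtDecoder rather than a third-party JWT library. Assumptions: spring-boot-starter-web, spring-boot-starter-security and spring-security-oauth2-jose on the classpath; a property app.jwt.secret of at least 32 bytes supplied from the environment; the AuthenticationManager, UserDetailsService and PasswordEncoder beans of sections 6 and 7 already defined. The class names, the /auth/login path and the "roles" claim are choices made for this example.

```java
// Added example (not from the notes). Assumed: spring-security-oauth2-jose on the classpath, property
// app.jwt.secret (>= 32 bytes, from the environment), and the section 6-7 beans already present.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.*;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.filter.OncePerRequestFilter;

/** Step 2: validate the bearer token and populate the SecurityContext for this request only. */
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final JwtDecoder decoder;
    JwtAuthenticationFilter(JwtDecoder decoder) { this.decoder = decoder; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Jwt jwt = decoder.decode(header.substring(7));          // verifies signature, exp and nbf
                List<String> roles = jwt.getClaimAsStringList("roles");
                var authorities = (roles == null ? List.<String>of() : roles).stream()
                        .map(r -> new SimpleGrantedAuthority("ROLE_" + r)).toList();
                SecurityContextHolder.getContext().setAuthentication(    // 3-arg constructor marks it authenticated
                        new UsernamePasswordAuthenticationToken(jwt.getSubject(), null, authorities));
            } catch (JwtException e) {                                   // bad token: reject, do not continue as anonymous
                SecurityContextHolder.clearContext();
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}

/** Step 3: stateless chain; every request is authorized from the filter's Authentication. */
@Configuration
@EnableWebSecurity
class JwtSecurityConfig {
    @Bean SecretKey jwtKey(@Value("${app.jwt.secret}") String secret) {   // HS256 needs >= 256 bits
        return new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    }
    @Bean JwtDecoder jwtDecoder(SecretKey key) { return NimbusJwtDecoder.withSecretKey(key).build(); }
    @Bean JwtEncoder jwtEncoder(SecretKey key) { return new NimbusJwtEncoder(new ImmutableSecret<>(key)); }

    @Bean SecurityFilterChain apiChain(HttpSecurity http, JwtDecoder decoder) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)                       // no session cookie, so no CSRF surface
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(a -> a.requestMatchers("/auth/login").permitAll()
                                         .anyRequest().authenticated())
            .addFilterBefore(new JwtAuthenticationFilter(decoder), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}

/** Step 1: exchange username/password for a short-lived signed JWT. */
@RestController
class AuthController {
    record LoginRequest(String username, String password) {}
    record TokenResponse(String token) {}
    private final AuthenticationManager authManager;
    private final JwtEncoder encoder;
    AuthController(AuthenticationManager authManager, JwtEncoder encoder) {
        this.authManager = authManager; this.encoder = encoder;
    }

    @PostMapping("/auth/login")
    TokenResponse login(@RequestBody LoginRequest body) {
        Authentication auth = authManager.authenticate(                  // runs UserDetailsService + BCrypt check
                UsernamePasswordAuthenticationToken.unauthenticated(body.username(), body.password()));
        List<String> roles = auth.getAuthorities().stream().map(GrantedAuthority::getAuthority)
                .map(a -> a.startsWith("ROLE_") ? a.substring(5) : a).toList();
        Instant now = Instant.now();
        JwtClaimsSet claims = JwtClaimsSet.builder().subject(auth.getName()).issuedAt(now)
                .expiresAt(now.plusSeconds(15 * 60)).claim("roles", roles).build();   // 15 min: cannot be revoked earlier
        JwsHeader header = JwsHeader.with(MacAlgorithm.HS256).build();
        return new TokenResponse(encoder.encode(JwtEncoderParameters.from(header, claims)).getTokenValue());
    }

    @ExceptionHandler(AuthenticationException.class) @ResponseStatus(HttpStatus.UNAUTHORIZED)
    void badCredentials() {}                                             // plain 401, no detail about why
}
```

The filter does not authenticate, it only translates a valid token into an Authentication; the actual credential check happens once, in /auth/login. A malformed or expired token gets a 401 immediately rather than being ignored, because an ignored bad token would let the request continue as anonymous and produce a confusing 403 on protected paths. Because nothing is stored server-side, a token stays valid until exp, which is why the lifetime is short.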

10. Useful Annotations

- @EnableWebSecurity – Imports the web security configuration; optional in Spring Boot, which applies it for you when a SecurityFilterChain bean exists
- @EnableMethodSecurity – Enables method-level security; @PreAuthorize/@PostAuthorize are on by default, @Secured and JSR-250 annotations need securedEnabled = true / jsr250Enabled = true
- @PreAuthorize(...) – Pre-invocation access check (SpEL expression)
- @Secured(...) – Role-based access (older, plain authority names, no expressions)

11. Testing with Spring Security

- Use @WithMockUser (synthetic user with the roles you choose) or @WithUserDetails (loads a real user through your UserDetailsService) on a test method; both need the spring-security-test dependency
- Use SecurityMockMvcRequestPostProcessors such as csrf(), user(...) and jwt() with MockMvc for per-request setup; a POST in a test returns 403 if CSRF is enabled and .with(csrf()) is omitted
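An added example, not code from the notes, showing the two bullets above as a MockMvc slice test over the /admin/** rule from section 5. It assumes a standard Spring Boot 3 project (so @WebMvcTest can find the application class), spring-security-test on the test classpath, and that the project's own security configuration is not imported into this slice; AdminController, TestSecurityConfig and the two endpoints are constructed here for the test.

```java
// Added example (not from the notes). Assumed: Spring Boot 3 project with spring-security-test;
// AdminController and TestSecurityConfig are constructed for this test, not taken from any project.
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@WebMvcTest
class AdminAccessTest {

    /** Constructed controller so there is something real behind /admin/**. */
    @RestController
    static class AdminController {
        @GetMapping("/admin/ping")   String ping()  { return "pong"; }
        @PostMapping("/admin/reset") String reset() { return "done"; }
    }

    /** The rule under test, same shape as section 5; CSRF is left at its default (enabled). */
    @TestConfiguration
    static class TestSecurityConfig {
        @Bean AdminController adminController() { return new AdminController(); }

        @Bean SecurityFilterChain chain(HttpSecurity http) throws Exception {
            http.authorizeHttpRequests(a -> a.requestMatchers("/admin/**").hasRole("ADMIN")
                                             .anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults());   // anonymous callers get a 401 challenge
            return http.build();
        }
    }

    @Autowired MockMvc mvc;

    @Test
    void anonymousIsChallenged() throws Exception {
        mvc.perform(get("/admin/ping")).andExpect(status().isUnauthorized());
    }

    @Test @WithMockUser(roles = "USER")            // authority ROLE_USER, not ROLE_ADMIN
    void userRoleIsForbidden() throws Exception {
        mvc.perform(get("/admin/ping")).andExpect(status().isForbidden());
    }

    @Test @WithMockUser(roles = "ADMIN")
    void adminRoleIsAllowed() throws Exception {
        mvc.perform(get("/admin/ping")).andExpect(status().isOk()).andExpect(content().string("pong"));
    }

    @Test @WithMockUser(roles = "ADMIN")
    void postWithoutCsrfTokenIsRejectedEvenForAdmin() throws Exception {
        mvc.perform(post("/admin/reset")).andExpect(status().isForbidden());
    }

    @Test @WithMockUser(roles = "ADMIN")
    void postWithCsrfTokenSucceeds() throws Exception {
        mvc.perform(post("/admin/reset").with(csrf()))
           .andExpect(status().isOk()).andExpect(content().string("done"));
    }
}
```

The last two tests are the ones that catch the common surprise: authorization passed (ADMIN), yet the POST is still rejected, because CsrfFilter runs before the authorization check and MockMvc sends no token unless .with(csrf()) adds one.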

12. Best Practices

- Use BCryptPasswordEncoder (or another adaptive password hash) for passwords; never store plaintext or a plain SHA-256
- Never disable security in production: no permitAll() on anyRequest(), and no CSRF disabled while a session cookie is in use
- Use JWT for RESTful stateless authentication, with short lifetimes: a JWT cannot be revoked before it expires unless you keep a server-side denylist
- Use Roles and Authorities consistently: ROLE_ prefix with hasRole(), full authority names with hasAuthority()
- Store secret keys in secure environments (environment variables, a vault), not in source code; an HS256 key must be at least 256 bits
