Making the application secure with Spring Security

Our Blogpress application has a login functionality to access certain pages and functionalities that are not accessible to a normal (anonymous) user. Building authentication and authorization on our own from scratch would take a good amount of effort. Spring provides a module called Spring Security, which does exactly what we need here.

Spring Security is an open source, highly comprehensive, powerful, and customizable framework used to implement authentication and authorization in J2EE-based web applications. It is a sub-project (module) of the Spring Framework.

Before talking further, it is important to understand the difference between authentication and authorization.

Authentication is the process of verifying that someone or something is what it claims to be. There are several mechanisms to perform authentication. The most straightforward way is to ask for a username and password. Other mechanisms include LDAP, single sign-on, OpenID, and OAuth.

On the other hand, authorization is about the permissions for the actions you are allowed to perform. In short, authentication establishes who you are and authorization determines what you can do in the system.

Spring Security provides many features out of the box, including authentication, authorization, protection against CSRF attacks, servlet API integration, Spring MVC integration, remember-me functionality, SSO implementation support, LDAP authentication support, OpenID integration, web service security support, WebSocket security support, Spring Data integration, and many more.

Though the latest version of Spring Security (5.1.0 at the time of writing) supports both XML and annotation-based configuration, you still need to do a good amount of configuration if you set it up on your own. But you don't have to worry, as Spring Boot is with you.

Spring Boot also supports Spring Security integration. Just like integration with other modules, you need to add a required starter for Spring Security to work with Spring Boot. Add the following dependency in the pom.xml file:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

As soon as you add this dependency, Spring Security becomes active and will not allow access to even the public pages of the application without valid credentials. When you hit http://localhost:8080/blogpress, you will see a login screen.

With its default (auto-) configuration, Spring Security allows you to log in with a single generated credential. The username will be user and the password will be generated randomly by Spring Security and printed in the server log like this:

Using generated security password: 89ca7b55-6a5d-4dd9-9d02-ae462e21df81.

You can override the username and password in a property file. In the project structure, you will see the application.properties file in the src/main/resources folder. Just add the following two properties to it:

spring.security.user.name=nilang
spring.security.user.password=password

Now you can access the application with the previously mentioned credentials, but you still need to authenticate to access even the public pages. By default, Spring Security is activated with the default (or auto-) configuration, which secures all the endpoints. This is not what we want. So we need to instruct Spring Security which endpoints (URLs) we want to secure and which we do not.

For this, first, we need to disable the default security (auto-) configuration. There are two possible options here.
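As an added example (not the book's code) of telling Spring Security which URLs are public and which are protected: in Spring Boot 2.x, declaring a WebSecurityConfigurerAdapter of your own makes the default security auto-configuration back off, so the rules below replace it. The package name, URL paths, role name and the in-memory user are assumptions made for this example.

```java
package com.blogpress.config; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class BlogpressSecurityConfig extends WebSecurityConfigurerAdapter {

    // Delegating encoder: stored hashes carry a {bcrypt} prefix, never plain text.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Replaces the auto-generated "user" account. The password is a placeholder;
        // in a real deployment it comes from configuration or a user store, not source code.
        auth.inMemoryAuthentication()
            .withUser("nilang")
            .password(passwordEncoder().encode("change-me"))
            .roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Assumed URL layout: home page, public post pages and static assets are open...
                .antMatchers("/", "/blogpress", "/posts/**", "/css/**", "/js/**").permitAll()
                // ...the management area requires an authenticated user with the ADMIN role...
                .antMatchers("/manage/**").hasRole("ADMIN")
                // ...and anything not listed above still requires login (deny by default).
                .anyRequest().authenticated()
                .and()
            .formLogin()   // default login page served at /login
                .and()
            .logout();     // logout via POST /logout; CSRF protection stays enabled by default
    }
}
```

Because anyRequest().authenticated() comes last, a new controller path that you forget to list is protected rather than silently exposed.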
