Introduction to Spring Security

Photo by Scott Webb on Unsplash


Why Spring Security?

  • Form-based login, logout. By just installing spring security into your spring boot project you can get this functionality.
  • Common vulnerabilities can be handled easily. such as session hijacking, Cross-Site scripting, request forgery, etc.
  • For new hacks, patches come quickly, thanks to diverse community support to the project.
  • Allow or block specific URL or resources to a particular user or role.

There are many others, you can check them out on spring official docs here.

5 core concepts of Spring Security

1. Authentication

Photo by Markus Spiske on Unsplash

Authentication is an identification mechanism to allow the system to understand who the user is. When you log into any application, you provide some information that lets’ system identifies that the person is the same as they are saying. You give some proof for your identification to the system. There are mainly three types of authentications.

  1. Knowledge-based authentication.
    In this, the user provides some information to the system so that it can identify you. Popular Knowledge-based authentication is forex. Username & password login, Pin code, Pattern, Secret question, etc. KBA is good for the basic needs of an application. But the KBA kind of authentication is heavily based on information known to the user. Hence it can be stolen and easily someone else can access the user’s account.
  2. Possession Based Authentication
    In Possession Based Authentication (I’ll be using PBA for short) users are identified based on the things they own forex. ID cards, key cards, OTP based login, etc. PBA is better than the KBA Since the system is identifying the user with the possession and not the information they have, which can be easily stolen.
  3. Multifactor Authentication
    In Multifactor Authentication, both KBA and PBA are used to identify the user. It is also called a two-way authentication since it uses both techniques to identify a user. It’s a more secure and robust way to identify the user.

2. Authorization

3. Principal

4. Granted Authority

5. Roles

Conclusion :

References :



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store