Spring Security, short for Spring Security Framework, is a comprehensive Java-based framework for authentication, authorization, and protection of applications built on Spring. It provides mechanisms to secure web applications, REST APIs, and microservices through features like role-based access control, OAuth2 integration, and cryptographic password management. Developers can include Spring Security via Maven or Gradle, or download official starter packages at https://spring.io/projects/spring-security for personal or business use.
Spring Security exists to address the complexity of application security by offering declarative, configurable, and extensible security mechanisms. Its design philosophy emphasizes convention over configuration, modularity, and ease of integration with Java, Spring Boot, and modern authentication protocols. By handling authentication and authorization consistently, Spring Security reduces vulnerabilities and ensures secure, maintainable applications.
Spring Security: Configuring Basic Authentication
A common usage of Spring Security is implementing basic authentication to restrict access to endpoints. This involves creating a security configuration class that extends WebSecurityConfigurerAdapter (or uses SecurityFilterChain in newer versions) and defining user credentials and roles.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.context.annotation.Bean;
@Configuration
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic();
return http.build();
}
}This configuration restricts all HTTP requests to authenticated users and applies basic HTTP authentication. Integration with Spring Boot ensures minimal boilerplate while maintaining secure access control. JSON payloads and responses work seamlessly alongside this security setup when building APIs with JSON and Java backends.
Spring Security: User Details Service
To manage authentication, Spring Security uses a UserDetailsService interface, which loads user-specific data during login attempts.
import org.springframework.context.annotation.Bean;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@Bean
public UserDetailsService userDetailsService() {
UserDetails user = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(user);
}This example defines an in-memory user for testing or small applications. It demonstrates the integration of Spring Security with user credentials, role management, and Java objects. In production, this service can connect to databases or external identity providers for authentication.
Spring Security: Securing REST APIs
Spring Security can secure REST endpoints, ensuring only authorized users can access specific resources. This is commonly done using method-level security annotations like @PreAuthorize.
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class ApiController {
@GetMapping("/admin")
@PreAuthorize("hasRole('ADMIN')")
public String adminEndpoint() {
return "Admin content";
}
@GetMapping("/user")
@PreAuthorize("hasRole('USER')")
public String userEndpoint() {
return "User content";
}
}In this example, method-level annotations restrict access based on roles. Integration with Spring Boot and role-based configurations ensures that security logic remains declarative, predictable, and easy to maintain alongside JSON APIs and Java business logic.
Spring Security: OAuth2 and JWT Integration
Advanced applications use Spring Security to integrate OAuth2 and JWT (JSON Web Token) for stateless, token-based authentication in REST APIs.
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
http
.authorizeRequests(auth -> auth
.anyRequest().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt.jwtAuthenticationConverter(new JwtAuthenticationConverter()))
);This configuration secures endpoints with JWT tokens issued by an OAuth2 provider. It ensures that APIs built with Spring Boot and data serialized with JSON maintain strong, stateless security while integrating seamlessly with modern Java backend applications.
By offering declarative authentication, role-based access control, token-based security, and deep integration with Spring Boot and Java, Spring Security enables developers to build secure, maintainable, and production-ready applications. Its extensibility and compatibility with JSON APIs, OAuth2 providers, and enterprise identity management ensure robust protection across web applications, microservices, and modern RESTful services.