Computer scienceBackendSpring BootSpring Security

Getting started with Spring Security

Provided by: JetBrains Academy
7 minutes read

Access to web pages, files, or other resources of a web application is often restricted to authorized users only. Spring Security is a module of the Spring framework that deals with authentication and authorization (or access control). This module stands between the client and the application, intercepts all requests, and allows configuring what functionalities and data are available to which users. It also helps secure your app against common security vulnerabilities and attacks.

Some of the features of this framework are the following:

  • Easily configurable and extensible to meet the needs of a specific application.

  • Protection against common attacks: session fixation, clickjacking, CSRF, etc.

  • Open source and regularly updated.

  • Supports integration with HTTP basic access authentication, form-based authentication, LDAP, and many more.

  • Provides a secure and flexible set of tools for managing user passwords.

In this topic, you'll learn how to start working with Spring Security, and we'll create a secured single-page app.

Dependency

The first step in securing a Spring app is to add the Spring Boot Security starter dependency:

Gradle Groovy DSL
dependencies {
   // ...
   implementation 'org.springframework.boot:spring-boot-starter-security'
   // ...
}
Gradle Kotlin DSL
dependencies {
    // ...
    implementation("org.springframework.boot:spring-boot-starter-security")
    // ...
}
Maven
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

This dependency includes autoconfiguration and enables security-related features like HTTP basic authentication, form-based authentication, protection against CSRF, etc. Getting acquainted with Spring Security will be easier by looking at some examples first. So let's create a simple app, run it, and see what happens!

Preparation

Let's assume we started a new Spring Boot project, added the web and security starter dependencies, and created a simple index.html file in the src/main/resources/static folder.

Here's the content of the file:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Security Test</title>
</head>
<body>
    <h1>Access granted!</h1>
</body>
</html>

Now let's run the app and try to access the file.

Secured app

If we try to access the above file by navigating to http://localhost:8080/, we will not see the expected "Access granted!" message. Instead, we'll be redirected to http://localhost:8080/login and shown the following form:

Spring security authentication form

But wait a minute. We haven't implemented any login forms or created any users... And what are the username and password?

Our app is secured once we have added the Spring Boot security dependency. The form we encountered is provided by autoconfiguration, and Spring Security also generated a default user. To access our app, we need to enter the correct username and password. The default username is "user", and we can find the password in the console log. The log entry will look something like this:

Using generated security password: acfa1db0-9ecf-4edf-b0a6-33d5199a8091

The default username is "user" (case-insensitive), but a new password is generated every time we run the app. So, your password will be different every time.

If we enter the username and the generated password, we'll be redirected from http://localhost:8080/login to the URL that we were trying to access, http://localhost:8080/, and we'll see our page:

successful authenticated page

Autoconfiguration also adds a default logout page.

If we navigate to http://localhost:8080/logout, we'll see the following page:

log out confirmation page

Isn't that a lot of functionality for just one dependency without any added code? You'll learn more about this in the upcoming topics. For now, let's see how we can set our own username and password.

Configuration

We can change the username and password in the application.properties file.

Here's how you can specify the username:

spring.security.user.name=someone

You can set the password as follows:

spring.security.user.password=123

No default password will be generated if we set the password and reload the server. The console will not show the password either.

Conclusion

In this topic, you've got acquainted with Spring Security, and we've created a simple secured app. We've seen that the Spring security starter dependency enables authentication for our page, adds login and logout pages, and creates a default user. You've also learned to change your username and password using the application.properties file.

Spring Boot Security autoconfiguration is a great way to get started with security, but most applications will demand explicit configuration to meet their unique security requirements. In the upcoming topics, you'll learn how to add multi-user support to an application, secure specific URLs, create custom login and logout procedures, and other interesting features of this framework.

Now, let's solve some tasks!

196 learners liked this piece of theory. 3 didn't like it. What about you?
Report a typo