Convert Figma logo to code with AI

spring-projects logospring-security

Spring Security

8,711
5,855
8,711
964
View on GitHub

Top Related Projects

octokit's avatar

octokit.js

6,927

The all-batteries-included GitHub SDK for Browsers, Node.js, and Deno.

auth0's avatar

node-jsonwebtoken

17,611

JsonWebToken implementation for node.js http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html

shieldfy's avatar

API-Security-Checklist

22,336

Checklist of the most important security countermeasures when designing, testing, and releasing your API

OWASP's avatar

CheatSheetSeries

27,554

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

keycloak's avatar

keycloak

22,126

Open Source Identity and Access Management For Modern Applications and Services

apereo's avatar

cas

10,852

Apereo CAS - Identity & Single Sign On for all earthlings and beyond.

Quick Overview

Spring Security is a powerful and highly customizable authentication and access-control framework for Java applications. It is the de-facto standard for securing Spring-based applications, providing comprehensive security services for Java EE-based enterprise software applications.

Pros

  • Highly flexible and customizable to fit various security requirements
  • Seamless integration with Spring Framework and other Spring projects
  • Robust support for both authentication and authorization
  • Active community and regular updates

Cons

  • Steep learning curve for beginners
  • Complex configuration for advanced use cases
  • Can be overkill for simple applications
  • Performance overhead in some scenarios

Code Examples

  1. Basic HTTP Security Configuration:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}

This example configures basic HTTP security, allowing public access to home pages and requiring authentication for other requests.

  1. Custom UserDetailsService:
@Service
public class CustomUserDetailsService implements UserDetailsService {

    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username)
            .orElseThrow(() -> new UsernameNotFoundException("User not found"));
        
        return new org.springframework.security.core.userdetails.User(
            user.getUsername(),
            user.getPassword(),
            user.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority(role.getName()))
                .collect(Collectors.toList())
        );
    }
}

This example demonstrates a custom UserDetailsService implementation for loading user-specific data.

  1. Method-level Security:
@Service
public class UserService {

    @PreAuthorize("hasRole('ADMIN')")
    public void deleteUser(Long userId) {
        // Delete user logic
    }

    @PostAuthorize("returnObject.username == authentication.name")
    public User getCurrentUserDetails() {
        // Fetch and return user details
    }
}

This example shows how to use method-level security annotations to restrict access based on roles and post-authorize results.

Getting Started

To get started with Spring Security, add the following dependency to your Maven pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

For Gradle, add this to your build.gradle:

implementation 'org.springframework.boot:spring-boot-starter-security'

After adding the dependency, Spring Security will automatically secure your application with HTTP Basic authentication. You can then customize the security configuration by creating a class that extends WebSecurityConfigurerAdapter as shown in the first code example.

Competitor Comparisons

octokit logo

octokit.js

6,927

The all-batteries-included GitHub SDK for Browsers, Node.js, and Deno.

Pros of Octokit.js

  • Lightweight and focused on GitHub API interactions
  • Easier to integrate into JavaScript/Node.js projects
  • More suitable for frontend applications and scripting

Cons of Octokit.js

  • Limited to GitHub-specific functionality
  • Less comprehensive security features for general web applications
  • Smaller community and ecosystem compared to Spring Security

Code Comparison

Spring Security (Java):

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/").permitAll();
    }
}

Octokit.js (JavaScript):

const octokit = new Octokit({ auth: 'token' });
const { data: user } = await octokit.rest.users.getAuthenticated();
console.log(`Authenticated as ${user.login}`);

Summary

Spring Security is a comprehensive security framework for Java applications, offering robust features for authentication, authorization, and protection against various web vulnerabilities. Octokit.js, on the other hand, is a specialized library for interacting with the GitHub API, making it ideal for GitHub-centric projects and automation tasks. While Spring Security provides a wide range of security controls for enterprise applications, Octokit.js excels in simplifying GitHub-related operations in JavaScript environments.

auth0 logo

node-jsonwebtoken

17,611

JsonWebToken implementation for node.js http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html

Pros of node-jsonwebtoken

  • Lightweight and focused specifically on JWT handling
  • Easy to integrate into Node.js applications
  • Simpler learning curve for developers familiar with JavaScript

Cons of node-jsonwebtoken

  • Limited to JWT authentication, lacking comprehensive security features
  • Requires additional libraries for complete authentication and authorization solutions
  • Less suitable for large-scale enterprise applications with complex security requirements

Code Comparison

node-jsonwebtoken:

const jwt = require('jsonwebtoken');
const token = jwt.sign({ userId: 123 }, 'secret_key', { expiresIn: '1h' });

Spring Security:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().oauth2ResourceServer().jwt();
    }
}

Summary

node-jsonwebtoken is a focused library for JWT handling in Node.js applications, offering simplicity and ease of use. Spring Security, on the other hand, provides a comprehensive security framework for Java applications, including OAuth2 and JWT support among many other features. While node-jsonwebtoken is ideal for smaller projects or microservices requiring JWT authentication, Spring Security is better suited for large-scale enterprise applications with complex security needs.

shieldfy logo

API-Security-Checklist

22,336

Checklist of the most important security countermeasures when designing, testing, and releasing your API

Pros of API-Security-Checklist

  • Lightweight and easy to understand for developers of all levels
  • Provides a quick reference for API security best practices
  • Language-agnostic, applicable to various tech stacks

Cons of API-Security-Checklist

  • Not an actual implementation, just a guideline
  • Lacks detailed explanations or code examples
  • Requires manual implementation of security measures

Code Comparison

API-Security-Checklist doesn't provide code examples, as it's a checklist. Spring Security, on the other hand, offers robust implementation:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .anyRequest().authenticated()
            .and().formLogin();
    }
}

Summary

API-Security-Checklist is a concise, easy-to-follow guide for API security best practices, suitable for quick reference across various technologies. However, it lacks implementation details and code examples. Spring Security, while more complex, provides a comprehensive security framework with ready-to-use implementations for Java applications, offering more robust and integrated security solutions.

OWASP logo

CheatSheetSeries

27,554

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

Pros of CheatSheetSeries

  • Comprehensive security guidance covering a wide range of topics
  • Regularly updated with community contributions
  • Language-agnostic, applicable to various frameworks and technologies

Cons of CheatSheetSeries

  • Not a directly implementable security solution
  • Requires manual interpretation and implementation of best practices
  • May lack specific integration examples for certain frameworks

Code Comparison

Spring Security:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN");
    }
}

CheatSheetSeries (example from Authentication Cheat Sheet):

String password = getPassword();
String salt = getSalt();
int iterations = 10000;
int keyLength = 256;
byte[] hash = pbkdf2(password, salt, iterations, keyLength);

Spring Security is a full-fledged security framework for Java applications, providing ready-to-use implementations of security features. CheatSheetSeries, on the other hand, offers guidance and best practices for implementing security across various technologies. While Spring Security provides concrete implementations, CheatSheetSeries requires developers to implement the recommended practices manually. The code examples illustrate this difference, with Spring Security showing configuration code and CheatSheetSeries demonstrating a conceptual implementation of password hashing.

keycloak logo

keycloak

22,126

Open Source Identity and Access Management For Modern Applications and Services

Pros of Keycloak

  • Comprehensive identity and access management solution with built-in features like user federation, identity brokering, and social login
  • Provides a user-friendly admin console for easy management of users, roles, and client applications
  • Offers out-of-the-box support for various protocols like OpenID Connect, OAuth 2.0, and SAML 2.0

Cons of Keycloak

  • Steeper learning curve and more complex setup compared to Spring Security
  • Requires additional infrastructure and resources to run as a separate service
  • May be overkill for smaller applications with simpler authentication needs

Code Comparison

Spring Security configuration:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().formLogin();
    }
}

Keycloak configuration (in application.properties):

keycloak.auth-server-url=http://localhost:8080/auth
keycloak.realm=myrealm
keycloak.resource=myapp
keycloak.public-client=true
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/secured/*

Both Spring Security and Keycloak offer robust security solutions, but they cater to different use cases. Spring Security is more lightweight and integrates seamlessly with Spring applications, while Keycloak provides a full-featured IAM solution with additional capabilities beyond basic authentication and authorization.

apereo logo

cas

10,852

Apereo CAS - Identity & Single Sign On for all earthlings and beyond.

Pros of CAS

  • Designed specifically for Single Sign-On (SSO) and centralized authentication
  • Supports a wide range of authentication protocols and integrations
  • Highly customizable and extensible architecture

Cons of CAS

  • Steeper learning curve compared to Spring Security
  • Requires more configuration and setup for basic use cases
  • Less comprehensive documentation and community support

Code Comparison

Spring Security configuration:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().formLogin();
    }
}

CAS configuration:

@Configuration
@EnableCasClient
public class CasSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint());
    }
}

Both frameworks offer robust security solutions, but CAS is more focused on SSO scenarios, while Spring Security provides a broader set of security features for various application types. Spring Security is generally easier to set up for simple use cases, while CAS excels in complex, distributed authentication scenarios.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

image::https://badges.gitter.im/Join%20Chat.svg[Gitter,link=https://gitter.im/spring-projects/spring-security?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge]

image:https://github.com/spring-projects/spring-security/actions/workflows/continuous-integration-workflow.yml/badge.svg?branch=main["Build Status", link="https://github.com/spring-projects/spring-security/actions/workflows/continuous-integration-workflow.yml"]

image:https://img.shields.io/badge/Revved%20up%20by-Develocity-06A0CE?logo=Gradle&labelColor=02303A["Revved up by Develocity", link="https://ge.spring.io/scans?search.rootProjectNames=spring-security"]

= Spring Security

Spring Security provides security services for the https://docs.spring.io[Spring IO Platform]. Spring Security 6.0 requires Spring 6.0 as a minimum and also requires Java 17.

For a detailed list of features and access to the latest release, please visit https://spring.io/projects[Spring projects].

== Code of Conduct Please see our https://github.com/spring-projects/.github/blob/main/CODE_OF_CONDUCT.md[code of conduct]

== Downloading Artifacts See https://docs.spring.io/spring-security/reference/getting-spring-security.html[Getting Spring Security] for how to obtain Spring Security.

== Documentation Be sure to read the https://docs.spring.io/spring-security/reference/[Spring Security Reference]. Extensive JavaDoc for the Spring Security code is also available in the https://docs.spring.io/spring-security/site/docs/current/api/[Spring Security API Documentation].

== Quick Start See https://docs.spring.io/spring-security/reference/servlet/getting-started.html[Hello Spring Security] to get started with a "Hello, World" application.

== Building from Source Spring Security uses a https://gradle.org[Gradle]-based build system. In the instructions below, https://vimeo.com/34436402[`./gradlew`] is invoked from the root of the source tree and serves as a cross-platform, self-contained bootstrap mechanism for the build.

=== Prerequisites https://docs.github.com/en/get-started/quickstart/set-up-git[Git] and the https://www.oracle.com/java/technologies/downloads/#java17[JDK17 build].

Be sure that your JAVA_HOME environment variable points to the jdk-17 folder extracted from the JDK download.

=== Check out sources [indent=0]

git clone git@github.com:spring-projects/spring-security.git

=== Install all spring-*.jar into your local Maven repository.

[indent=0]

./gradlew publishToMavenLocal

=== Compile and test; build all JARs, distribution zips, and docs

[indent=0]

./gradlew build

The reference docs are not currently included in the distribution zip. You can build the reference docs for this branch by running the following command:

./gradlew :spring-security-docs:antora

That command publishes the docs site to the _docs/build/site_ directory. The https://github.com/spring-projects/spring-security/tree/docs-build[playbook branch] describes how to build the reference docs in detail.

Discover more commands with ./gradlew tasks.

== Getting Support Check out the https://stackoverflow.com/questions/tagged/spring-security[Spring Security tags on Stack Overflow]. https://spring.io/support[Commercial support] is available too.

== Contributing https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request[Pull requests] are welcome; see the https://github.com/spring-projects/spring-security/blob/main/CONTRIBUTING.adoc[contributor guidelines] for details.

== License Spring Security is Open Source software released under the https://www.apache.org/licenses/LICENSE-2.0.html[Apache 2.0 license].