๐ฅ Spring Security: Authentication & Authorization Simplified ๐ฅ
Shubham Raiyani๐ 1. Authentication Components
๐น 1.1 Authentication (Interface)
๐น Purpose: Represents the current logged-in user.
๐น Where to use: When you need to get user details inside your app.
๐น Best Practice: Always fetch authentication using SecurityContextHolder.
๐
Spring Security is a framework that helps secure your web applications by handling authentication (who you are) and authorization (what you can do).
This guide breaks down all key components, explaining:
โ
What they do
โ
Where and when to use them
โ
Best practices in real-world applications
๐ 1. Authentication Basics
Authentication is the process of verifying who you are when accessing an application. In Spring Security, this is handled by different components that work together.
๐น 1.1 Authentication (Interface)
๐น What it does: Stores user details after login.
๐น Where to use it: When you need to know who is logged in.
๐น Best practice: Always fetch from SecurityContextHolder.
๐ Example:
javaCopyEditAuthentication authentication = SecurityContextHolder.getContext().getAuthentication();
System.out.println(authentication.getName()); // Logged-in username
This ensures only authenticated users access specific resources.
๐น 1.2 AuthenticationManager (Interface)
๐น What it does: Validates login credentials.
๐น Where to use it: When a user submits their username and password.
๐น Best practice: Use it inside a service instead of directly in controllers.
๐ Example Implementation:
javaCopyEdit@Bean
public AuthenticationManager authenticationManager(UserDetailsService userDetailsService) {
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setUserDetailsService(userDetailsService);
provider.setPasswordEncoder(new BCryptPasswordEncoder());
return new ProviderManager(provider);
}
This ensures secure authentication logic.
๐น 1.3 AuthenticationProvider (Interface)
๐น What it does: Checks credentials against a database.
๐น Where to use it: Inside authentication logic (e.g., JWT, OAuth2).
๐น Best practice: Use DaoAuthenticationProvider for database-based login.
๐ Example:
javaCopyEdit@Bean
public AuthenticationProvider authenticationProvider(){
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setPasswordEncoder(new BCryptPasswordEncoder());
provider.setUserDetailsService(userDetailsService);
return provider;
}
This provides a secure way to verify users.
๐ 2. Managing Users in Spring Security
To authenticate users, Spring Security needs a way to load user details.
๐น 2.1 UserDetails (Interface)
๐น What it does: Represents a user in the system.
๐น Where to use it: Used by UserDetailsService to load users from DB.
๐น Best practice: Implement in a separate class to avoid exposing sensitive data.
๐ Example Implementation:
javaCopyEditpublic class CustomUserDetails implements UserDetails {
private User user;
public CustomUserDetails(User user) {
this.user = user;
}
@Override
public String getUsername() {
return user.getUsername();
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return Collections.singleton(new SimpleGrantedAuthority(user.getRole()));
}
}
This keeps user management flexible and secure.
๐น 2.2 UserDetailsService (Interface)
๐น What it does: Fetches user details from a database.
๐น Where to use it: Inside authentication providers (DaoAuthenticationProvider).
๐น Best practice: Fetch only necessary user details for better performance.
๐ Example Implementation:
javaCopyEdit@Service
public class UserDetailsServiceImpl implements UserDetailsService {
private final UserRepository userRepository;
public UserDetailsServiceImpl(UserRepository userRepository) {
this.userRepository = userRepository;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepository.findByUsername(username)
.orElseThrow(() -> new UsernameNotFoundException("User not found"));
return new CustomUserDetails(user);
}
}
This ensures users are securely retrieved from the database.
๐ 3. Securing Endpoints in Spring Security
After authenticating users, we need to control what they can access.
๐น 3.1 SecurityFilterChain (Interface)
๐น What it does: Defines security rules (who can access what).
๐น Where to use it: In the @Configuration class.
๐น Best practice: Keep rules modular and well-organized.
๐ Example Implementation:
javaCopyEdit@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/api/auth/**").permitAll() // Public endpoints
.anyRequest().authenticated() // Secure all other endpoints
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
return http.build();
}
This ensures unauthenticated users cannot access protected resources.
๐น 3.2 HttpSecurity (Class)
๐น What it does: Configures authentication, session management, CORS, CSRF, etc.
๐น Where to use it: Inside SecurityFilterChain.
๐น Best practice: Disable CSRF for APIs but enable it for web forms.
๐ Example:
javaCopyEdit@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/public/**").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
.and()
.httpBasic();
return http.build();
}
This controls who can access what parts of the application.
๐ 4. Token-Based Authentication (JWT)
Instead of using sessions, modern applications use JWT tokens for authentication.
๐น 4.1 OncePerRequestFilter (Abstract Class)
๐น What it does: Ensures JWT validation happens only once per request.
๐น Where to use it: Before UsernamePasswordAuthenticationFilter.
๐น Best practice: Keep it lightweight to avoid performance issues.
๐ Example:
javaCopyEdit@Component
public class JwtRequestFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain chain) throws ServletException, IOException {
String token = extractJwtFromRequest(request);
// Validate token and set authentication in SecurityContextHolder
chain.doFilter(request, response);
}
}
This ensures JWT authentication is properly enforced.
๐ 5. Handling Errors in Security
To provide a better user experience, Spring Security allows custom error handling.
๐น 5.1 AuthenticationEntryPoint (Interface)
๐น What it does: Handles 401 Unauthorized errors.
๐น Where to use it: Inside SecurityFilterChain.
๐น Best practice: Return meaningful error messages.
๐ Example:
javaCopyEdit@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) throws IOException {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized access");
}
}
๐น 5.2 AccessDeniedHandler (Interface)
๐น What it does: Handles 403 Forbidden errors.
๐น Where to use it: Inside SecurityFilterChain.
๐น Best practice: Log security violations.
๐ Example:
javaCopyEdit@Component
public class CustomAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException {
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
}
}
โ Conclusion
Spring Security is flexible and powerful. Follow these best practices:
โ Use UserDetailsService for database authentication.
โ Use JWT for secure token-based authentication.
โ Define clear access rules using SecurityFilterChain.
Let me know if you need more details! ๐
Subscribe to my newsletter
Read articles from Shubham Raiyani directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by