- Powerful and highly customizable authentication and access-control framework.
- The de facto standard for securing Spring-based applications.
Features
- Comprehensive and extensible support for both Authentication and Authorization
- Protection against attacks such as session fixation, clickjacking and cross-site request forgery (CSRF)
- Servlet API integration
- Optional integration with Spring web MVC
What can Spring Security do?
- Username/password authentication
- SSO / Okta / LDAP
- App level authorization
- Intra-app authorization (e.g. OAuth)
- Microservice security (using tokens, JWT)
- Method level security
Spring Security Concepts
- Authentication - who are you?
- Authorization - what do you want to do?
- Principal - the currently logged-in account
- Granted Authority - what this principal is allowed to do (fine-grained access, e.g. a single permission)
- Roles - what sorts of things this principal can do (coarse-grained access, a bundle of permissions)
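The concepts above map directly onto Spring Security's API. The following configuration is an added example (not code from the original notes or from the Spring Security project) that wires up username/password authentication, shows how a role is just a `GrantedAuthority` with the `ROLE_` prefix, and combines URL-level and method-level authorization. It assumes Spring Security 6 and Spring Boot; the package name, the user accounts, the passwords and the `ReportService` class are all constructed for this example.

```java
package demo.security; // hypothetical package name for this example

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // turns on @PreAuthorize / @PostAuthorize (method-level security)
public class SecurityConfig {

    // Authorization at the URL level. CSRF protection and session-fixation
    // protection stay enabled because this configuration does not switch them off.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // coarse-grained: hasRole("ADMIN") checks for the authority "ROLE_ADMIN"
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // fine-grained: a specific permission, no ROLE_ prefix
                .requestMatchers("/reports/**").hasAuthority("REPORT_READ")
                // everything else only needs an authenticated principal
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults()); // username/password authentication
        return http.build();
    }

    // Passwords are stored hashed; the delegating encoder prefixes the hash with
    // its algorithm id (e.g. {bcrypt}) so the scheme can be rotated later.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Constructed in-memory accounts for the example only; a real deployment
    // would back UserDetailsService with a database, LDAP or an SSO provider.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
            .password(encoder.encode("alice-example-password"))
            // .roles("ADMIN") would be stored as the single authority "ROLE_ADMIN".
            // Caveat: roles(...) and authorities(...) replace each other (last call wins),
            // so to give a role AND a fine-grained permission, list both as authorities.
            .authorities("ROLE_ADMIN", "REPORT_READ")
            .build();
        UserDetails bob = User.withUsername("bob")
            .password(encoder.encode("bob-example-password"))
            .roles("USER") // stored as "ROLE_USER"; bob cannot reach /admin/** or /reports/**
            .build();
        return new InMemoryUserDetailsManager(alice, bob);
    }
}

// Hypothetical service showing method-level security and access to the principal.
@Service
class ReportService {

    // Enforced on every call, not just on HTTP entry points, so a bug in a
    // controller that forgets the URL rule cannot bypass this check.
    @PreAuthorize("hasAuthority('REPORT_READ')")
    public String monthlyReport() {
        // The principal is the currently logged-in account held in the SecurityContext.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return "report generated for principal " + auth.getName()
            + " with authorities " + auth.getAuthorities();
    }
}
```

With this in place, `alice` can open `/admin/**` (role check) and `/reports/**` and call `monthlyReport()` (authority check), while `bob` is authenticated but gets a 403 on both paths and an `AccessDeniedException` from the service method. The `ROLE_` prefix is the only thing that distinguishes a role from any other granted authority, which is why `hasRole("ADMIN")` and `hasAuthority("ROLE_ADMIN")` are equivalent.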