Getting-started with Spring 5 security

Following my previous post about how to get started with Spring 5, in this post I will outline how to get started with Spring Security 5 in a reactive (WebFlux) application.

Spring security

Spring Security is an authentication and authorisation framework for Java applications. Amongst its features you will find:

  • Authentication
  • Authorization
  • Protection against common web attacks (e.g. CSRF)
  • Integration with the Servlet API and Spring Web MVC (and, since Spring Security 5, with the reactive WebFlux stack)

Getting started

To recap my previous post, to configure our Spring application to work with WebFlux we added the annotation @EnableWebFlux to our configuration.

This imports Spring's WebFlux infrastructure (codecs, handler mappings and so on) for our reactive HTTP application; with Spring Boot, the spring-boot-starter-webflux auto-configuration provides the same without the annotation.

For a servlet (Spring MVC) application we normally add the annotation @EnableWebSecurity to get Spring Security's configuration and secure defaults, but now we are in reactive land, so let's get started with its reactive counterpart, @EnableWebFluxSecurity.

With Spring Boot this requires adding the dependency org.springframework.boot:spring-boot-starter-security to your project (without Boot: spring-security-config and spring-security-web).

Why is it a different set?

Let us remember that Spring Security is based on filters embedded into the chain that handles web requests; when we configure security in our application we are in fact picking which filters to use and configuring them.

Until reactive Spring was introduced, Spring Security's filters implemented the Servlet API's Filter interface (javax.servlet.Filter), which is synchronous: doFilter returns only once the request has been handled.

Reactive Spring introduced a new interface, org.springframework.web.server.WebFilter.

Let us look at the only method in this interface:

Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);

Other than the self-explanatory name and parameter types (the ServerWebExchange bundles request and response, and chain.filter(exchange) hands control to the next filter), the method returns a Mono<Void>: the filter completes asynchronously, which is what a non-blocking runtime (Reactor Netty, or a Servlet 3.1+ container in non-blocking mode) needs.

All this means that when we set up defences such as CSRF, CORS and others, a different set of filter classes (CsrfWebFilter and CorsWebFilter instead of CsrfFilter and CorsFilter, and so on) is embedded into our application, and any filter of our own has to implement WebFilter rather than Filter.
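As an added example (not code from the original post), here is what the two sections above amount to in one configuration class: a SecurityWebFilterChain bean built from ServerHttpSecurity that enables CSRF and CORS with the reactive filter classes, restricts paths, and registers a custom WebFilter at the end of the chain. The paths (/public/**, /admin/**), the origin https://app.example.com, and the AuditWebFilter class are assumptions; the class assumes Spring Boot 2 with spring-boot-starter-webflux and spring-boot-starter-security on the classpath.

```java
import java.util.Arrays;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsConfigurationSource;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class ReactiveSecurityConfig {

    // The SecurityWebFilterChain is the reactive counterpart of the servlet FilterChainProxy:
    // every entry in it is a WebFilter, not a javax.servlet.Filter.
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                // CSRF protection (CsrfWebFilter) is on by default; the token repository is made
                // explicit here. The token lives in the WebSession and must be echoed back on every
                // state-changing request as the X-CSRF-TOKEN header or the _csrf form field.
                .csrf()
                    .csrfTokenRepository(new WebSessionServerCsrfTokenRepository())
                .and()
                // CorsWebFilter runs early in the chain so pre-flight OPTIONS requests from the
                // allowed origin are answered before authentication is attempted.
                .cors()
                    .configurationSource(corsConfigurationSource())
                .and()
                .authorizeExchange()
                    .pathMatchers(HttpMethod.GET, "/public/**").permitAll()
                    // hasRole("ADMIN") matches the granted authority "ROLE_ADMIN"
                    .pathMatchers("/admin/**").hasRole("ADMIN")
                    .anyExchange().authenticated()
                .and()
                .httpBasic()
                .and()
                .formLogin()
                .and()
                // our own WebFilter, placed after authentication and authorization
                .addFilterAt(new AuditWebFilter(), SecurityWebFiltersOrder.LAST)
                .build();
    }

    // Deliberately narrow CORS policy: one trusted origin (assumed), explicit methods and headers.
    // Never combine allowCredentials(true) with a wildcard origin.
    private CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(Arrays.asList("https://app.example.com"));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "X-CSRF-TOKEN"));
        config.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }

    // A WebFilter that writes an audit line per request. The principal is read from the
    // reactive security context (Reactor subscriber context); the ThreadLocal-based
    // SecurityContextHolder would be empty on a reactive thread.
    static final class AuditWebFilter implements WebFilter {
        private static final Logger log = LoggerFactory.getLogger(AuditWebFilter.class);

        @Override
        public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
            String method = exchange.getRequest().getMethodValue();
            String path = exchange.getRequest().getPath().value();
            return ReactiveSecurityContextHolder.getContext()
                    .filter(ctx -> ctx.getAuthentication() != null)
                    .map(ctx -> ctx.getAuthentication().getName())
                    .defaultIfEmpty("anonymous")
                    .doOnNext(user -> log.info("audit user={} {} {}", user, method, path))
                    // hand over to the rest of the chain; the returned Mono completes with it
                    .then(chain.filter(exchange));
        }
    }
}
```

Note that the order argument of addFilterAt is a SecurityWebFiltersOrder constant, not a class reference as in the servlet DSL: the reactive chain is ordered by these constants, and a filter placed at LAST sees the security context that the authentication filters put into the Reactor context earlier in the same chain.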

User management

To demonstrate a feature that requires a bit more coding, let us look at user management:

Until now, for user management we implemented the interface UserDetailsService; reactive Spring introduces ReactiveUserDetailsService, meaning we need to implement:

Mono<UserDetails> findByUsername(String username)

How this is implemented internally is up to us, as long as we return a Mono<UserDetails> (an empty Mono signals that the user does not exist, which Spring reports as bad credentials) and do not block the calling thread while producing it.
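As an added example (not code from the original post), a ReactiveUserDetailsService that wraps a blocking user store. The AccountRepository interface and Account class are hypothetical stand-ins for whatever JPA, JDBC or LDAP layer you have; the example assumes Reactor 3.3 or later for Schedulers.boundedElastic() (on older releases use Schedulers.elastic()).

```java
import java.util.Optional;

import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

@Service
public class RepositoryReactiveUserDetailsService implements ReactiveUserDetailsService {

    // Hypothetical blocking data-access layer (JPA, JDBC, LDAP ...), not part of the post.
    public interface AccountRepository {
        Optional<Account> findByUsername(String username);
    }

    // Hypothetical persisted account. passwordHash holds a hash in the "{id}hash" form
    // produced by DelegatingPasswordEncoder, never a clear-text password.
    public static final class Account {
        public final String username;
        public final String passwordHash;
        public final boolean enabled;
        public final String[] roles;

        public Account(String username, String passwordHash, boolean enabled, String... roles) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.enabled = enabled;
            this.roles = roles;
        }
    }

    private final AccountRepository accounts;

    public RepositoryReactiveUserDetailsService(AccountRepository accounts) {
        this.accounts = accounts;
    }

    @Override
    public Mono<UserDetails> findByUsername(String username) {
        return Mono.fromCallable(() -> accounts.findByUsername(username))
                // the repository blocks, so run it on a worker scheduler, not on the event loop
                .subscribeOn(Schedulers.boundedElastic())
                // Optional.empty() becomes an empty Mono. Spring's reactive authentication manager
                // maps an empty result to BadCredentialsException, the same error as a wrong
                // password, so the response does not reveal whether the username exists.
                .flatMap(found -> Mono.justOrEmpty(found))
                .map(this::toUserDetails);
    }

    private UserDetails toUserDetails(Account account) {
        return User.withUsername(account.username)
                .password(account.passwordHash)
                // roles() adds the ROLE_ prefix, so hasRole("ADMIN") matches an account with "ADMIN"
                .roles(account.roles)
                .disabled(!account.enabled)
                .build();
    }
}
```

For tests and demos Spring Security 5 also ships MapReactiveUserDetailsService, an in-memory implementation of the same interface; the pattern above is what you need once users live in a real store.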

To summarize

Reactive Spring Security is still similar enough to the Spring Security we have known until now.

When adding more advanced features or your own filters, make sure you are implementing the correct (reactive) interfaces and that you are implementing these features in a way that makes sense in a reactive application: no blocking calls on the event loop, and no ThreadLocal state such as SecurityContextHolder (use ReactiveSecurityContextHolder instead).

But before we part

I did want to mention other new features introduced in Spring Security 5:

OAuth 2.0 login

You can add to your application the capability to log in with an OAuth 2.0 or OpenID Connect account at the respective provider.

Password encoding modernization

Protecting stored passwords with a good hash function is not easy: a hash slow enough to resist brute force is by design resource intensive and can slow your system down, the recommended algorithm and cost change over time, and many applications still hold hashes produced by older methods. Spring Security 5 introduces DelegatingPasswordEncoder, which stores the encoder id with each hash (for example {bcrypt}$2a$10$...) in order to:

  • Encode new passwords with the currently recommended encoder (bcrypt by default)
  • Verify passwords stored by both modern and legacy encoders, selected by the id prefix
  • Leave room for future algorithms without another migration

In addition, the PasswordEncoder interface gained the method

 boolean upgradeEncoding(java.lang.String encodedPassword)

(a default method, added in Spring Security 5.1) which tells you whether a stored hash should be re-encoded with the current default. Since a hash cannot be converted without the clear-text password, the re-encoding has to happen at the user's next successful login.
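As an added example (not code from the original post), a small login routine that uses the delegating encoder to verify a legacy hash and upgrade it in place. The in-memory store and the two accounts are constructed for the example; the legacy entry uses the {noop} id to stand in for a system that stored clear text.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordUpgradeDemo {

    // createDelegatingPasswordEncoder() returns a DelegatingPasswordEncoder: encode() uses bcrypt
    // and prefixes the result with "{bcrypt}"; matches() picks the encoder named by the prefix of
    // the stored hash ({noop}, {pbkdf2}, {scrypt}, {sha256}, ... are registered as well).
    static final PasswordEncoder ENCODER = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // Compared against when the username is unknown, so an unknown user costs the same bcrypt
    // work as a known one and response time does not reveal which usernames exist.
    private static final String DUMMY_HASH = ENCODER.encode("not-a-real-password");

    // Constructed sample store: username -> stored hash. "legacy-user" was migrated from a
    // system that stored clear text (the {noop} id); "new-user" was created with ENCODER.
    final Map<String, String> store = new HashMap<>();

    public PasswordUpgradeDemo() {
        store.put("legacy-user", "{noop}correct horse");
        store.put("new-user", ENCODER.encode("battery staple"));
    }

    public boolean login(String username, String rawPassword) {
        String stored = store.get(username);
        if (stored == null) {
            ENCODER.matches(rawPassword, DUMMY_HASH);
            return false;
        }
        if (!ENCODER.matches(rawPassword, stored)) {
            return false;
        }
        // Only after a successful match do we hold a clear-text we can trust. If the stored hash
        // is not in the default format (or is bcrypt with a lower cost than the default),
        // re-hash it now and replace the stored value.
        if (ENCODER.upgradeEncoding(stored)) {
            store.put(username, ENCODER.encode(rawPassword));
        }
        return true;
    }

    public boolean needsUpgrade(String username) {
        return ENCODER.upgradeEncoding(store.get(username));
    }

    public static void main(String[] args) {
        PasswordUpgradeDemo demo = new PasswordUpgradeDemo();
        System.out.println("new-user stored as: " + demo.store.get("new-user"));
        System.out.println("legacy-user needs upgrade: " + demo.needsUpgrade("legacy-user"));
        System.out.println("new-user needs upgrade: " + demo.needsUpgrade("new-user"));
        System.out.println("wrong password accepted: " + demo.login("legacy-user", "wrong"));
        System.out.println("legacy-user still needs upgrade: " + demo.needsUpgrade("legacy-user"));
        System.out.println("correct password accepted: " + demo.login("legacy-user", "correct horse"));
        System.out.println("legacy-user now stored as: " + demo.store.get("legacy-user"));
        System.out.println("unknown user accepted: " + demo.login("nobody", "anything"));
    }
}
```

Two caveats: a stored hash with no {id} prefix makes DelegatingPasswordEncoder.matches throw an IllegalArgumentException rather than return false, so for an existing table of prefix-less hashes call setDefaultPasswordEncoderForMatches with the encoder that produced them; and when you use Spring's own authentication manager instead of a hand-written login, implementing UserDetailsPasswordService (ReactiveUserDetailsPasswordService on WebFlux, both added in 5.1) lets it perform this upgrade for you after a successful login.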

I hope this post helps list the benefits of transitioning to Spring 5 and reactive Spring.

Senior Java Developer

Backend Group