Getting started with Spring 5 Security
Following my previous post on getting started with Spring 5, this post outlines how to get started with Spring Security 5 in a reactive (WebFlux) application.
Spring Security is an authentication and authorisation framework for Java applications. Amongst its features you’ll find:
- Protection against common web attacks (e.g. CSRF)
- Servlet API integration and Spring Web MVC integration
To recap my previous post: to configure our Spring application for WebFlux, we added the following annotation to our configuration
This pulled in the auto-configuration Spring Boot provides for our HTTP application.
Up until Spring 5, we normally added the annotation
@EnableWebSecurity to pull in the auto-configuration and defaults that secure the application, but now we are in reactive land, so let’s get started with
This requires adding the following dependency to your project:
Why is it a different set?
Let us remember that Spring Security is built on filters embedded into the chain that handles web requests. When we configure security in our application we are in fact choosing which filters to use and configuring them.
Up until reactive Spring was introduced, Spring Security’s filters implemented the
Reactive Spring introduced a new interface
Let us look at the only method in this interface:
Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
Other than the self-explanatory name and parameter types, the method returns a Mono<Void>: the filter completes asynchronously instead of blocking a thread until the request has been handled, which is what a non-blocking reactive runtime (Netty, or a Servlet 3.1+ container running WebFlux) needs.
All this means that when we set up defences such as CSRF and CORS protection, a different set of filter classes is embedded into our application in place of the servlet filters we were familiar with.
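To make the reactive filter chain concrete, here is an added example (mine, not code from the original post) of a WebFlux security configuration that keeps CSRF protection on, declares authorisation rules, and registers a custom filter implementing the reactive WebFilter interface whose method was shown above. The class names ReactiveSecurityConfig and ApiKeyHeaderFilter, the /internal/ path rule and the header name X-Internal-Key are my own illustrative choices; the Spring types and methods (@EnableWebFluxSecurity, ServerHttpSecurity, SecurityWebFilterChain, addFilterAt, SecurityWebFiltersOrder) are real Spring Security 5 API.

```java
// Added example, not from the original post. Requires spring-boot-starter-webflux
// and spring-boot-starter-security on the classpath.
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class ReactiveSecurityConfig {

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
            // CSRF protection is enabled by default; calling csrf() only makes that explicit.
            .csrf().and()
            .authorizeExchange()
                .pathMatchers("/public/**").permitAll()
                .pathMatchers("/admin/**").hasRole("ADMIN")
                .anyExchange().authenticated()
                .and()
            .httpBasic().and()
            // Our own reactive filter, slotted into the security chain at the
            // authentication position (addFilterAt exists since Spring Security 5.0).
            .addFilterAt(new ApiKeyHeaderFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
            .build();
    }

    /**
     * A reactive WebFilter: the WebFlux counterpart of a servlet Filter.
     * Illustrative rule (my assumption, not a Spring feature): requests under
     * /internal/ must carry an X-Internal-Key header with the expected value.
     */
    static class ApiKeyHeaderFilter implements WebFilter {
        // Placeholder value; a real deployment would load this from configuration.
        private static final byte[] EXPECTED_KEY = "change-me".getBytes(UTF_8);

        @Override
        public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
            String path = exchange.getRequest().getPath().value();
            if (!path.startsWith("/internal/")) {
                return chain.filter(exchange); // not our concern, hand the request on
            }
            String key = exchange.getRequest().getHeaders().getFirst("X-Internal-Key");
            // Constant-time comparison so the check does not leak key bytes via timing.
            boolean ok = key != null && MessageDigest.isEqual(key.getBytes(UTF_8), EXPECTED_KEY);
            if (!ok) {
                exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
                // Short-circuit: completing the response means chain.filter() is never called.
                return exchange.getResponse().setComplete();
            }
            return chain.filter(exchange);
        }
    }
}
```

Note that nothing in the filter blocks: both the pass-through and the rejection paths return a Mono that the server subscribes to, so a slow downstream handler never ties up the event loop thread the filter ran on.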
To demonstrate a feature that requires a bit more coding, let us look at user management:
Up until now, for user management we implemented the interface
UserDetailsService. Reactive Spring introduces
ReactiveUserDetailsService, meaning we now need to implement:
Mono<UserDetails> findByUsername(String username)
How this is implemented internally is up to us, as long as we return a Mono of UserDetails; for an unknown user we return an empty Mono, which Spring Security turns into a failed authentication.
Reactive Spring Security is still similar enough to the Spring Security we were familiar with up until now.
When adding more advanced features or your own filters, make sure you implement the correct (reactive) interfaces and that the implementation makes sense in a reactive application; in particular, do not block inside a filter or a user lookup.
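As an added example (my code, not the original post’s), here is a ReactiveUserDetailsService backed by an in-memory map, plus a helper showing how to wrap a blocking lookup (a JDBC call, say) so it stays off the event loop. The class name, the constructed user "alice" and her sample password are my own; ReactiveUserDetailsService, User.withUsername, Mono.justOrEmpty and Mono.fromCallable are real Spring Security / Reactor API.

```java
// Added example, not from the original post.
import java.util.Map;
import java.util.function.Function;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.password.PasswordEncoder;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

public class MapBackedReactiveUserDetailsService implements ReactiveUserDetailsService {

    private final Map<String, UserDetails> users;

    public MapBackedReactiveUserDetailsService(Map<String, UserDetails> users) {
        this.users = users;
    }

    @Override
    public Mono<UserDetails> findByUsername(String username) {
        // Unknown user -> empty Mono. Spring Security maps that to a generic
        // "bad credentials" failure, so we never throw here and never produce a
        // different error for "no such user" than for "wrong password".
        return Mono.justOrEmpty(users.get(username));
    }

    /**
     * For lookups that block (JDBC, LDAP, ...): run them on a scheduler meant for
     * blocking work instead of the event loop. Mono.fromCallable treats a null
     * result as an empty Mono, matching the contract above.
     * (Schedulers.boundedElastic() is Reactor 3.3+; older Reactor used elastic().)
     */
    static Mono<UserDetails> fromBlockingLookup(Function<String, UserDetails> lookup, String username) {
        return Mono.fromCallable(() -> lookup.apply(username))
                   .subscribeOn(Schedulers.boundedElastic());
    }

    /** Builds a service holding one constructed demo user (sample data, not real credentials). */
    public static MapBackedReactiveUserDetailsService withDemoUser(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
            .password(encoder.encode("correct horse battery staple")) // constructed sample
            .roles("USER")                                            // stored as ROLE_USER
            .build();
        return new MapBackedReactiveUserDetailsService(Map.of("alice", alice));
    }
}
```

Expose an instance as a @Bean (together with a PasswordEncoder bean) and Spring Security’s WebFlux auto-configuration wires it into a ReactiveAuthenticationManager for you; no further glue is needed for HTTP Basic or form login.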
But before we part
I want to mention other new features introduced in Spring Security 5:
OAuth 2.0 login
You can add to your application the capability to log in with an OAuth 2.0 or OpenID Connect account from the respective provider.
Password encoding modernisation
Choosing a good hash function to protect stored passwords is not easy: a good password hash is deliberately expensive to compute, so hashing well costs CPU and can slow your system down. In addition, the recommended algorithms change over time, and there are applications still using old ones.
Spring Security 5 introduces
DelegatingPasswordEncoder, which:
- Encodes new passwords with the currently recommended algorithm, tagging each stored hash with an {id} prefix that records how it was encoded
- Validates passwords stored in both modern and legacy formats
- Leaves room for future algorithms
In addition, the
PasswordEncoder interface gained the method
boolean upgradeEncoding(java.lang.String encodedPassword)
which tells you whether a stored password hash should be re-encoded with the current algorithm.
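Putting the two together, here is an added example (my code, not from the original post) of verifying a login against hashes stored in different formats and re-hashing a legacy one the moment a correct password is seen. The user table and passwords are constructed sample data; PasswordEncoderFactories.createDelegatingPasswordEncoder, matches and upgradeEncoding are real Spring Security 5 API.

```java
// Added example, not from the original post. Requires spring-security-crypto.
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordUpgradeDemo {

    public static void main(String[] args) {
        // Encodes with the current default (bcrypt, stored as "{bcrypt}...") and can
        // match any registered legacy id such as {noop}, {sha256}, {pbkdf2}, {scrypt}.
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // Constructed user table: one legacy entry stored in clear text behind the
        // {noop} id, one already on bcrypt. Sample data only.
        Map<String, String> storedHashes = new LinkedHashMap<>();
        storedHashes.put("legacy-user", "{noop}s3cret-legacy");
        storedHashes.put("modern-user", encoder.encode("s3cret-modern"));

        verifyAndUpgrade(encoder, storedHashes, "legacy-user", "s3cret-legacy"); // upgraded
        verifyAndUpgrade(encoder, storedHashes, "modern-user", "s3cret-modern"); // already current
        verifyAndUpgrade(encoder, storedHashes, "legacy-user", "wrong-password"); // rejected
    }

    /**
     * Returns true if the password is correct. On success, re-hashes the stored value
     * when upgradeEncoding says the current format is no longer the recommended one.
     */
    static boolean verifyAndUpgrade(PasswordEncoder encoder, Map<String, String> store,
                                    String user, String rawPassword) {
        String stored = store.get(user);
        if (stored == null || !encoder.matches(rawPassword, stored)) {
            System.out.println(user + ": login rejected");
            return false;
        }
        // Only after a successful match do we hold the raw password needed to re-hash,
        // so this is the only point at which a legacy hash can be upgraded.
        if (encoder.upgradeEncoding(stored)) {
            String upgraded = encoder.encode(rawPassword);
            store.put(user, upgraded);
            String id = upgraded.substring(0, upgraded.indexOf('}') + 1);
            System.out.println(user + ": authenticated, hash upgraded to " + id + "...");
        } else {
            System.out.println(user + ": authenticated, hash already current");
        }
        return true;
    }
}
```

Two caveats from practice: the delegating encoder identifies the algorithm by the {id} prefix, so existing hashes must be prefixed during migration (for example prepend {bcrypt} to an old bcrypt column), or matching throws because no encoder is mapped for a missing id; construct DelegatingPasswordEncoder directly and call setDefaultPasswordEncoderForMatches if you cannot rewrite the column. And in a reactive application you do not have to hand-roll the upgrade loop above: Spring Security 5.1 added ReactiveUserDetailsPasswordService, which the authentication manager calls after a successful login whenever upgradeEncoding returns true.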
I hope this post helps list the benefits of transitioning to Spring 5 and reactive Spring.