Spring Security provides a number of security features for your application. The two main features for which Spring Security is well known are its support for a variety of authentication and authorization methodologies. In this section, we look at these core features in more detail.
Spring Security's core features
Authentication
Spring Security provides a number of approaches by which your application can authenticate. It also allows you to write a custom authentication mechanism if the provided default approaches don't fit your requirements. Because of this extensibility, you can even authenticate against a legacy application. The book has dedicated chapters (Chapter 3, Authentication Using SAML, LDAP, and OAuth/OIDC and Chapter 4, Authentication Using CAS and JAAS) where we cover various authentication mechanisms, such as OAuth, LDAP, and SAML, in more detail.
Authorization
Spring Security gives you, as an application developer, many choices by which you can authorize users' access to various parts of your application. Here are some of the approaches:
- Web URL: Based on a URL or URL pattern, you can control access
- Method invocation: Even a method in a Java Bean can be access-controlled if need be
- Domain instance: One of the very useful features is access control at the level of individual domain objects, so that specific data within your application can be protected rather than just the URLs or methods that reach it
- Web service: Allows you to secure exposed web services in your application
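The following configuration is an added example and not code from the book; it illustrates how the first three approaches above look in practice using the Spring Security 6 API (authorizeHttpRequests, @EnableMethodSecurity, @PreAuthorize, @PostAuthorize). The Report domain object, the ReportService, and the two in-memory users are constructed for the illustration.

```java
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class AuthorizationDemoConfig {

    // Web URL authorization: matchers are evaluated top to bottom and the first
    // match wins, so the most specific patterns come first and anyRequest()
    // closes the chain so that no unlisted URL is left unprotected.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // Authentication: a constructed in-memory user store for the demo. The {noop}
    // prefix stores the passwords unhashed and is suitable for local tests only.
    @Bean
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("{noop}alice-pw").roles("USER").build(),
            User.withUsername("admin").password("{noop}admin-pw").roles("USER", "ADMIN").build());
    }

    // Hypothetical domain object: a report belonging to one user.
    public record Report(long id, String owner, String body) {}

    @Service
    public static class ReportService {

        // Constructed sample data standing in for a repository.
        private final Map<Long, Report> store = Map.of(
            1L, new Report(1L, "alice", "Q1 figures"),
            2L, new Report(2L, "bob", "Q2 figures"));

        // Method invocation authorization: the caller must hold ROLE_ADMIN before
        // the body runs, whichever URL or code path invoked the method.
        @PreAuthorize("hasRole('ADMIN')")
        public boolean purge(long reportId) {
            return store.containsKey(reportId);
        }

        // Domain instance authorization: the object is loaded first, then the
        // rule compares its owner to the authenticated principal. alice can load
        // report 1; loading report 2 as alice raises AccessDeniedException.
        @PostAuthorize("returnObject.owner() == authentication.name")
        public Report load(long reportId) {
            Report report = store.get(reportId);
            if (report == null) {
                throw new IllegalArgumentException("no report " + reportId);
            }
            return report;
        }
    }
}
```

The three layers are independent: a request to /admin/** is rejected at the filter before any controller runs, purge() is rejected at the proxy before the bean's code executes even when called from a permitted URL, and load() is rejected after the object is fetched, which is what makes per-instance checks possible without a separate ACL table for this simple case.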
In the next chapter, we will get into these aspects in a bit more detail with more code snippets.