Spring Study Notes - Copyright © 2010 Gavin Lasnitzki
Security

1.1. What is Spring Security?

Spring Security provides comprehensive security services for J2EE-based enterprise software applications.

Security features of J2EE's Servlet Specification or EJB Specification lack the depth required for typical enterprise application scenarios. They are also not portable at a WAR or EAR level.

Security comprises two major operations:

  • Authentication - the process of establishing that a principal is who they claim to be.
    A "principal" generally means a user, device or some other system which can perform an action in your application.
  • Authorization - the process of deciding whether a principal is allowed to perform an action in your application.
    To arrive at the point where an authorization decision is needed, the identity of the principal has already been established by the authentication process.

At an authentication level, Spring Security supports a wide range of authentication models.
Most of these authentication models are either provided by third parties, or are developed by relevant standards bodies such as the Internet Engineering Task Force.
Spring Security is an open platform and it is quite simple to write your own authentication mechanism.

Spring Security fully supports automatic "channel security", together with JCaptcha integration for human user detection.

Spring Security provides a deep set of authorization capabilities.
Authorization has three main areas of interest:

  • authorizing web requests
  • authorizing whether methods can be invoked
  • authorizing access to individual domain object instances.