
01 The Top Framework What Kind of Security Framework is Spring Security #

In the opening words, we described the security requirements of web applications and introduced the Spring Security framework specifically designed to meet these requirements. Spring Security is a long-standing framework in the Spring family with a complete and powerful feature system. From today onwards, we will formally study Spring Security and discuss its feature system.

Introduction to Spring Security #

In fact, Spring Security existed for many years before the emergence of Spring Boot. However, the development of Spring Security has not been very smooth, mainly due to the complexity of integrating and configuring the framework in application programs. But with the rise of Spring Boot and its automatic configuration solution for Spring Security, developers can use Spring Security with zero configuration. To use Spring Security in a Spring Boot application, you just need to add the following dependency in the pom file of the Maven project:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Next, let’s build a simple HTTP endpoint as shown below:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DemoController {

    // Plain HTTP GET endpoint; nothing here mentions security at all
    @GetMapping("/hello")
    public String hello() {
        return "Hello World!";
    }
}

Now, start this Spring Boot application and access the “/hello” endpoint through a browser. You might expect to see the output “Hello World!”, but in fact, the browser will redirect to a login page as shown below:

[Figure: Default login page built into Spring Security]

So why does this login page pop up? The reason is that after adding the spring-boot-starter-security dependency, Spring Security automatically embeds the user authentication mechanism into the application.

Next, let’s analyze how to get the username and password required for login based on this login scenario. We noticed a log message in the Spring Boot console startup log as shown below:

Using generated security password: 707d7469-631f-4d92-ab71-3809620fe0dc

This log line shows the password that Spring Security generates at startup when no user store has been configured; the default username is “user”. Note that a new password is generated on every startup, so the value you see will differ from the one above. Entering the correct username and password makes the browser display the response “Hello World!”. You can try it out.

The above process demonstrates the authentication feature provided by Spring Security, which is also one of the basic features among the many features of Spring Security. Next, let’s explore the complete feature system of Spring Security together.

Feature System of Spring Security #

Spring Security provides a complete set of security solutions. It provides security features corresponding to different business requirements and application scenarios. In the following content, we will discuss these features from the perspectives of monolithic applications, microservices architecture, and reactive systems.

Spring Security and Monolithic Applications #

In a software system, the content to be accessed can be defined as a resource, and the core goal of security design is to protect these resources and ensure that access to them is secure and controllable. For example, in a web application, the HTTP endpoints exposed externally can be understood as resources. There are also some commonly used technology systems in the industry for securing resource access. Before explaining these technology systems, let’s first understand two very common and easily confused concepts in the security domain: authentication and authorization.

First, we need to clarify that authentication is about answering the question “Who are you?” In other words, for each access request, the system can determine whether the visitor has a valid identity.

Once it is clear “who you are”, the next step is to determine “what you can do”, which is authorization. Common authorization models are mostly based on permission management systems, which are a combination of resources, permissions, roles, and users. If we combine authentication and authorization, we have the most common solution for managing the security of resources in a system. This solution involves first determining the valid identity of the resource requester, and then determining whether they have the necessary permissions to access that resource, as shown in the following diagram:

[Figure: Diagram of resource access security based on authentication and authorization mechanisms]

This diagram represents a general approach, and specific implementation strategies can be derived based on different application scenarios and technological systems. The authentication and authorization models in web application systems are similar to the diagram above, but they also have their own specific characteristics in terms of design and implementation.

For authentication, the requirements are relatively clear. Obviously, we need to build a complete storage system to store and maintain user information, and ensure that this information is used appropriately during request processing.

On the other hand, authorization can be more complex. For a specific web application, the first challenge we face is how to determine if an HTTP request has the necessary permissions to access it. Furthermore, even if a request has the necessary permissions to access the application, it does not necessarily mean that it can access all the HTTP endpoints of the application. Some core functionalities may require higher permissions, while others may not. This leads us to the second challenge: how to manage access permissions with precision? The following diagram illustrates this:

[Figure: Illustration of web application access authorization]

In the diagram above, we assume that the request has access permissions to endpoints 2, 3, and 4, but not to endpoint 1. To achieve this, the common approach is to introduce a role system. Different users are assigned different levels of roles, and different roles have different access permissions. Each request can be associated with a specific role, granting it the corresponding access permissions.

Next, let’s combine authentication and authorization to outline a security implementation plan for web application access scenarios, as shown in the following diagram:

[Figure: Integration of authentication and authorization in a monolithic service]

From the diagram, we can see that user authentication is achieved by passing user credentials in the request, and then access permissions are obtained based on the role information in the user data. Finally, access authorization to the HTTP endpoints is granted.

Around authentication and authorization, we also need a series of additional functionalities to ensure the entire process can be implemented. These functionalities include encryption and decryption mechanisms for password protection, implementation of method-level security access, support for cross-origin resource sharing (CORS), etc. These functionalities will be discussed in detail in the upcoming articles in our column.
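The following configuration, added here as an example and not taken from the lecture or the Spring project itself, puts the monolithic model together in Spring Security's Java configuration: an in-memory user store with BCrypt-hashed passwords (authentication), role-based rules per HTTP endpoint (authorization, using the endpoint numbering from the diagram above), and one method-level check. It assumes Spring Boot 3.x with Spring Security 6.x; the package name, endpoint paths, usernames and passwords are made up for the illustration.

```java
// Added example (not from the original lecture). Assumes Spring Boot 3.x /
// Spring Security 6.x with spring-boot-starter-security on the classpath.
// Endpoint paths (/endpoint1 .. /endpoint4), users and passwords are hypothetical.
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // turns on @PreAuthorize checks on bean methods
public class SecurityConfig {

    // Authorization: which role may reach which HTTP endpoint ("resource").
    // Rules are evaluated top-down, so the specific matchers come first and a
    // catch-all closes the list so no endpoint is left unprotected by accident.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/endpoint1").hasRole("ADMIN")                 // endpoint 1: admins only
                .requestMatchers("/endpoint2", "/endpoint3", "/endpoint4")
                    .hasAnyRole("USER", "ADMIN")                                 // endpoints 2-4: any signed-in user
                .anyRequest().authenticated())                                    // everything else still needs a login
            .formLogin(Customizer.withDefaults())   // the default login page seen earlier
            .httpBasic(Customizer.withDefaults());  // also accept HTTP Basic for non-browser clients
        return http.build();
    }

    // Authentication: the user store. In-memory here for brevity; a real
    // application backs UserDetailsService with a database.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
            .password(encoder.encode("alice-password"))   // stored as a BCrypt hash, never as plaintext
            .roles("ADMIN")                                // becomes the authority ROLE_ADMIN
            .build();
        UserDetails bob = User.withUsername("bob")
            .password(encoder.encode("bob-password"))
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(alice, bob);
    }

    // Password protection: BCrypt is a salted, deliberately slow hash, so a
    // leaked user table does not directly reveal the passwords.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

// Method-level security: the same role check applied inside the application,
// independent of which HTTP endpoint (if any) invoked the method.
@Service
class ReportService {

    @PreAuthorize("hasRole('ADMIN')")
    public String exportReport() {
        return "report data";
    }
}
```

With this class on the classpath the auto-generated “user” account from the first example disappears, because a `UserDetailsService` bean is now present. A request to `/endpoint1` authenticated as `bob` receives HTTP 403 (valid identity, insufficient role), while an unauthenticated request to any endpoint is redirected to the login page or, for Basic clients, answered with 401.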

Spring Security and Microservices Architecture #

Microservices architecture is more complex compared to monolithic applications because it involves service-to-service communication. Let us continue using the concept of “resources”. In a microservices system, the service providers act as the servers for resources, while the service consumers act as the clients. So, each service can be a client, a resource server, or both.

Next, let’s combine authentication and authorization to outline a security implementation plan for microservices access scenarios, as shown in the following diagram:

[Figure: Authentication and authorization integration diagram in a microservices architecture]

As can be seen, compared to monolithic applications, the authentication and authorization processes need to be centrally managed in a microservices architecture. Therefore, an authorization center appears in the diagram. The authorization center obtains the identity credential information carried in the client request and generates a token based on the credential information. This token contains permission scope and validity period.

After obtaining the token, the client accesses the microservices with it. The service provider then needs to validate the token and, based on the permission scope and validity period it carries, determine which resources the request may access. In a microservices system, these externally exposed resources can again be understood as HTTP endpoints.

The key point in the diagram is to build an authorization center that can generate and validate tokens. To do this, we need to introduce the OAuth2 protocol. The OAuth2 protocol sets up an authorization layer between the client program and the resource server, and ensures that the token can be effectively transmitted among various microservices, as shown in the following diagram:

[Figure: Application of the OAuth2 protocol in service access scenarios]

OAuth2 is a relatively complex protocol that combines digest authentication, signature authentication, HTTPS, and other security measures. It needs to provide functions such as token generation, verification, and public-private key management, as well as permissions granularity control. Generally, we should avoid implementing such complex protocols ourselves and prefer to use specific tools to avoid reinventing the wheel. Spring Security provides a complete solution to implement this protocol, allowing us to complete the authentication and authorization mechanism suitable for microservices systems.
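As an added illustration of the resource-server side of this model (example code, not from the lecture or the Spring project), the configuration below shows a microservice that does not issue tokens itself but validates the JWT access token carried by each request and maps the token's scopes to endpoint permissions. It assumes Spring Boot 3.x with Spring Security 6.1 or later and the `spring-boot-starter-oauth2-resource-server` dependency; the issuer URI, package name, endpoint paths and scope names are placeholders.

```java
// Added example (not from the original lecture). Assumes Spring Boot 3.x,
// Spring Security 6.1+ and spring-boot-starter-oauth2-resource-server.
// The authorization center is located through application.properties, e.g.
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://auth.example.internal
// (placeholder value). Endpoint paths and scope names are hypothetical.
package com.example.orders;

import java.time.Instant;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every request carries its own bearer token, so the service keeps no HTTP session.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Spring Security's default JWT converter turns each entry of the token's
            // "scope" (or "scp") claim into an authority prefixed with "SCOPE_".
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/orders/**").hasAuthority("SCOPE_orders.read")
                .requestMatchers(HttpMethod.POST, "/orders/**").hasAuthority("SCOPE_orders.write")
                .anyRequest().authenticated())
            // Checks the signature (keys fetched from the issuer's JWK set), expiry and
            // issuer on every request. A missing or invalid token yields 401; a valid
            // token without the required scope yields 403.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}

// Once the filter chain has accepted the token, its claims are available to the
// endpoint as the authenticated principal.
@RestController
class OrderController {

    @GetMapping("/orders/me")
    public Map<String, Object> whoAmI(@AuthenticationPrincipal Jwt jwt) {
        Instant expiry = jwt.getExpiresAt(); // validity period carried in the token
        return Map.of(
            "subject", jwt.getSubject(),     // who the authorization center says this is
            "expiresAt", String.valueOf(expiry));
    }
}
```

With `issuer-uri` set, Spring Security fetches the issuer's metadata and JWK set at startup and uses the published public keys to verify token signatures, so the resource server never holds the authorization center's signing key and does not need to call the center for every request.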

Spring Security and Reactive Systems #

With the release of Spring 5, we ushered in a new era of reactive programming. Reactive programming is the most important new feature of Spring 5 and is currently being actively promoted by the Spring family. The reactive programming model of Spring 5 is based on the Project Reactor library, which implements the Reactive Streams specification.

In fact, Spring Boot has also fully relied on Spring 5 since version 2.x. Similarly, in Spring Security, there are corresponding reactive versions for the security features that exist in traditional development models, such as the establishment of user account systems, user authentication and authorization, secure access at the method level, and the OAuth2 protocol.
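To make the correspondence concrete, here is the reactive counterpart of a servlet-style security configuration, added as an example (not code from the lecture or the Spring project) for a Spring WebFlux application: the same authentication and authorization concepts, expressed with the reactive types `ServerHttpSecurity`, `SecurityWebFilterChain` and `ReactiveUserDetailsService`. It assumes Spring Boot 3.x with `spring-boot-starter-webflux` and `spring-boot-starter-security`; the package name, paths, username and password are hypothetical.

```java
// Added example (not from the original lecture). Assumes Spring Boot 3.x with
// spring-boot-starter-webflux and spring-boot-starter-security on the classpath.
// Paths, username and password are hypothetical.
package com.example.reactive;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity // reactive equivalent of @EnableWebSecurity
public class ReactiveSecurityConfig {

    // Authorization: "exchanges" and "pathMatchers" replace the servlet
    // "requests" and "requestMatchers"; the rule semantics are the same.
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/admin/**").hasRole("ADMIN")   // admin area
                .anyExchange().authenticated())                // everything else needs a login
            .httpBasic(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults())
            .build();
    }

    // Authentication: the user lookup returns a Mono<UserDetails> instead of
    // blocking; MapReactiveUserDetailsService is the in-memory implementation.
    @Bean
    ReactiveUserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails admin = User.withUsername("admin")
            .password(encoder.encode("admin-password"))   // BCrypt hash, as in the servlet model
            .roles("ADMIN")
            .build();
        return new MapReactiveUserDetailsService(admin);
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

The security rules read almost identically to the servlet version; what changes is the execution model: the filter chain is a chain of `WebFilter`s that never block the event-loop threads, and user lookups, token validation and authorization decisions all return `Mono` values that are composed into the request pipeline.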

Summary and Preview #

This is the first lecture of the entire column. We introduced the Spring Security framework through a simple example and analyzed the functional system provided by the Spring Security framework based on the security requirements of daily development. Different functionalities correspond to different application scenarios and can be used to ensure the security of systems in ordinary monolithic applications, microservices architectures, and reactive systems.

The summary of this lecture is shown in the figure below.

[Figure: Summary of this lecture]

Here is a question for you to consider: Can you describe the authentication and authorization mechanisms required for monolithic applications and microservices architectures respectively?

Next, we will officially enter the learning process of various functionalities of the Spring Security framework. The first thing we will discuss is the user authentication functionality based on Spring Security. In the next lecture, we will discuss how to effectively authenticate users based on Spring Security.