Why Spring Security May Be My Favorite Spring Project

Greg L. Turnquist
6 min read · Mar 27

Spring Security is a powerful, flexible, and extensible security framework for Java applications that is part of the larger Spring ecosystem.

It is my go-to solution for securing Java-based applications, and I will share with you the reasons it JUST MIGHT be my favorite Spring project.

1 — Sensible Defaults

One of the key reasons why Spring Security stands out is its sensible default configurations. The framework is designed to ensure that your app is protected against a wide range of security threats. And one thing I’ve learned from listening to the many security talks by Rob Winch (lead for Spring Security) is that I don’t know 1% of what this guy knows.

In fact, there’s a common expression amongst security geeks:

Don’t implement security on your own.

You and I, mere mortals in application development, don’t grok enough to guard against the many vectors of attacks. We NEED toolkits like Spring Security to apply good, standardized protections.

For example, if you create a Spring MVC application and hook up a templating engine like Thymeleaf, Spring Security will insert additional HTML directives that are aimed at protecting you. The simplest is that the browser is instructed, while logged-in users are accessing the system, not to hold on to cached assets.

Essentially, when users log out, the browser shouldn’t be holding on to what that user accessed in the sense of images, JavaScript, or HTML. Any of this could be used to gain insight and attack the system. When a user logs out, the browser needs to REALLY log them out.

Betcha didn’t even KNOW that one. Well, gear up… there are a whole bunch of actions just like that which Spring Security stuffs into web pages to ALSO protect you.

Simply put, neither you nor I have the chops to understand all these attack vectors. But Spring Security DOES. Do you know about the following?

  • CSRF?
  • Session Fixation?
  • Clickjacking?

Even if you’ve HEARD of them, could you explain them in detail to your manager?

Integrate Spring Security into your application and you already have a strong foundation for a secure application without needing to be an expert in security.
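You can watch these defaults at work from a test. The following is an added example, not code from the original post: it assumes a Spring Boot 3 application with spring-boot-starter-security, spring-boot-starter-test and spring-security-test on the classpath and no custom SecurityFilterChain, and the class name is made up. The no-cache instruction and the clickjacking defence arrive as HTTP response headers, and CSRF protection shows up as a rejected POST.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical test class; relies on Spring Boot's default security auto-configuration.
@SpringBootTest
@AutoConfigureMockMvc
class SecurityDefaultsTest {

    @Autowired
    MockMvc mvc;

    @Test
    void responsesTellTheBrowserNotToCache() throws Exception {
        // The generated login page is public, so it returns 200 with the default headers.
        mvc.perform(get("/login"))
           .andExpect(status().isOk())
           .andExpect(header().string("Cache-Control",
                   "no-cache, no-store, max-age=0, must-revalidate"))
           .andExpect(header().string("Pragma", "no-cache"))
           .andExpect(header().string("Expires", "0"));
    }

    @Test
    void responsesRefuseToBeFramed() throws Exception {
        // Clickjacking defence: the page may not be rendered inside a frame.
        mvc.perform(get("/login"))
           .andExpect(header().string("X-Frame-Options", "DENY"));
    }

    @Test
    void postWithoutCsrfTokenIsRejected() throws Exception {
        // No token in the request, so the CSRF filter answers 403 before logout runs.
        mvc.perform(post("/logout")).andExpect(status().isForbidden());
    }

    @Test
    void postWithCsrfTokenIsAccepted() throws Exception {
        // csrf() attaches a valid token; logout proceeds and redirects.
        mvc.perform(post("/logout").with(csrf()))
           .andExpect(status().is3xxRedirection());
    }
}
```

If one of these tests starts failing after a configuration change, a default protection has been switched off somewhere in the security configuration.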

2 — Customizable User…
