Spring Security configuration

In our previous articles we saw that Spring Security can be configured in two ways. The first uses the standard Spring bean mechanism; the second is specific to Spring Security, because it relies on its own XML schema definition (XSD) and namespace. In this article we focus on the second method.


We start with a sample configuration based on Spring Security's XSD and describe it briefly. Then we analyze each part separately and in more detail. This helps us understand how Spring knows which beans must be created for each <http /> configuration, and how it resolves a reference such as the name of a <user-service />.

Spring Security configuration based on XSD

To illustrate Spring Security configuration based on XML schema, we'll use the same sample application as in previous articles. Its configuration looks like:

<security:http authentication-manager-ref="frontend" auto-config="true" use-expressions="true"
    access-denied-page="/access-denied">
  <security:intercept-url pattern="/logout" access="isAuthenticated()" />
  <security:csrf />
  <security:logout logout-url="/logout" logout-success-url="/login" 
    invalidate-session="true" delete-cookies="JSESSIONID" />
  <security:form-login login-page="/login" default-target-url="/secret/data"
    authentication-failure-url="/login?error=true" password-parameter="password"
    username-parameter="login" login-processing-url="/do-login" />
  <security:remember-me data-source-ref="dataSource" 
    key="secret_remember_me" user-service-ref="inMemoryUserService" />
  <security:session-management invalid-session-url="/invalid-session" 
    session-fixation-protection="migrateSession">
      <security:concurrency-control expired-url="/expired-session" 
        max-sessions="1" error-if-maximum-exceeded="true" />
  </security:session-management>
  <security:custom-filter ref="oneShootAuthFilter" after="CONCURRENT_SESSION_FILTER"/>
</security:http>

<security:authentication-manager id="frontend">
  <security:authentication-provider 
    user-service-ref="inMemoryUserService" />
</security:authentication-manager>

<security:user-service id="inMemoryUserService">
  <security:user name="bartosz" password="bartosz" 
    authorities="ROLE_ADMIN,ROLE_USER" />
  <security:user name="admin" password="admin" 
    authorities="ROLE_ADMIN,ROLE_USER" />
  <security:user name="mod" password="mod" 
    authorities="ROLE_USER" />
</security:user-service>

<bean id="oneShootAuthFilter" class="com.waitingforcode.security.filter.OneShotActionFilter">
  <property name="authenticationManager" ref="frontend" />
  <property name="userDetailsService" ref="inMemoryUserService" />
</bean>

You can see three main parts: http, authentication-manager and user-service. Briefly, the http element is the security context for one application area (for example: frontend, backend, or the parts of the site reserved for logged-in users). The authentication-manager defines how users are authenticated. It relies on the user-service, the last component, which provides the layer used to check whether a given user can be authenticated or not. The last bean, oneShootAuthFilter, is defined here only to better illustrate one of http's child elements, <custom-filter />.

Spring Security configuration builders

As we saw previously, the process underlying namespace-based Spring Security configuration is built on BeanDefinitionParser instances. They analyze the provided XML configuration and construct the appropriate BeanDefinition objects. This work is done by configuration builders, which are sometimes coupled, as with user-service, or with the authentication and http filters inside the <http /> tag. In addition, they accept many different options, each of which can trigger a number of different actions. This makes the code more verbose to read and a little harder to understand, even though the basic mechanism is the same as in the rest of the Spring projects.
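The reference resolution described above (a "*-ref" attribute must name the id of some declared element, as <http /> names the authentication-manager "frontend" and the provider names "inMemoryUserService") can be checked outside Spring. The following is an added example, not code from the article or from Spring: a small linter that parses a trimmed, constructed copy of the configuration, lists every reference edge, reports dangling references, and reports users stored in plaintext (a user-service whose authentication-provider declares no <password-encoder />).

```python
import xml.etree.ElementTree as ET

SEC = "{http://www.springframework.org/schema/security}"

# Constructed sample: a trimmed copy of the configuration discussed above.
# "dataSource" is deliberately not declared so the dangling-reference check fires.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http authentication-manager-ref="frontend" auto-config="true">
    <security:remember-me data-source-ref="dataSource" key="secret_remember_me"
      user-service-ref="inMemoryUserService" />
    <security:custom-filter ref="oneShootAuthFilter" after="CONCURRENT_SESSION_FILTER" />
  </security:http>
  <security:authentication-manager id="frontend">
    <security:authentication-provider user-service-ref="inMemoryUserService" />
  </security:authentication-manager>
  <security:user-service id="inMemoryUserService">
    <security:user name="bartosz" password="bartosz" authorities="ROLE_ADMIN,ROLE_USER" />
    <security:user name="mod" password="mod" authorities="ROLE_USER" />
  </security:user-service>
  <bean id="oneShootAuthFilter" class="com.waitingforcode.security.filter.OneShotActionFilter">
    <property name="authenticationManager" ref="frontend" />
    <property name="userDetailsService" ref="inMemoryUserService" />
  </bean>
</beans>"""

def local(tag):
    """Strip the namespace: '{...security}http' -> 'http'."""
    return tag.rsplit("}", 1)[-1]

def lint(xml_text):
    root = ET.fromstring(xml_text)
    # Every element with an id becomes a bean registered under that name.
    defined = {el.get("id"): local(el.tag) for el in root.iter() if el.get("id")}
    # Every "ref" / "*-ref" attribute is a name the namespace parser must resolve.
    edges, dangling = [], []
    for el in root.iter():
        for attr, target in el.attrib.items():
            if attr == "ref" or attr.endswith("-ref"):
                edges.append((local(el.tag), attr, target))
                if target not in defined:
                    dangling.append((local(el.tag), attr, target))
    # A user-service whose provider declares no <password-encoder> compares the
    # literal password attribute, so those users are stored in plaintext.
    encoded = {p.get("user-service-ref") for p in root.iter(SEC + "authentication-provider")
               if p.find(SEC + "password-encoder") is not None}
    plaintext = [(s.get("id"), u.get("name")) for s in root.iter(SEC + "user-service")
                 if s.get("id") not in encoded for u in s.iter(SEC + "user")]
    return {"defined": defined, "edges": edges, "dangling": dangling, "plaintext": plaintext}

if __name__ == "__main__":
    for key, value in lint(SAMPLE_XML).items():
        print(key, value)
```

Run against the sample, the linter reports the undeclared dataSource reference and both in-memory users as plaintext; adding a <security:password-encoder hash="bcrypt" /> inside the provider clears the second finding.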
