Spring Security with Maven

2021 VietMX JAVA 0

1. Overview

In this article, we’ll explain how to setup Spring Security with Maven and go over specific use-cases of using Spring Security dependencies. You can find the latest Spring Security releases on Maven Central.

This is a followup to the previous Spring with Maven article, so for non-security Spring dependencies, that’s the place to start.

2. Spring Security With Maven

2.1. spring-security-core

The Core Spring Security support – spring-security-core – contains authentication and access control functionality. This dependency is mandatory to include for all projects using Spring Security.

Additionally, spring-security-core supports the standalone (non-web) applications, method level security and JDBC:

<properties>
    <spring-security.version>5.3.4.RELEASE</spring-security.version>
    <spring.version>5.2.8.RELEASE</spring.version>
</properties>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${spring-security.version}</version>
</dependency>

Note that Spring and Spring Security are on different release schedules, so there isn’t always a 1:1 match between the version numbers.

If you’re working with older versions of Spring – also very important to understand is the fact that, unintuitively, Spring Security 4.1.x do not depend on Spring 4.1.x releases! For example, when Spring Security 4.1.0 was released, Spring core framework was already at 4.2.x and hence includes that version as its compile dependency. The plan is to align these dependencies more closely in future releases – see this JIRA for more details – but for the time being, this has practical implications that we’ll look at next.

2.2. spring-security-web

To add Web support for Spring Security, we need the spring-security-web dependency:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring-security.version}</version>
</dependency>

This contains filters and related web security infrastructure that enables URL access control in a Servlet environment.

2.3. Spring Security and Older Spring Core Dependencies Problem

This new dependency also exhibits a problem for the Maven dependency graph. As mentioned above, Spring Security jars do not depend on the latest Spring core jars (but on the previous version). This may lead to these older dependencies making their way on top the classpath instead of the newer 5.x Spring artifacts.

To understand why this is happening, we need to look at how Maven resolves conflicts. In case of a version conflict, Maven will pick the jar that is closest to the root of the tree. For example, spring-core is defined by both spring-orm (with the 5.0.0.RELEASE version) but also by spring-security-core (with the 5.0.2.RELEASE version). So in both cases, spring-jdbc is defined at a depth of 1 from the root pom of our project. Because of that, it will actually matter in which order spring-orm and spring-security-core are defined in our own pom. The first one will take priority so we may end up with either version on our classpath.

To address this problem, we’ll have to explicitly define some of the Spring dependencies in our own pom and not rely on the implicit Maven dependency resolution mechanism. Doing this will put that particular dependency at depth 0 from our pom (as it’s defined in the pom itself) so it will take priority. All of the following fall into the same category and all need to be explicitly defined, either directly or, for multi-module projects, in the dependencyManagement element of the parent:

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>${spring-version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context</artifactId>
    <version>${spring-version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-jdbc</artifactId>
    <version>${spring-version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId>
    <version>${spring-version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-aop</artifactId>
    <version>${spring-version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-tx</artifactId>
    <version>${spring-version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-expression</artifactId>
    <version>${spring-version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>${spring-version}</version>
</dependency>

2.4. spring-security-config and Others

To use the rich Spring Security XML namespace and annotations, we’ll need the spring-security-config dependency:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${spring-security.version}</version>
</dependency>

Finally, LDAP, ACL, CAS, OAuth and OpenID support have their own dependencies in Spring Security: spring-security-ldapspring-security-aclspring-security-cas, spring-security-oauth and spring-security-openid.

2.5. spring-boot-starter-security

When working with Spring Boot, the spring-boot-starter-security starter will automatically include all dependencies such as spring-security-corespring-security-web and spring-security-config among others:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.3.3.RELEASE</version>
</dependency>

Since Spring Boot will be managing all the dependencies automatically for us, this will also get rid of the spring security and older core dependencies problem mentioned previously.

3. Using Snapshots and Milestones

Spring Security milestones, as well as snapshots, are available in the custom Maven repositories provided by Spring. For additional details about how to configure these, see how to use Snapshots and Milestones.

4. Conclusion

In this quick tutorial, we discussed the practical details of using Spring Security with Maven. The Maven dependencies presented here are of course some of the major ones, and there are several others that may be worth mentioning and haven’t yet made the cut. Nevertheless, this should be a good starting point for using Spring in a Maven enabled project.

Related posts:

Spring REST API with Protocol Buffers
Redirect to Different Pages after Login with Spring Security
Introduction to Spliterator in Java
Java Program for Topological Sorting in Graphs
Java Program to Perform Partial Key Search in a K-D Tree
Lớp Arrarys trong Java (Arrays Utility Class)
Hướng dẫn Java Design Pattern – Null Object
An Example of Load Balancing with Zuul and Eureka
Java Program to Implement LinkedTransferQueue API
Java Program to Use the Bellman-Ford Algorithm to Find the Shortest Path
Java Program to Check Cycle in a Graph using Graph traversal
Java – File to Reader
Java Program to Implement Bellman-Ford Algorithm
HttpClient 4 – Follow Redirects for POST
DynamoDB in a Spring Boot Application Using Spring Data
Java Program to Perform Preorder Non-Recursive Traversal of a Given Binary Tree
Java Program to Implement SimpeBindings API
Java Program to Implement Fisher-Yates Algorithm for Array Shuffling
Using the Not Operator in If Conditions in Java
Spring Boot - Runners
Guide to the Synchronized Keyword in Java
Java Program to Perform Insertion in a BST
Lập trình đa luồng với CompletableFuture trong Java 8
Generate Spring Boot REST Client with Swagger
HTTP Authentification and CGI/Servlet
OAuth2 for a Spring REST API – Handle the Refresh Token in Angular
Java Program to Implement Vector API
Java Program to Perform Addition Operation Using Bitwise Operators
How To Serialize and Deserialize Enums with Jackson
Java Program to find the maximum subarray sum O(n^2) time(naive method)
Guide to Apache Commons CircularFifoQueue
Java Program to Generate All Pairs of Subsets Whose Union Make the Set