This article explains the classic HttpBasic authentication mode in Spring Security, its limited use cases, how to integrate it with a Spring Boot project by adding Maven dependencies and configuration code, and details the underlying Base64‑based mechanism with step‑by‑step illustrations.
This article explains how to customize the login, authorization, and error pages of the OAuth2 authorization‑code flow in a Spring Cloud Alibaba project, providing step‑by‑step instructions, code examples, and configuration details for Spring Security integration.
This article explains how to override Spring Security OAuth2's default /oauth/token endpoint to return a unified response structure by redefining the TokenEndpoint and optionally the CheckTokenEndpoint, providing complete Java code examples and implementation details.
This guide walks through configuring Enterprise WeChat QR code authentication in a Spring Security OAuth2 application, covering environment setup, application registration, custom OAuth2 request handling, token exchange, user‑info retrieval, and final authentication handling while highlighting common pitfalls and required code snippets.
This article walks through the complete OAuth2 token generation process, covering gateway pre‑processing, client authentication, request handling, authentication object assembly, password validation, token creation, storage options, and response handling with code examples and diagrams.
Spring Security OAuth has reached end‑of‑life, with its documentation removed and code moved to a read‑only Spring attic repository; this guide explains how to detect deprecated dependencies, replace them with Spring Security 5.7’s OAuth2 Client, Resource Server, and the new Spring Authorization Server, ensuring a smooth migration to modern, supported authentication solutions.
This guide walks you through upgrading to Spring Boot 2.7.0 and Spring Security 5.7.1, showing the deprecated WebSecurityConfigurerAdapter removal, the new SecurityFilterChain approach, and advanced dynamic permission techniques with complete code examples.
This article explains how to separate backend admin users using stateful Session authentication from front‑end app users using stateless JWT in a Spring Security‑based system, covering path‑interception strategies, session key isolation, custom UserDetailsService implementations, and complete configuration examples for an Id Server authorization server.
This article explains how to replace the deprecated Spring Security OAuth2 with a modern Spring Authorization Server solution, detailing the authentication flow, required components, configuration examples for Spring Cloud Gateway, Resource Server, and Id Server, and provides step‑by‑step demo instructions.
This article provides a detailed, step‑by‑step tutorial on building a Spring Security‑based Single Sign‑On solution using JWT, covering SSO concepts, JWT structure, RSA encryption, custom authentication filters, Maven project setup, configuration files, and full code examples for both authentication and resource services.
This article provides a comprehensive 20,000‑word guide on building a Spring Security‑based single sign‑on solution using JWT, covering the SSO concept, token structure, RSA encryption, Maven project setup, configuration files, custom authentication and verification filters, and end‑to‑end testing with Postman.
This article explains how to create a custom @IgnoreAuth annotation and integrate it with Spring Security to automatically whitelist controller methods, comparing the two standard ways of permitting requests—configure(WebSecurity) for static resources and configure(HttpSecurity) for filter‑chain‑aware endpoints—while providing full source code examples.
This article explains the classification of OAuth2 clients, details multiple authentication methods—including client_secret_jwt, private_key_jwt, TLS‑based approaches—and provides code examples and best‑practice recommendations for securely authenticating clients in modern OAuth2 deployments.
This article explains two Spring Security configuration approaches, introduces a custom @IgnoreAuth annotation, and shows how to automatically whitelist annotated endpoints by scanning RequestMappingHandlerMapping, complete with code examples and workflow details.
Spring Security's WebSecurityConfigurerAdapter is deprecated in version 5.7, and this article explains the migration path by comparing the old and new ways to configure HttpSecurity, WebSecurity, and AuthenticationManager with practical code examples.
This article explains why and how to extend Spring Security with custom OAuth2 grant types, using a mobile‑password example that demonstrates creating a custom UserDetailService, AuthenticationToken, TokenGranter, AuthenticationProvider, and the necessary Spring Cloud configuration steps.
This article explains how Spring Security’s HttpSecurity class maintains the order of its built‑in filters using FilterOrderRegistration, demonstrates the registration and retrieval logic with code examples, and clarifies how duplicate orders are resolved during filter sorting.
This article explains how to redesign Spring Security's captcha authentication by creating a custom filter configurer, detailing the inheritance hierarchy, code implementation, and integration into a SecurityFilterChain for clean, reusable authentication handling.
This article provides an in‑depth tutorial on Spring Security, covering its core concepts, authentication flow, project setup, dependency imports, custom UserDetailsService, password encoding, login handling, role‑based access control, CSRF protection, and integration with Thymeleaf, complete with practical code examples.
This article compares Apache Shiro and Spring Security, outlining each framework's core features, execution workflow, and strengths, and provides guidance on selecting the appropriate solution based on project size, Spring adoption, and development timeline.
This article explains how to customize authentication and resource server exception messages in Spring Security OAuth2, covering the creation of custom translators, entry points, and filters, with step‑by‑step code examples and testing procedures for handling username/password errors, grant type errors, client credential errors, token expiration, and insufficient permissions.
This article explains how to integrate OAuth2.0 with JWT token issuance in Spring Security, covering transparent vs opaque tokens, server‑side configuration, resource‑server validation, testing with Postman, and key source‑code snippets for a complete end‑to‑end authentication solution.
This article explains why OAuth2.0 is needed, clarifies the differences between tokens and passwords, describes the OAuth2.0 protocol and its four grant types, and provides a step‑by‑step Spring Boot + Spring Cloud Alibaba implementation of an authorization server and a resource server with full code examples.
This article explains how to use Spring Security together with JWT to build a stateless authentication system for front‑end/back‑end separated applications, covering token issuance, refresh logic, custom filters, handlers, UserDetailsService implementation, global security configuration, and testing procedures.
This article compares Apache Shiro and Spring Security, outlining their core concepts, execution flows, key features, and practical guidance to help developers choose the most suitable Java security framework based on project requirements and team expertise.
This article explains how Spring Security 5.6 simplifies dynamic permission control using annotation, SpEL‑based beans, and the new AuthorizationManager API, providing step‑by‑step code examples and configuration tips for developers seeking flexible, low‑overhead security solutions.
After adopting OAuth2.0, the added concept of scope often confuses developers; this article clarifies the differences between scope and role, explains how each controls access, shows Spring Security code examples, and highlights their complementary relationship in securing APIs.
This article explains the modular configuration of Spring Security's OAuth2 components, showcases the core config classes for client, resource, and authorization servers, and details the default filter chain and customizable filter configurers used by Spring Authorization Server.
This tutorial walks through converting a monolithic Spring application into a Spring Cloud microservice by implementing a JWT‑based OAuth2 resource server, covering required dependencies, custom JWT decoding, key separation, security filter configuration, and token parsing customization.
This article explains what an OAuth2 Resource Server is, why traditional monolithic security models become cumbersome in microservice architectures, and how decoupling authentication from authorization using JWTs simplifies token validation across distributed services.
This tutorial walks through the concepts of Single Sign‑On (SSO) and JSON Web Tokens (JWT), then provides a complete Spring Security integration with JWT—including project structure, RSA key handling, utility classes, custom authentication and verification filters, and step‑by‑step testing using Postman.
GrowingIO’s server-side solution integrates three distinct authentication protocols—OAuth2, LDAP, and CAS—into a unified SSO flow, detailing each protocol’s process, the overall architecture, role of the IAM and Gateway components, and providing configuration and code examples for implementation.
This article examines how Keycloak integrates with Spring Security in a Spring Boot application, detailing the custom security filters added to the standard chain, the handling of authentication and authorization for the /admin/foo endpoint, and practical steps to enable detailed logging for deeper insight.
This guide walks through setting up WeChat web authorization, customizing Spring Security's OAuth2 flow, handling token exchange, and retrieving user info, providing a complete backend solution for secure WeChat-enabled applications.
This article outlines the most commonly used Keycloak adapter configuration properties for Spring Security integration, explaining each setting such as realm, resource, auth-server-url, SSL requirements, CORS, bearer-only mode, and client credentials, and provides guidance on when and how to apply them.
This tutorial explains step‑by‑step how to add Keycloak authentication to a Spring Boot application using the Spring Security adapter, covering Maven dependencies, configuration files, custom resolvers, role mapping, session strategies, and the typical authorization code flow.
This article walks through the Spring Security authentication flow in a Spring Boot 2.2.11 application, detailing filter execution, token creation, provider selection, custom DaoAuthenticationProvider configuration, and session management, complemented by code snippets and diagrams for each step.
Keycloak, Red Hat’s open‑source identity and access management platform, offers a comprehensive SSO solution with extensive protocols, admin UI, Spring Security integration, and customizable features, but its complexity and steep learning curve may pose challenges for smaller projects.
This article demonstrates how to implement a unified authentication system in Spring Security that supports traditional username/password login, SMS-based captcha login, and WeChat Mini‑Program login, detailing the required components, custom filters, provider configurations, and code examples for a production‑ready solution.
This tutorial explains how to protect a Spring Boot web application by integrating Spring Security and JSON Web Tokens (JWT), covering project setup, dependency configuration, custom authentication components, security filters, token generation, role‑based access control, and testing with curl commands.
This article explains the core roles of HttpSecurity and WebSecurity in Spring Security, how they build and manage SecurityFilterChain objects, the purpose of FilterChainProxy, and why WebSecurity serves as the framework’s external entry point while HttpSecurity defines internal security policies.
This article compares Apache Shiro and Spring Security, outlining each framework's features, execution flow, and strengths, and provides guidance on when to choose Shiro for lightweight, framework-agnostic projects versus Spring Security for deeper Spring integration and broader community support.
In this exclusive interview, Huawei Cloud MVP Jiangnan Yidiayu shares his journey from a management student to a Java development expert, offering career advice, discussing the evolution of Java in the cloud‑native era, and revealing the motivations behind his popular Spring Security book and upcoming tutorials.
This tutorial walks through building a single sign‑on (SSO) system using OAuth2, Spring Security, and JWT, covering preparation, core concepts, Maven dependencies, configuration files, custom login pages, client setup, logout handling, project structure, and a full demonstration.
This article explains the role of OAuth2AuthorizationCodeAuthenticationProvider in Spring Security, details how OAuth2AccessTokenResponseClient obtains access tokens, shows how to customize the token endpoint, and walks through the complete token‑retrieval flow with code examples and step‑by‑step analysis.
This tutorial explains the concept of Single Sign‑On, demonstrates a simple ticket‑based analogy, introduces JWT structure and RSA signing, and walks through a complete Spring Boot implementation—including project layout, Maven dependencies, configuration files, utility classes, custom authentication and verification filters, security configuration, and Postman testing—so readers can build a secure SSO service from scratch.
This article explores how Spring Security processes OAuth2 login callbacks, detailing the role of AuthenticationManager, the creation of OAuth2LoginAuthenticationToken, the selection of appropriate AuthenticationProvider such as OAuth2LoginAuthenticationProvider and OidcAuthorizationCodeAuthenticationProvider, and the subsequent generation of OAuth2User and token objects.
This guide explains how to use Spring Security 5 to integrate Gitee's OAuth2.0 login, covering the registration of client credentials, the meaning of each OAuth2.0 field, and a step‑by‑step demo that you can run locally via a simple authorization URL.
This guide shows how to replace the old springfox-swagger jars with the new Springfox 3.0.0 starter, configure Swagger UI in a Spring Boot project, compare version differences, and integrate Swagger with Spring Security for protected API endpoints.
This comprehensive Spring Security guide explains core concepts of authentication and access control, details the AuthenticationManager and ProviderManager interfaces, shows how to customize authentication managers, configure authorization with AccessDecisionManager, secure web requests with filter chains, and apply method-level security, including asynchronous contexts.
This article answers common questions about permission management in the Mall and Mall‑Swarm projects, covering deprecated tables, required SQL scripts, front‑end menu visibility, differences between Spring Security and OAuth2‑Gateway implementations, configuration fixes, token usage, and a tiny demo project for learning.
This tutorial walks you through building a complete SMS‑based captcha authentication flow in Spring Security, covering cache lifecycle, service implementation, custom authentication token, provider, filter, and configuration, and shows how to integrate it without affecting existing login methods.
This guide walks through building a unified microservice authentication and authorization solution using Spring Boot 2.2+, Spring Cloud Hoxton, Nacos, Spring Cloud Gateway, and JWT, detailing the architecture, service division, and step‑by‑step implementation of auth, gateway, and API services with code examples.
This article explains the fundamentals of OAuth2, its four grant types and roles, and provides step‑by‑step Spring Boot and Spring Cloud configurations—including authorization and resource server setup, custom token filters, and Zuul gateway integration—to secure microservice APIs.
Learn how to retrieve OAuth 2.0 tokens using the password grant, customize the default token endpoint with Spring Security OAuth2, and understand the underlying source code that maps the new endpoint, complete with practical curl commands and Java configuration examples.
This article explains how to modify Spring Security OAuth2's token service to enforce a single-device login by customizing token creation and key generation logic, removing existing tokens for the same user and ignoring client identifiers, with code examples and deployment steps.
This article explains how Spring Security integrates with Servlet‑based Java web applications by detailing the servlet filter chain, DelegatingFilterProxy, FilterChainProxy, SecurityFilterChain, and providing code examples to help readers grasp authentication and authorization mechanisms.
This article explains how to extend the default OAuth2 token response by embedding business-related fields such as tenant_id, user_id, and username, and walks through the underlying Spring Security code—including the password grant flow, token creation, and enhancement process—illustrated with code snippets and diagrams.
The article examines why the demo environment of pig4cloud returns an OAuth2 access token without the expires_in field, contrasts it with a local deployment, analyzes the Spring Security OAuth2 token generation code, and explains that according to the OAuth2 specification the expires_in parameter should be returned even for permanently valid tokens.
This article walks through the complete SSO login flow—from the browser request to the SSO server, code exchange, token generation, and front‑end redirection—while detailing front‑end and back‑end code modifications needed for password‑less authentication.
This tutorial shows how to integrate Spring Security into a Spring Boot project that already uses Swagger2, configuring dependencies, application properties, Swagger and security classes so that the generated API documentation is protected by a login page without affecting other business endpoints.
This article explains the OAuth 2.0 authorization framework, describes its four core roles and various grant types, and demonstrates how to configure a Spring Security OAuth2 client for GitHub login, including endpoint details, request parameters, and code examples.
This guide introduces Spring Security fundamentals, explaining authentication and authorization concepts, the core interfaces such as AuthenticationManager and AccessDecisionManager, how to configure them with Spring Boot, customize filter chains, apply method‑level security, and handle thread‑bound security contexts for asynchronous processing.
This article explains how to implement role‑based access control in Spring Security by embedding roles into UserDetails, configuring HttpSecurity with hasRole/hasAnyRole/hasAuthority, handling anonymous users, and using permitAll, providing code examples and detailed explanations for each approach.
This article explains why Role‑Based Access Control (RBAC) is essential for modern applications, outlines the four RBAC model variants (RBAC0‑RBAC3), clarifies core concepts such as users, roles, sessions and permissions, and shows how RBAC improves scalability and security in Spring Security projects.
This article explains the different exception types in Spring Security, how HTTP status codes map to authentication and authorization failures, and provides concrete implementations of AuthenticationEntryPoint and AccessDeniedHandler that return JSON responses, along with configuration tips for integrating them into a Spring Boot application.
This article walks through the inner workings of Spring Security after login, explains session and token based authentication, and provides step‑by‑step guidance on customizing logout logic with LogoutFilter, LogoutConfigurer, and custom LogoutHandler and LogoutSuccessHandler implementations in Java.
This article explains Spring Security 5.2's Lambda DSL enhancements, compares lambda‑based and traditional configurations for HttpSecurity and ServerHttpSecurity, shows equivalent code samples, highlights default behaviors, and demonstrates the same approach for Spring Security WebFlux.
This article walks through customizing Spring Security in a Spring Boot application by creating a custom security configuration class, overriding authentication manager, web security, and HttpSecurity methods, and explains the default and common HttpSecurity settings with code examples.
This article explains the Ant‑style path matching syntax, its wildcards ?, *, **, the longest‑match rule, and demonstrates how to apply these patterns in Spring MVC controller mappings and Spring Security antMatchers for precise URI access control.
This article explores how Spring Security is automatically configured in Spring Boot, detailing key auto‑configuration classes such as SecurityAutoConfiguration, SpringBootWebSecurityConfiguration, WebSecurityEnablerConfiguration, and the @EnableWebSecurity annotation, while providing code snippets and explanations of their roles in the security filter chain.
This tutorial explains how to integrate JWT with Spring Security so that a successful login returns a JWT token instead of a page redirect, covering the authentication flow, custom success and failure handlers, configuration steps, and verification of the returned JSON responses.
This guide walks through integrating Spring Security with Spring Boot, explains the UserDetailsServiceAutoConfiguration, demonstrates how to customize UserDetailsManager using in‑memory storage, and shows how to extend it for database‑backed user management, providing complete code examples and practical insights.
This article compares Spring Security and Apache Shiro, explaining their authentication and authorization features, filter‑chain mechanisms, RBAC model, and related security concepts to help Java developers choose the right framework for production‑grade web applications.
This article explains how to achieve consistent OAuth2 token handling across multiple clients and tenants by customizing the token key generation, overriding DefaultTokenServices logic, and configuring a RedisTokenStore with a custom AuthenticationKeyGenerator in a Spring Boot application.
This tutorial walks through setting up Spring Boot Admin as a monitoring server and client, integrating it with Eureka for service discovery, adding Spring Security for authentication, and configuring email and custom notifications, complete with Maven and YAML configurations and Java code examples.
This tutorial walks you through building a lightweight OAuth2 authentication server using Spring Cloud Hoxton, covering required dependencies, web security configuration, client details, grant types, testing with the password flow, and key insights on Spring Security password handling.
Learn how to quickly set up an OAuth2 authentication server using Spring Cloud Hoxton, including Maven dependencies, web security configuration, client details, and password‑grant testing, while also covering Spring Security’s {noop} password handling and providing useful code snippets for developers.
This tutorial shows how to integrate Spring Security and JWT into a Spring Boot backend to implement user login and authorization, configure Swagger‑UI to automatically include the token, and provides all necessary code snippets, configuration files, and utility classes for a complete authentication solution.
This article walks through Spring Security OAuth's core classes, explaining how the TokenEndpoint processes /oauth/token requests, validates client details, builds TokenRequests, delegates to TokenGranters, and ultimately generates and returns an OAuth2 access token.
This article explains how to customize the default OAuth2 check‑token flow in Spring Cloud by extending the token converter to assemble complete user information—including IDs, department and tenant data—directly into the security context, eliminating extra database queries and improving performance.
This article explains how to protect Spring Cloud microservices using OAuth2 by configuring an API gateway, an authorization server, and a simple account service, providing a complete token‑based security solution with code examples and testing instructions.
This tutorial walks through a complete Spring Boot demo that sets up Maven dependencies, creates Thymeleaf front‑end pages (home, login, hello), implements a main Application class, a HomeController, and a WebSecurityConfig to secure the application with in‑memory authentication, illustrating how to protect URLs, configure a custom login page, and enable logout functionality.
This guide explains how to create a custom Spring Security filter, extend GenericFilterBean, and precisely position it within the default filter chain using HttpSecurity’s addFilterBefore, addFilterAfter, or addFilterAt methods, complete with code examples and configuration steps.
This guide shows how to combine Spring Security and MyBatis to implement username‑password authentication backed by a MariaDB database, covering repository cloning, database setup, Maven execution, and a deep dive into the underlying authentication filter and provider classes with code examples.
This tutorial walks you through setting up a Spring Boot project with Spring Security, explains the @EnableWebSecurity annotation, shows how to extend WebSecurityConfigurerAdapter, demonstrates overriding configure(AuthenticationManagerBuilder) and configure(HttpSecurity) methods with concrete code examples, and provides a concise reference table of common HttpSecurity methods.
This guide provides a deep dive into Spring Security's architecture, explaining how authentication and authorization are separated, how the AuthenticationManager and AccessDecisionManager work, how web filter chains are organized, and how to apply method‑level security and thread‑local context handling in Java applications.
This weekend roundup compiles essential Spring Boot, Spring Cloud, and Spring Security articles—including quick starts, deep‑dive tutorials, microservice patterns, API‑gateway tips, and OAuth2 guides—providing developers a convenient reference list to enhance their Java backend expertise.
This article presents a collection of straightforward, developer‑friendly techniques for enhancing Java API security and performance, covering API key protection, TLS adoption, Spring Boot web service creation, application monitoring, and safeguarding sensitive configuration files.
This article breaks down Spring Security’s three core Java configuration components—@EnableWebSecurity, WebSecurityConfiguration, and AuthenticationConfiguration—explaining how they replace XML setup, register the security filter chain, build the AuthenticationManager, and enable fine‑grained HttpSecurity rules such as path protection, form login, logout, CSRF, and security headers.
This article breaks down the internal workflow of Spring Security’s @EnableResourceServer, explaining how OAuth2 tokens are extracted, validated, and turned into authentication objects through ResourceServerSecurityConfigurer, OAuth2AuthenticationProcessingFilter, OAuth2AuthenticationManager, and related components.
This article walks through building a Spring Boot application that protects HTTP endpoints using OAuth2, covering password and client‑credentials flows, Maven setup, resource and authorization server configuration, in‑memory users, token retrieval, and accessing secured resources with detailed code examples.
