Spring Security is a powerful and highly customizable authentication and access-control framework for Java applications. It is the de-facto standard for securing Spring-based applications. In this section, we will cover the basics of Spring Security, its core concepts, and how to integrate it into a Spring Boot application.

1. Authentication: The process of verifying the identity of a user or system.
2. Authorization: The process of determining whether an authenticated user has the necessary permissions to perform a specific action.
3. Principal: The currently authenticated user.
4. Granted Authority: A permission or role assigned to a principal.
5. Security Context: Holds the security information of the current user, including authentication and granted authorities.

• Comprehensive Security: Provides a wide range of security features, including authentication, authorization, and protection against common attacks (e.g., CSRF, XSS).
• Integration: Seamlessly integrates with Spring applications.
• Customization: Highly customizable to meet specific security requirements.
• Community Support: Backed by a large community and extensive documentation.

First, add the Spring Security dependency to your pom.xml file:

Create a configuration class to set up Spring Security. This class should extend WebSecurityConfigurerAdapter and override the necessary methods.

• @Configuration: Indicates that this class contains Spring configuration.
• @EnableWebSecurity: Enables Spring Security’s web security support.
• authorizeRequests(): Configures authorization for HTTP requests.
• anyRequest().authenticated(): Requires authentication for any request.
• formLogin(): Enables form-based login.
• httpBasic(): Enables HTTP Basic authentication.

Run your Spring Boot application. By default, Spring Security will secure all endpoints and provide a default login page. The default username is user, and the password is generated at runtime and printed in the console.

Let's create a simple Spring Boot application with a secured endpoint.

Use Spring Initializr to create a new Spring Boot project with the following dependencies:

• Spring Web
• Spring Security

Create a simple REST controller with a secured endpoint.

Create the SecurityConfig class as shown earlier.

Run the application and navigate to http://localhost:8080/hello. You will be prompted to log in. Use the default credentials (user and the generated password) to access the endpoint.

Modify the SecurityConfig class to use a custom login page.

Create a simple login page (src/main/resources/templates/login.html):

• Update the SecurityConfig class as shown above.
• Create the login.html file in the templates directory.

Modify the SecurityConfig class to restrict access to the /admin endpoint to users with the ADMIN role.

Create a new controller with an /admin endpoint.

• Update the SecurityConfig class as shown above.
• Create the AdminController class with the /admin endpoint.

In this section, we introduced Spring Security and its core concepts. We demonstrated how to set up Spring Security in a Spring Boot application, configure basic authentication, and create a custom login page. We also provided practical exercises to reinforce the learned concepts. In the next section, we will delve deeper into configuring Spring Security and implementing user authentication and authorization.