π announcement - icon
If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:
>> LEARN SPRING SECURITYeBook β Guide Spring Cloud β NPI EA (cat=Spring Cloud)
eBook β Mockito β NPI EA (tag = Mockito)
π announcement - icon
Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
eBook β Java Concurrency β NPI EA (cat=Java Concurrency)
π announcement - icon
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
eBook β Reactive β NPI EA (cat=Reactive)
π announcement - icon
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
eBook β Java Streams β NPI EA (cat=Java Streams)
π announcement - icon
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
eBook β Jackson β NPI EA (cat=Jackson)
eBook β HTTP Client β NPI EA (cat=Http Client-Side)
eBook β Maven β NPI EA (cat = Maven)
eBook β Persistence β NPI EA (cat=Persistence)
eBook β RwS β NPI EA (cat=Spring MVC)
Course β LS β NPI EA (cat=Jackson)
π announcement - icon
Get started with Spring and Spring Boot, through the Learn Spring course:
>> LEARN SPRINGCourse β RWSB β NPI EA (cat=REST)
π announcement - icon
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Course β LSS β NPI EA (cat=Spring Security)
π announcement - icon
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Course β LSD β NPI EA (tag=Spring Data JPA)
π announcement - icon
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Partner β Moderne β NPI EA (cat=Spring Boot)
π announcement - icon
Refactor Java code safely β and automatically β with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. Thatβs where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions β one for newcomers and one for experienced users. Youβll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Course β LJB β NPI EA (cat = Core Java)
1. Overview
In this article, weβll explain how to setup Spring Security with Maven and go over specific use-cases of using Spring Security dependencies. You can find the latest Spring Security releases on Maven Central.
This is a followup to the previous Spring with Maven article, so for non-security Spring dependencies, thatβs the place to start.
2. Spring Security With Maven
2.1. spring-security-core
The Core Spring Security support β spring-security-core β contains authentication and access control functionality. This dependency is mandatory to include for all projects using Spring Security.
Additionally, spring-security-core supports the standalone (non-web) applications, method level security and JDBC:
<properties>
<spring-security.version>5.3.4.RELEASE</spring-security.version>
<spring.version>5.2.8.RELEASE</spring.version>
</properties>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring-security.version}</version>
</dependency>Note that Spring and Spring Security are on different release schedules, so there isnβt always a 1:1 match between the version numbers.
If youβre working with older versions of Spring β also very important to understand is the fact that, unintuitively, Spring Security 4.1.x do not depend on Spring 4.1.x releases! For example, when Spring Security 4.1.0 was released, Spring core framework was already at 4.2.x and hence includes that version as its compile dependency. The plan is to align these dependencies more closely in future releases β see this JIRA for more details β but for the time being, this has practical implications that weβll look at next.
2.2. spring-security-web
To add Web support for Spring Security, we need the spring-security-web dependency:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring-security.version}</version>
</dependency>This contains filters and related web security infrastructure that enables URL access control in a Servlet environment.
2.3. Spring Security and Older Spring Core Dependencies Problem
This new dependency also exhibits a problem for the Maven dependency graph. As mentioned above, Spring Security jars do not depend on the latest Spring core jars (but on the previous version). This may lead to these older dependencies making their way on top the classpath instead of the newer 5.x Spring artifacts.
To understand why this is happening, we need to look at how Maven resolves conflicts. In case of a version conflict, Maven will pick the jar that is closest to the root of the tree. For example, spring-core is defined by both spring-orm (with the 5.0.0.RELEASE version) but also by spring-security-core (with the 5.0.2.RELEASE version). So in both cases, spring-jdbc is defined at a depth of 1 from the root pom of our project. Because of that, it will actually matter in which order spring-orm and spring-security-core are defined in our own pom. The first one will take priority so we may end up with either version on our classpath.
To address this problem, weβll have to explicitly define some of the Spring dependencies in our own pom and not rely on the implicit Maven dependency resolution mechanism. Doing this will put that particular dependency at depth 0 from our pom (as itβs defined in the pom itself) so it will take priority. All of the following fall into the same category and all need to be explicitly defined, either directly or, for multi-module projects, in the dependencyManagement element of the parent:
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring-version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${spring-version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>${spring-version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>${spring-version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
<version>${spring-version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>${spring-version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-expression</artifactId>
<version>${spring-version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>${spring-version}</version>
</dependency>2.4. spring-security-config and Others
To use the rich Spring Security XML namespace and annotations, weβll need the spring-security-config dependency:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring-security.version}</version>
</dependency>Finally, LDAP, ACL, CAS, OAuth and OpenID support have their own dependencies in Spring Security: spring-security-ldap, spring-security-acl, spring-security-cas, spring-security-oauth and spring-security-openid.
3. Using Spring Boot
When working with Spring Boot, the spring-boot-starter-security starter will automatically include all dependencies such as spring-security-core, spring-security-web, and spring-security-config among others:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>2.3.3.RELEASE</version>
</dependency>
Since Spring Boot will be managing all the dependencies automatically for us, this will also get rid of the spring security and older core dependencies problem mentioned previously.
4. Using Snapshots and Milestones
Spring Security milestones, as well as snapshots, are available in the custom Maven repositories provided by Spring. For additional details about how to configure these, see how to use Snapshots and Milestones.
5. Conclusion
In this quick tutorial, we discussed the practical details of using Spring Security with Maven. The Maven dependencies presented here are of course some of the major ones, and there are several others that may be worth mentioning and havenβt yet made the cut. Nevertheless, this should be a good starting point for using Spring in a Maven enabled project.
