I have written another post listing how to construct your login and logout pages to work with spring-security. It’s important that you read this post first if you’re new to spring-security.
Security in web applications is a big concern. More often than not developers miss securing a few pages here and there. These pages aren’t a huge concern till someone finds them and starts to mess with your system using them. Then the scramble to fix and re-evaluate your security starts. So, why don’t we secure ALL our pages instead of most of them? And why don’t we allow access to only those which we define and block access to everything else? This inverted model of security is what has been implemented in spring security. It’s a beautiful and powerful solution to securing web apps. Yes, i’m a spring fanboi but you’ll love spring security too once you love it.
As with anything else related to spring the learning curve on spring-security is just as steep. But once you get the hang of it, it’s easy peasy and you can use the same configuration over and over again in your web apps. It’s also worthwhile to mention that spring-security’s documentation could be a LOT better in terms of content not to mention better laid out. (more…)