Rob Winch
Rob Winch is employed by VMware as the project lead of security-related projects within Spring. He is also a committer on the core Spring Framework and co-author of Spring Security LiveLessons and a Spring Security book. In the past he has worked in the health care industry, bioinformatics research, high-performance computing, and as a web consultant. When he is not sitting in front of a computer he enjoys cycling with his friends.
Recent Blog posts by Rob Winch
Spring Security 3.2.0.RC1 Highlights: Security Headers
UPDATE NOTE: This blog post is no longer maintained. Refer to the Headers documentation for up to date information about Spring Security's Headers. Original Article:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .headers().disable()
        ...;
}
}
Spring Security 3.2.0.RC1 Highlights: CSRF Protection
On Monday I announced the release of Spring Security 3.2.0.RC1. This is the first of a two-part blog series going over the new features found in Spring Security 3.2.0.RC1. In this first entry, I will go over Spring Security's CSRF support. In the next post, I will go over the various security headers that have been added. CSRF Attacks: Spring Security has added protection against Cross Site Request Forgery (CSRF) attacks. Great, but what is a CSRF attack and how can Spring Security protect me against it? Let's take a look at a concrete example to get a better…
Spring Security 3.2.0.RC1 Released (08/2013)
Spring Security Java Config Preview: Readability
In this post, I will discuss how to make your Spring Security Java configuration more readable. The post is intended to elaborate on a point from Spring Security Java Config Preview: Web Security where I stated: By formatting our Java configuration code it is much easier to read. It can be read similar to the XML namespace equivalent where "and()" represents optionally closing an XML element. Indentation: The indentation of Spring Security's Java configuration really impacts its readability. In general, indentation like a bullet list should be preferred. For a more concrete example, take a look…
Spring Security Java Config Preview: OAuth
This is the fourth post in my five-part blog series that introduces Spring Security Java configuration. In this post, we will discuss how Spring Security Java configuration can be extended by walking through Spring Security OAuth Java configuration support. Proof of Concept: While the Spring Security Java configuration works well for very basic configuration, it is just a proof of concept. We have not ensured that all the functionality available in the XML namespace is present within its Java configuration support. It was important to ensure that Spring Security's Java configuration would work…
Spring Security Java Config Preview: Method Security
Update: Users should refer to the Spring Security Reference which contains more up to date information. Original Blog Post: This is the third installment of a four-part blog series. In my first post, I introduced Spring Security Java configuration and discussed some of the logistics of the project. In my previous post, we walked through a few examples of configuring web based security. In this post, I will discuss how to configure method based security using Spring Security Java configuration. Like our previous post, we will start off with a very basic example and follow it up with an example…
Spring Security Java Config Preview: Web Security
Update: Users should refer to the Spring Security Reference which contains more up to date information. Original Blog Post: In my previous post, I introduced Spring Security Java configuration and discussed some of the logistics of the project. In this post, we will start off by walking through a very simple web security configuration. We will then spice things up a bit with configuration that has been customized some. Hello Web Security: In this section we go through the most basic configuration for web based security. It can be broken into four steps: Updating your dependencies - we…
Spring Security Java Config Preview: Introduction
Required Versions: Regardless of how you decide to integrate with Spring Security, it is important to ensure you are using Spring 3.2.3.RELEASE+ to ensure that you avoid SPR-10546. Before we get started, I'd like to talk about the two modules in which Spring Security's Java Configuration can be found. Spring Security Java Configuration has been copied into the Spring Security 3.2.0.M2+ code base. This means if you are using Spring Security 3.2.0.M2+ you should ensure that you have the spring-security-config jar on your classpath. For example, you might have the following…
Spring Security 3.2.0.M2 Released
I'd like to extend a special thanks to all those that contributed to this release by submitting bugs, pull requests, and feedback. The highlights of this release include: