Spring Security with Maven

1. Overview

This article will explain how to setup Spring Security with Maven and will go over specific use-cases of using Spring Security dependencies. The latest Spring Security releases can be found on Maven Central.

This is a followup to the previous Spring with Maven article, so for non-security Spring dependencies, that’s the place to start.
 
 
 

2. Spring Security with Maven

2.1. spring-security-core

The Core Spring Security support – spring-security-core – contains authentication and access control functionality, and has support for standalone (non-web) applications, method level security and JDBC:

<properties>
    <org.springframework.security.version>3.1.4.RELEASE</org.springframework.security.version>
    <org.springframework.version>3.2.4.RELEASE</org.springframework.version>
</properties>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${org.springframework.security.version}</version>
</dependency>

Notice that we’re using the 3.1.4.RELEASE version of Spring Security – Spring and Spring Security are on different release schedules, so there isn’t a 1:1 match between the version numbers.

Also very important to understand is the fact that, unintuitively, Spring Security 3.1.x do not depend on Spring 3.1.x releases – this is because Spring Security 3.1.x was released before Spring 3.1. The plan is to align these dependencies more closely in future releases – see this JIRA for more details – but for the time being, this has practical implications that we will look at next.

2.2. spring-security-web

To add Web support for Spring Security, the spring-security-web dependency is required:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${org.springframework.security.version}</version>
</dependency>

This contains filters and related web security infrastructure enabling URL access control in a Servlet environment.

2.3. Spring Security and older Spring Core dependencies problem

This new dependency also exhibits a problem for the Maven dependency graph – as mentioned above, Spring Security may depend on 3.0.x Spring dependencies – which may lead to these older dependencies making their way on top the classpath instead of the newer 3.2.x Spring artifacts.

To understand why this is happening, we need to look at how Maven resolves conficts – in case of a version conflict, Maven will pick the jar that is closest to the root of the tree. In our case, spring-jdbc is defined by both spring-orm (with the 3.2.2.RELEASE version) but also by spring-security-web (with the 3.0.7.RELEASE version) – so in both cases, spring-jdbc is defined at a depth of 1 from the root pom of our project. Because of that, it will actually matter in which order spring-orm and spring-security-web are defined in our own pom – the first one will take priority so we may end up with either version on our classpath.

To address this problem, we will have to explicitly define some of the Spring dependencies in our own pom and not rely on the implicit Maven dependency resolution mechanism – doing this will put that particular dependency at depth 0 from our pom (as it’s defined in the pom itself) so it will take priority. All of the following fall into the same category and all need to be explicitly defined, either directly or, for multi-module projects, in the dependencyManagement element of the parent:

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>${org.springframework.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context</artifactId>
    <version>${org.springframework.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-jdbc</artifactId>
    <version>${org.springframework.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId>
    <version>${org.springframework.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-aop</artifactId>
    <version>${org.springframework.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-tx</artifactId>
    <version>${org.springframework.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-expression</artifactId>
    <version>${org.springframework.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>${org.springframework.version}</version>
</dependency>

2.4. spring-security-config and others

To use the rich Spring Security XML namespace, the spring-security-config dependency will be required:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${org.springframework.security.version}</version>
    <scope>runtime</scope>
</dependency>

No application code should compile against this dependency, so it should be scoped as runtime.

Finally, LDAP, ACL, CAS and OpenID support have their own dependencies in Spring Security: spring-security-ldap, spring-security-acl, spring-security-cas and spring-security-openid.

3. Using Snapshots and Milestones

Spring Security milestones as well as snapshots are available in the custom Maven repositories provided by Spring – for additional details about how to configure these, see how to use Snapshots and Milestones.

4. Conclusion

This article discusses the practical details of using Spring Security with Maven. The Maven dependencies presented here are of course some of the major ones, and there are several others that may be worth mentioning and have not yet made the cut. Nevertheless this should be a good starting point for using Spring in a Maven enabled project.
 

Reference: Spring Security with Maven from our JCG partner Eugen Paraschiv at the baeldung blog.
Related Whitepaper:

Functional Programming in Java: Harnessing the Power of Java 8 Lambda Expressions

Get ready to program in a whole new way!

Functional Programming in Java will help you quickly get on top of the new, essential Java 8 language features and the functional style that will change and improve your code. This short, targeted book will help you make the paradigm shift from the old imperative way to a less error-prone, more elegant, and concise coding style that’s also a breeze to parallelize. You’ll explore the syntax and semantics of lambda expressions, method and constructor references, and functional interfaces. You’ll design and write applications better using the new standards in Java 8 and the JDK.

Get it Now!  

Leave a Reply


7 − six =



Java Code Geeks and all content copyright © 2010-2014, Exelixis Media Ltd | Terms of Use | Privacy Policy
All trademarks and registered trademarks appearing on Java Code Geeks are the property of their respective owners.
Java is a trademark or registered trademark of Oracle Corporation in the United States and other countries.
Java Code Geeks is not connected to Oracle Corporation and is not sponsored by Oracle Corporation.

Sign up for our Newsletter

20,709 insiders are already enjoying weekly updates and complimentary whitepapers! Join them now to gain exclusive access to the latest news in the Java world, as well as insights about Android, Scala, Groovy and other related technologies.

As an extra bonus, by joining you will get our brand new e-books, published by Java Code Geeks and their JCG partners for your reading pleasure! Enter your info and stay on top of things,

  • Fresh trends
  • Cases and examples
  • Research and insights
  • Two complimentary e-books