Spring Security 3.2 Released

The Spring IO team has announced the Spring Security 3.2 release. The most notable changes are Java configuration support, protection against Cross Site Request Forgery (CSRF) and clickjacking, and Servlet 3.0+ / 3.1+ API support. Beyond these, the change notes list plenty of minor API changes; more than 150 issues were fixed in this release. Here I list the important features added in this release with a brief description of each. For more details on each feature, please look at their
documentation.

1. Java Configuration Support

Java configuration support was developed as a separate project alongside Spring Security 3.1; with the 3.2 release it is part of Spring Security itself. An application can now be configured without any XML: the filter chain, the authentication providers and the authorization rules can all be set up through Java configuration alone, typically by extending WebSecurityConfigurerAdapter in a class annotated with @EnableWebSecurity.

2. Cross Site Request Forgery (CSRF) Protection

CSRF attacks are common against banking and other session-based sites. They work because the bank's server cannot tell a request initiated by its own pages from one initiated by a page on an attacker's site: the browser attaches the session cookie either way. Spring Security 3.2 adds protection based on the Synchronizer Token Pattern. The server issues a random token bound to the user's session, the application includes it in every state-changing request (as the _csrf form parameter or the X-CSRF-TOKEN header), and the new CsrfFilter rejects POST, PUT, DELETE and PATCH requests that do not carry the expected value. An attacker's page cannot read the token because of the browser's same-origin policy, so it cannot forge a valid request. Note that CSRF protection is enabled by default in the Java configuration but has to be switched on explicitly with <csrf/> in XML configuration.

3. Click Jacking Protection

Allowing your pages to be rendered inside a frame on another site opens the door to clickjacking: with a transparent overlay and some clever CSS styling, users can be tricked into clicking on something they did not intend to. Spring Security 3.2 sends the X-Frame-Options header (DENY by default) so that browsers refuse to display the response inside a frame. The same headers support also emits X-XSS-Protection, which turns on the browser's reflected-XSS filter; that header is a separate defense and does not protect against clickjacking.

4. Security HTTP Response Headers

Spring Security 3.2 makes it convenient to add the more common security headers to every response, and also provides a hook (the HeaderWriter interface) for adding custom headers. With the Java configuration the headers written by default are Cache-Control (no caching of secured pages, together with Pragma and Expires), X-Content-Type-Options: nosniff, Strict-Transport-Security on HTTPS requests, X-Frame-Options: DENY and X-XSS-Protection: 1; mode=block.
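Pulling sections 1 to 4 together, here is an added example of a complete Java-only configuration (written for this article, not taken from the Spring Security project): no XML, CSRF protection left switched on, and the security headers customised so that the application may be framed by its own origin. The class and the user alice / s3cret are constructed for the example; the imports are the Spring Security 3.2 package names.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/public/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            .logout()
                .permitAll()
                .and()
            // CSRF protection (synchronizer token) is on by default in the Java config.
            // Spelling it out keeps the decision visible in a code review; only a
            // stateless API that carries no session cookie should call .csrf().disable().
            .csrf()
                .and()
            .headers()
                // In the 3.2 DSL the default header set is applied only when no writer is
                // configured explicitly, so once we add our own X-Frame-Options writer we
                // must list every other default header we still want.
                .cacheControl()
                .contentTypeOptions()
                .httpStrictTransportSecurity()
                .xssProtection()
                // DENY is the safest default; SAMEORIGIN is the usual relaxation when the
                // application frames its own pages (e.g. an embedded help view).
                .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo credentials, stored in memory and in clear text.
        // A real deployment uses a UserDetailsService and a PasswordEncoder.
        auth.inMemoryAuthentication()
            .withUser("alice").password("s3cret").roles("USER");
    }
}
```

With this in place a POST from an attacker's page fails at the CsrfFilter with a 403 before any controller runs, a login form must render the _csrf token as a hidden field (it is available as the _csrf request attribute), and a response curled from a protected URL shows the full header set.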

5. Spring MVC Integration

Spring Security 3.2 also integrates with Spring MVC. Annotating the configuration class with @EnableWebMvcSecurity (instead of @EnableWebSecurity) registers the argument resolver for @AuthenticationPrincipal, so a controller method can receive the current user as a parameter, and adds a RequestDataValueProcessor that automatically inserts the CSRF token as a hidden field into Spring MVC <form:form> tags. The configuration looks like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
@EnableWebMvcSecurity // implies @EnableWebSecurity and adds the MVC argument resolver and CSRF form support
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // ... override configure(HttpSecurity) here
}
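An added controller example (mine, not from the original post or the Spring Security project) showing what @EnableWebMvcSecurity buys you: the authenticated user arrives as a method argument, and the CSRF token that the CsrfFilter stored on the request is exposed so that a JavaScript client can send it back in the X-CSRF-TOKEN header. The URLs and the AccountController class are constructed for the example; it relies on Jackson being on the classpath for the @ResponseBody map.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.bind.annotation.AuthenticationPrincipal;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class AccountController {

    // @AuthenticationPrincipal resolves to Authentication.getPrincipal() of the current
    // request. The resolver is registered by @EnableWebMvcSecurity; without it the
    // parameter would simply be null.
    @RequestMapping(value = "/account/me", method = RequestMethod.GET)
    @ResponseBody
    public Map<String, Object> me(@AuthenticationPrincipal User user, HttpServletRequest request) {
        Map<String, Object> body = new LinkedHashMap<String, Object>();
        body.put("username", user.getUsername());
        body.put("authorities", user.getAuthorities().toString());

        // CsrfFilter stores the current token under the CsrfToken class name (and under
        // "_csrf"). Handing the header name and value to the client lets an AJAX caller
        // set the X-CSRF-TOKEN header on its POST, PUT and DELETE requests.
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        body.put("csrfHeaderName", token.getHeaderName());
        body.put("csrfToken", token.getToken());
        return body;
    }

    // No CSRF check is needed here: the CsrfFilter has already rejected any POST that
    // did not carry a valid token before this method is reached.
    @RequestMapping(value = "/account/transfer", method = RequestMethod.POST)
    @ResponseBody
    public String transfer(@AuthenticationPrincipal User user,
                           @RequestParam("to") String to,
                           @RequestParam("amount") long amount) {
        // constructed placeholder for the real business call
        return user.getUsername() + " transferred " + amount + " to " + to;
    }
}
```

A GET on /account/me returns the user and the token; a POST to /account/transfer from the bank's own page, carrying that token in a header or the _csrf field, succeeds, while the same POST replayed from another origin is answered with 403 by the filter.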

6. Concurrency Support

From this release, Spring Security supports multi-threaded code. The SecurityContext is held in a ThreadLocal by default, so a Runnable or Callable handed to another thread normally sees no authentication at all. The new org.springframework.security.concurrent package adds DelegatingSecurityContextRunnable, DelegatingSecurityContextCallable, DelegatingSecurityContextExecutor and DelegatingSecurityContextExecutorService, which capture the submitting thread's SecurityContext, install it around the delegated task and clear it again afterwards.
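An added stand-alone demonstration of the failure mode and the fix (my example, not code from the post or from Spring Security; it needs only spring-security-core on the classpath). The identity alice is constructed with a TestingAuthenticationToken in place of the login that the filter chain would normally perform.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.concurrent.DelegatingSecurityContextCallable;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class ContextPropagationDemo {

    // Reports the identity visible from whichever thread runs it.
    static final Callable<String> WHO_AM_I = new Callable<String>() {
        public String call() {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth == null) {
                return "anonymous (no SecurityContext on " + Thread.currentThread().getName() + ")";
            }
            return auth.getName() + " on " + Thread.currentThread().getName();
        }
    };

    public static void main(String[] args) throws Exception {
        // Constructed demo identity; in a web application the filter chain sets this.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("alice", "n/a", "ROLE_USER"));

        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Default strategy is MODE_THREADLOCAL: the pool thread has no context,
            // so any @PreAuthorize or ACL check made from there runs as nobody.
            Future<String> bare = pool.submit(WHO_AM_I);
            System.out.println("plain Callable     : " + bare.get());

            // The wrapper copies the caller's SecurityContext when constructed, installs it
            // before call() and restores the worker's previous context afterwards, so the
            // pool thread is not left "logged in" for the next unrelated task.
            Future<String> wrapped = pool.submit(
                    new DelegatingSecurityContextCallable<String>(WHO_AM_I));
            System.out.println("delegating Callable: " + wrapped.get());
        } finally {
            pool.shutdown();
            SecurityContextHolder.clearContext();
        }
    }
}
```

For a whole pool, wrap it once in a DelegatingSecurityContextExecutorService instead of wrapping each task; the same propagation rule applies to @Async methods and to AsyncContext.start(Runnable) discussed below.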

7. Servlet 3.0+ Integration

The following Servlet 3.0 methods are integrated with the latest Spring Security release, so that they delegate to the configured AuthenticationManager, AuthenticationEntryPoint and logout handlers rather than to the container's own security realm:

  • HttpServletRequest.authenticate(HttpServletResponse)
  • HttpServletRequest.login(String,String)
  • HttpServletRequest.logout()
  • AsyncContext.start(Runnable)
  • Async Servlet Support
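An added servlet (my example, not from the post or from Spring Security) exercising the three HttpServletRequest methods above. It works only for requests that have passed through Spring Security's filter chain, because that is where the request wrapper that intercepts these calls is installed; with the Java configuration it is enabled by default. The /session URL is constructed for the example.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/session")
public class SessionServlet extends HttpServlet {

    // POST /session: request.login() runs Spring Security's AuthenticationManager and
    // stores the resulting Authentication in the SecurityContext of this session.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        try {
            req.login(username, password);
        } catch (ServletException e) {
            // Spring Security wraps AuthenticationException in ServletException; the same
            // exception is thrown if the request is already authenticated as someone else.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "authentication failed");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("logged in as " + req.getUserPrincipal().getName());
    }

    // GET /session: authenticate() returns true when the request is already authenticated.
    // Otherwise it hands the response to the configured AuthenticationEntryPoint (for form
    // login, a redirect to the login page) and returns false.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.authenticate(resp)) {
            return; // the entry point has already committed the response
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("hello " + req.getRemoteUser());
    }

    // DELETE /session: logout() runs the configured LogoutHandlers, which clear the
    // SecurityContext and invalidate the HTTP session.
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Because the CsrfFilter runs ahead of the servlet, the POST and DELETE requests here still need a valid CSRF token; only the GET is exempt.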

8. Servlet 3.1+ Integration

It also supports the Servlet 3.1 method below, which is used for session fixation protection: instead of copying the attributes into a newly created session, Spring Security can ask the container to change the id of the existing session (sessionManagement().sessionFixation().changeSessionId() in the Java configuration). This is the default when the application runs on a Servlet 3.1 container.

  • HttpServletRequest#changeSessionId()


About Krishna Srinivasan

He is Founder and Chief Editor of JavaBeat. He has more than 8 years of experience developing Web applications. He writes about Spring, DOJO, JSF, Hibernate and many other emerging technologies in this blog.
