Java Spring Security Cheat Sheet
Covers Spring Security filter chain configuration, password encoding, method-level authorization, and JWT resource server setup for securing APIs.
3 PagesAdvancedMar 30, 2026
Security Filter Chain Configuration
Define HTTP security rules using the Spring Security 6 lambda DSL.
java
@Configuration@EnableWebSecuritypublic class SecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests(auth -> auth .requestMatchers("/public/**").permitAll() .requestMatchers("/admin/**").hasRole("ADMIN") .anyRequest().authenticated()) .formLogin(Customizer.withDefaults()) .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**")) .sessionManagement(sm -> sm .sessionCreationPolicy(SessionCreationPolicy.STATELESS)); return http.build(); }}
Password Encoding & UserDetailsService
Authenticate users against a custom source with a secure hash.
java
@Beanpublic PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); // never store plaintext passwords}@Beanpublic UserDetailsService userDetailsService(PasswordEncoder encoder) { UserDetails user = User.withUsername("alice") .password(encoder.encode("s3cret")) .roles("USER") .build(); return new InMemoryUserDetailsManager(user);}
Method-Level Security
Secure service methods directly with annotations.
java
@Configuration@EnableMethodSecurity // enables @PreAuthorize/@PostAuthorize/@Securedpublic class MethodSecurityConfig {}@Servicepublic class AccountService { @PreAuthorize("hasRole('ADMIN')") public void deleteAccount(Long id) { /* ... */ } @PreAuthorize("#username == authentication.name") public Account getOwnAccount(String username) { /* ... */ } @PostAuthorize("returnObject.owner == authentication.name") public Account getAccount(Long id) { /* ... */ }}
JWT Resource Server
Validate bearer JWTs for stateless API authentication.
java
@Beanpublic SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests(auth -> auth .requestMatchers("/api/**").authenticated()) .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults())); return http.build();}// application.yml// spring:// security:// oauth2:// resourceserver:// jwt:// issuer-uri: https://auth.example.com/
Core Concepts
Building blocks of the Spring Security architecture.
- SecurityFilterChain- Ordered chain of servlet filters that intercept requests to enforce authentication and authorization.
- AuthenticationManager- Central interface that processes an Authentication request and returns a fully authenticated token.
- UserDetailsService- Loads user-specific data (username, password, authorities) for authentication.
- SecurityContextHolder- Thread-bound holder for the current Authentication, accessible anywhere via SecurityContextHolder.getContext().
- GrantedAuthority- Represents a permission granted to the principal, e.g. ROLE_ADMIN or SCOPE_read.
- CSRF Protection- Enabled by default for browser sessions; typically disabled for stateless token-based APIs.
Pro Tip
Never disable CSRF protection globally just to make a form-based endpoint work - scope csrf.ignoringRequestMatchers() to stateless API paths only, since browser-session endpoints with cookies remain vulnerable to CSRF.
Was this cheat sheet helpful?
Explore Topics
#JavaSpringSecurity#JavaSpringSecurityCheatSheet#Programming#Advanced#Security#Filter#Chain#Configuration#Functions#APIs#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance