I'm making a Spring MVC application with some users but only ONE role for all of them (user_role). Do you think it is necessary to implement Spring Security even though my application has only one role?

Thanks,

tereško
Luisao

1 Answer

Security is more than simply authorization (given I know who the user is, are they allowed to access the resource?). Fortunately, Spring Security provides an easy means to do more than authorization:

  • Security is also about authentication. Authentication is securely identifying who the user is (i.e. comparing a username/password). This may seem trivial, but keep in mind you should store passwords securely (i.e. using BCrypt), ensure you protect against session fixation attacks, protect against timing attacks, etc. All of these Spring Security provides for you out of the box.

  • There are all sorts of attack vectors that Spring Security helps protect against (i.e. CSRF, XSS, Content Sniffing, Clickjacking, etc.). You can implement all of these protections yourself, but first you need to know the attack exists (many of these are protected against without any additional work on your side), then you need to understand how to secure your application from the attack (and keep this information up to date), and the list goes on.

  • Providing defense in depth is critical to security. Spring Security allows you to easily add method-based security as well as URL-based security.

Rob Winch
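To make the answer concrete, here is a single-role configuration that exercises the points above: BCrypt password storage, form login, session fixation protection, CSRF, security headers, URL-based rules, and a method-based rule on top for defense in depth. This is an added example, not code from the answer's author or from the Spring project. It assumes Spring Security 6.x (the lambda DSL and `requestMatchers`; older versions use `WebSecurityConfigurerAdapter` and `antMatchers` instead), and the user name, password, paths and `ReportService` are constructed placeholders.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity   // turns on @PreAuthorize for the method-based layer
public class SecurityConfig {

    // Passwords are hashed with BCrypt; only the hash is ever stored.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Constructed sample user for the example; a real app would load users
    // from a database via its own UserDetailsService.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice")
                .password(encoder.encode("change-me"))
                .roles("USER")             // the application's single role
                .build());
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // URL-based rules: a few public paths, everything else needs USER.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .anyRequest().hasRole("USER"))
            // Authentication: form login with a custom login page.
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout.logoutUrl("/logout"))
            // Session fixation: issue a fresh session id after login.
            .sessionManagement(session -> session.sessionFixation().migrateSession())
            // CSRF protection is on by default; stated explicitly here for clarity.
            .csrf(Customizer.withDefaults())
            // Response headers: X-Content-Type-Options: nosniff and
            // X-Frame-Options: DENY (content sniffing and clickjacking).
            .headers(headers -> headers
                .contentTypeOptions(Customizer.withDefaults())
                .frameOptions(frame -> frame.deny()));
        return http.build();
    }
}

// Method-based security: even if a URL rule is misconfigured later, the
// service call itself still requires the role (defense in depth).
@Service
class ReportService {

    @PreAuthorize("hasRole('USER')")
    public List<String> monthlyReport() {
        return List.of("report-2024-01", "report-2024-02");   // constructed data
    }
}
```

The `csrf`, `sessionManagement` and `headers` calls only restate what the default filter chain already does; they are written out so the protections the answer lists are visible in one place. With a single role, `hasRole("USER")` on `anyRequest()` is effectively "must be logged in", and the `@PreAuthorize` annotation repeats that requirement at the service boundary.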