The Spring IO team has announced the Spring Security 3.2 release. The notable changes in this release are Java configuration support, improved protection against CSRF and clickjacking attacks, and Servlet 3+ API support. Beyond these, there are plenty of minor API changes listed in the change notes, and more than 150 issues were fixed in this release. Here I list the important features added in this release with a brief description of each. For more details on each feature, please look at their documentation.
1. Java Configuration Support
Java configuration has been supported since Spring Security 3.1. With the 3.2 release, you can configure Spring Security without any XML configuration files; everything can be done through Java configuration alone.
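As an added example (not code from the original post or from the Spring Security project), here is a complete XML-free Spring Security 3.2 configuration. It assumes a Servlet 3.0+ container; the user names, passwords and URL patterns are constructed sample values, and the initializer class is shown in the same file only for brevity.

```java
// Added example: a complete Spring Security 3.2 Java configuration with no
// web.xml and no security XML. Users, passwords and paths are constructed.
package example.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory users for the example only; a real deployment backs this
        // with a UserDetailsService and hashed passwords.
        auth.inMemoryAuthentication()
            .withUser("alice").password("alice-pw").roles("USER").and()
            .withUser("admin").password("admin-pw").roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .logout();
        // CSRF protection and the default security headers are enabled by
        // default in Java configuration, so nothing more is needed for them.
    }
}

// Registers springSecurityFilterChain with the container, replacing the
// <filter> and <filter-mapping> entries web.xml would otherwise need.
// Normally lives in its own source file.
class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
    SecurityWebApplicationInitializer() {
        super(SecurityConfig.class);
    }
}
```

Passing `SecurityConfig.class` to the initializer's constructor creates a root application context from it; if the application already bootstraps its own Spring context, use the no-argument constructor and let that context pick up the configuration class instead.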
2. Cross Site Request Forgery (CSRF) Protection
CSRF attacks are very common in attacks on banking sites. They happen because the bank's website cannot tell the difference between a request made from its own pages and one made from a hacker's website. Spring Security 3.2 adds the Synchronizer Token Pattern, which verifies a token before giving access to the request; a hacker's website cannot generate these tokens.
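As an added example (not from the original post), the controller below shows how an application obtains the synchronizer token that Spring Security 3.2's CsrfFilter stores on each request, so that its own forms and AJAX calls can send it back; the `CsrfToken` attribute name and the `_csrf` / `X-CSRF-TOKEN` names are the ones CsrfFilter uses, while the endpoint path is a constructed example and the JSON rendering assumes Jackson is on the classpath.

```java
// Added example: exposing the per-session CSRF token to the application's
// own JavaScript. The token is only checked on state-changing methods
// (POST, PUT, DELETE, PATCH); GET requests are never rejected by CsrfFilter.
package example.web;

import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class CsrfTokenController {

    // CsrfFilter publishes the token under CsrfToken.class.getName() and also
    // under its parameter name ("_csrf"). Spring MVC <form:form> tags pick it
    // up automatically; AJAX clients fetch it here and echo it back in the
    // X-CSRF-TOKEN header. A cross-site page cannot read this response because
    // of the browser's same-origin policy, which is what makes the pattern work.
    @RequestMapping(value = "/csrf-token", method = RequestMethod.GET)
    @ResponseBody
    public Map<String, String> token(HttpServletRequest request) {
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        Map<String, String> body = new LinkedHashMap<String, String>();
        if (token == null) {
            // Only happens when CSRF protection has been disabled in the config.
            body.put("enabled", "false");
            return body;
        }
        body.put("enabled", "true");
        body.put("headerName", token.getHeaderName());       // "X-CSRF-TOKEN"
        body.put("parameterName", token.getParameterName()); // "_csrf"
        body.put("token", token.getToken());
        return body;
    }
}
```

Note the default difference between the two configuration styles: Java configuration turns CSRF protection on unless you call `http.csrf().disable()`, whereas XML configuration still requires an explicit `<csrf/>` element.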
3. Click Jacking Protection
Allowing your website to be placed inside a frame can be a security issue. For example, using clever CSS styling, users could be tricked into clicking on something they did not intend to. Spring Security 3.2 adds the X-Frame-Options and X-XSS-Protection headers to protect against clickjacking.
4. Security HTTP Response Headers
Spring Security makes it convenient to add the more common security headers to your application, and it also provides hooks for adding custom headers. The new release adds some more of the common headers to improve security.
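As an added example covering both the clickjacking protection of section 3 and the response headers of section 4 (this is not code from the original post or from the Spring Security project), here is an explicit headers configuration in 3.2 Java config. It uses the built-in writers for X-Content-Type-Options, X-XSS-Protection, Cache-Control and Strict-Transport-Security, the `XFrameOptionsHeaderWriter` to choose SAMEORIGIN instead of the DENY that `frameOptions()` sets, and `StaticHeadersWriter` for a custom header; the custom header value is a constructed example.

```java
// Added example: opting into specific security headers. In 3.2, calling
// headers() with no further methods enables all default writers; naming
// individual writers, as below, enables only those.
package example.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;

@Configuration
@EnableWebSecurity
public class HeadersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .headers()
                // X-Content-Type-Options: nosniff  (stops MIME sniffing of responses)
                .contentTypeOptions()
                // X-XSS-Protection: 1; mode=block
                .xssProtection()
                // Cache-Control: no-cache, no-store, ... so secured pages are not
                // served from a shared cache or the browser's back button
                .cacheControl()
                // Strict-Transport-Security on HTTPS responses
                .httpStrictTransportSecurity()
                // X-Frame-Options: SAMEORIGIN. frameOptions() would emit DENY,
                // which is the safer choice when the site never frames itself.
                .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
                // A header Spring Security has no dedicated writer for.
                .addHeaderWriter(new StaticHeadersWriter("X-Robots-Tag", "noindex"));
    }
}
```

A quick way to confirm the result is to look at the response headers of any secured page in the browser's developer tools or with `curl -I`; each writer above corresponds to one header line there.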
5. Spring MVC Integration
Spring Security provides a number of configurations for integrating with Spring MVC. Use @EnableWebMvcSecurity to enable the Spring MVC integration. The example code would look like this:

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // ... override configure(HttpSecurity) and configure(AuthenticationManagerBuilder) as usual
}
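As an added example (not from the original post), the controller below uses what @EnableWebMvcSecurity adds on top of @EnableWebSecurity in 3.2: the `@AuthenticationPrincipal` argument resolver (the annotation lives in `org.springframework.security.web.bind.annotation` in this release) and, behind the scenes, a `CsrfRequestDataValueProcessor` so that Spring MVC `<form:form>` tags emit the CSRF token automatically. The path and view name are constructed sample values.

```java
// Added example: injecting the authenticated principal into a handler method
// instead of reaching into SecurityContextHolder and casting.
package example.web;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.bind.annotation.AuthenticationPrincipal;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class ProfileController {

    // User is the principal type produced by the in-memory and JDBC user
    // details services; substitute your own UserDetails implementation if
    // the application has one. The resolver sets the argument to null when
    // the principal is not assignable to the declared type, so a mismatch
    // shows up as a NullPointerException here rather than a ClassCastException.
    @RequestMapping(value = "/profile", method = RequestMethod.GET)
    public String profile(@AuthenticationPrincipal User user, Model model) {
        model.addAttribute("username", user.getUsername());
        model.addAttribute("authorities", user.getAuthorities());
        return "profile";
    }
}
```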
6. Concurrency Support
From this release, Spring Security supports multi-threaded environments, giving code that runs in a different thread access to the security context of the thread that started it.
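As an added example (not from the original post), this class uses the `org.springframework.security.concurrent` wrappers introduced in 3.2 to carry the caller's SecurityContext into an executor's worker thread. The thread-pool size and the task are constructed for the example.

```java
// Added example: propagating the SecurityContext into background work.
// SecurityContextHolder is ThreadLocal-based by default, so without the
// wrapper the pool thread would see no Authentication at all.
package example.concurrent;

import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import org.springframework.security.concurrent.DelegatingSecurityContextExecutorService;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class BackgroundAudit {

    // Wrapping the pool once means every task submitted through it captures
    // the SecurityContext of the thread calling submit(), and the wrapper
    // clears that context from the worker thread when the task finishes, so
    // one user's identity never leaks into the next task on the same thread.
    private final ExecutorService executor =
        new DelegatingSecurityContextExecutorService(Executors.newFixedThreadPool(4));

    public Future<String> whoDidThis() {
        return executor.submit(new Callable<String>() {
            public String call() {
                Authentication auth = SecurityContextHolder.getContext().getAuthentication();
                return auth == null ? "anonymous" : auth.getName();
            }
        });
    }

    public void shutdown() {
        executor.shutdown();
    }
}
```

If the executor is managed by Spring rather than created by hand, `DelegatingSecurityContextExecutor` and `DelegatingSecurityContextScheduledExecutorService` from the same package play the same role; a single `Runnable` can also be wrapped on its own with `DelegatingSecurityContextRunnable`.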
7. Servlet 3.0+ Integration
The following Servlet 3 methods are integrated in the latest release of Spring Security:
- HttpServletRequest.authenticate(HttpServletRequest,HttpServletResponse)
- HttpServletRequest.login(String,String)
- HttpServletRequest.logout()
- AsyncContext.start(Runnable)
- Async Servlet Support
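As an added example (not from the original post), here is a plain servlet exercising the Servlet 3.0 methods listed above under Spring Security 3.2: `request.login()` goes through the configured AuthenticationManager, `request.logout()` runs the configured logout handlers, and the Runnable handed to `AsyncContext.start()` sees the same SecurityContext as the request thread. The URL and parameter names are constructed for the example; it assumes the security filter was registered with async support, which `AbstractSecurityWebApplicationInitializer` does by default.

```java
// Added example: login, logout and async work through the Servlet 3.0 API,
// all backed by Spring Security's configuration rather than the container's
// own realm.
package example.web;

import java.io.IOException;

import javax.servlet.AsyncContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

@WebServlet(urlPatterns = "/api/session", asyncSupported = true)
public class SessionServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        if ("login".equals(action)) {
            try {
                // Delegates to Spring Security's AuthenticationManager; a bad
                // password surfaces as a ServletException rather than silently.
                req.login(req.getParameter("username"), req.getParameter("password"));
                resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
            } catch (ServletException e) {
                // Deliberately the same response for unknown user and wrong
                // password, so the endpoint does not reveal which one it was.
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
        } else if ("logout".equals(action)) {
            // Runs Spring Security's LogoutHandlers: session invalidation,
            // remember-me cleanup and clearing of the SecurityContext.
            req.logout();
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } else {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
        final AsyncContext ctx = req.startAsync();
        ctx.start(new Runnable() {
            public void run() {
                // Available here because Spring Security wraps the Runnable
                // passed to AsyncContext.start() in a DelegatingSecurityContextRunnable.
                Authentication auth = SecurityContextHolder.getContext().getAuthentication();
                String name = auth == null ? "anonymous" : auth.getName();
                try {
                    ctx.getResponse().getWriter().write(name);
                } catch (IOException e) {
                    // Nothing useful to do for a client that went away.
                }
                ctx.complete();
            }
        });
    }
}
```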
8. Servlet 3.1+ Integration
It also supports the Servlet 3.1 method:
- HttpServletRequest#changeSessionId()
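As an added example (not from the original post), the configuration below shows where `changeSessionId()` is used: Spring Security 3.2's session-fixation protection can rotate the session id at login with this Servlet 3.1 method instead of copying attributes into a brand-new session. On a 3.1+ container this is already the default; naming it explicitly, next to the weak setting it replaces, documents the intent. Paths are constructed sample values.

```java
// Added example: session-fixation protection choices in 3.2 Java config.
package example.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SessionSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                // Weak: .sessionFixation().none() would keep the pre-login session
                // id, so an id planted in the victim's browser before login stays
                // valid afterwards. Strong: keep the session's attributes but have
                // the container issue a new id via HttpServletRequest#changeSessionId().
                // On a Servlet 3.0 container use .migrateSession() instead, which
                // achieves the same by creating a new session and copying attributes.
                .sessionFixation().changeSessionId()
                // One concurrent session per user; a second login expires the first.
                .maximumSessions(1);
    }
}
```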