100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Java Spring Security Cheat Sheet

Java Spring Security Cheat Sheet

Covers Spring Security filter chain configuration, password encoding, method-level authorization, and JWT resource server setup for securing APIs.

3 PagesAdvancedMar 30, 2026

Security Filter Chain Configuration

Define HTTP security rules using the Spring Security 6 lambda DSL.

java
@Configuration@EnableWebSecuritypublic class SecurityConfig {    @Bean    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {        http            .authorizeHttpRequests(auth -> auth                .requestMatchers("/public/**").permitAll()                .requestMatchers("/admin/**").hasRole("ADMIN")                .anyRequest().authenticated())            .formLogin(Customizer.withDefaults())            .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**"))            .sessionManagement(sm -> sm                .sessionCreationPolicy(SessionCreationPolicy.STATELESS));        return http.build();    }}

Password Encoding & UserDetailsService

Authenticate users against a custom source with a secure hash.

java
@Beanpublic PasswordEncoder passwordEncoder() {    return new BCryptPasswordEncoder();     // never store plaintext passwords}@Beanpublic UserDetailsService userDetailsService(PasswordEncoder encoder) {    UserDetails user = User.withUsername("alice")            .password(encoder.encode("s3cret"))            .roles("USER")            .build();    return new InMemoryUserDetailsManager(user);}

Method-Level Security

Secure service methods directly with annotations.

java
@Configuration@EnableMethodSecurity  // enables @PreAuthorize/@PostAuthorize/@Securedpublic class MethodSecurityConfig {}@Servicepublic class AccountService {    @PreAuthorize("hasRole('ADMIN')")    public void deleteAccount(Long id) { /* ... */ }    @PreAuthorize("#username == authentication.name")    public Account getOwnAccount(String username) { /* ... */ }    @PostAuthorize("returnObject.owner == authentication.name")    public Account getAccount(Long id) { /* ... */ }}

JWT Resource Server

Validate bearer JWTs for stateless API authentication.

java
@Beanpublic SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {    http        .authorizeHttpRequests(auth -> auth            .requestMatchers("/api/**").authenticated())        .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));    return http.build();}// application.yml// spring://   security://     oauth2://       resourceserver://         jwt://           issuer-uri: https://auth.example.com/

Core Concepts

Building blocks of the Spring Security architecture.

  • SecurityFilterChain- Ordered chain of servlet filters that intercept requests to enforce authentication and authorization.
  • AuthenticationManager- Central interface that processes an Authentication request and returns a fully authenticated token.
  • UserDetailsService- Loads user-specific data (username, password, authorities) for authentication.
  • SecurityContextHolder- Thread-bound holder for the current Authentication, accessible anywhere via SecurityContextHolder.getContext().
  • GrantedAuthority- Represents a permission granted to the principal, e.g. ROLE_ADMIN or SCOPE_read.
  • CSRF Protection- Enabled by default for browser sessions; typically disabled for stateless token-based APIs.
Pro Tip

Never disable CSRF protection globally just to make a form-based endpoint work - scope csrf.ignoringRequestMatchers() to stateless API paths only, since browser-session endpoints with cookies remain vulnerable to CSRF.

Was this cheat sheet helpful?

Explore Topics

#JavaSpringSecurity#JavaSpringSecurityCheatSheet#Programming#Advanced#Security#Filter#Chain#Configuration#Functions#APIs#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech

Professional Web Designing Services

  • Responsive Websites
  • E-commerce Solutions
  • SEO Friendly Design
  • Fast & Secure
  • Support & Maintenance
Get a Free Quote

Share this Cheat Sheet