More secure by default

Spring Security 4.0.0 with WebSocket support and Spring Data integration

Natali Vlatko
Handshake image via Shutterstock

Spring Security 4.0.0 has landed with support for testing, Spring Data integration, plus support for WebSockets. The Java/Java EE framework hopes to keep up with exploits against applications as they evolve.

Spring Security has been amped up with its 4.0.0 offering, becoming decidedly more secure as part of this latest major release. Spring Security and LDAP project lead Robert Winch made the announcement recently, which closes over 175 tickets.

The main highlights of the release are WebSocket support and Spring Data integration, allowing for the possibility of referring to Spring Security’s user within Spring Data queries using SpEL.

The WebSocket support provided in the update doesn’t supply direct support for JSR-356, the Java API for WebSocket. The documentation states that doing so would “provide little value” in this regard.

This is because the format is unknown, so there is little Spring can do to secure an unknown format. Additionally, JSR-356 does not provide a way to intercept messages, so security would be rather invasive.

To take advantage of this new feature, users of Spring Security 4.0.0 are encouraged to simply extend the AbstractSecurityWebSocketMessageBrokerConfigurer and configure the MessageSecurityMetadataSourceRegistry as below:

public class WebSocketSecurityConfig
      extends AbstractSecurityWebSocketMessageBrokerConfigurer { 1 2

    protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
                .simpDestMatchers("/user/*").authenticated() 3

More information about Spring Security’s new WebSocket support can be found here.

The inclusion of Spring Data integration has been described as useful and necessary to support paged results “since filtering the results afterwards would not scale”. Users can now apply a bean of type SecurityEvaluationContextExtension. Doing so looks like this:

public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
	return new SecurityEvaluationContextExtension();

If you’re keen to utilise this in an XML configuration, it would look like this:

<bean class=""/>

The rest of the updates

Test support has additionally been added to the mix, to test method-based security. Once you’ve set up a Spring Security test (using @RunWith and @ContextConfiguration), you’ll be able to run tests via the following:

  • @WithMockUser: Easy running of tests as a user with the username “user”, the password “password”, and the roles “ROLE_USER”
  • @WithUserDetails: Similar to @WithMockUser, this customises the Authentication principle, requiring the user to exist
  • @WithSecurityContext: Allows you to create any SecurityContext you want

Spring MVC Test integration is also in there, which had already existed as a separate project on GitHub before being included in Spring Framework 3.2.

Calling this release “more secure by default”, Winch also detailed some non-passive changes to ensure there was a minimising of information leakage, deprecated APIs were removed, as well as default secure settings being established.

Documentation is available for the migration from Spring Security 3 to Spring Security 4, which is available in XML and Java configurations.

Natali Vlatko
An Australian who calls Berlin home, via a two year love affair with Singapore. Natali was an Editorial Assistant for (S&S Media Group).

Inline Feedbacks
View all comments