docs
Spring Security Core is the foundational module of the Spring Security framework, providing comprehensive authentication and authorization capabilities for Java applications. It contains the essential interfaces and classes for managing security contexts, user authentication, granted authorities, and credentials that serve as the building blocks for Spring's security model.
Required Dependencies:
spring-security-core (this package)spring-core and spring-context are requiredspring-aop required for method securityspring-expression required for SpEL-based security expressionsPackage Structure:
org.springframework.security.core - Core interfaces and classes (Authentication, GrantedAuthority, SecurityContext)org.springframework.security.authentication - Authentication processing (AuthenticationManager, AuthenticationProvider, tokens)org.springframework.security.authorization - Authorization decisions (AuthorizationManager, AuthorizationDecision)org.springframework.security.core.userdetails - User management (UserDetails, UserDetailsService, User)org.springframework.security.core.context - Security context management (SecurityContextHolder, strategies)org.springframework.security.authorization.method - Method security (@PreAuthorize, @PostAuthorize, interceptors)org.springframework.security.core.authority - Authority management (SimpleGrantedAuthority, AuthorityUtils, RoleHierarchy)Default Behaviors:
SecurityContextHolder uses MODE_THREADLOCAL by default (thread-bound context, not shared)isAuthenticated() == false) - must be authenticated via AuthenticationManagereraseCredentialsAfterAuthentication=true in ProviderManager)@EnableMethodSecurity (from spring-security-config module, not core)getAuthorities() never returns null (returns empty collection if no authorities)getContext() never returns null (creates empty context if none exists)AuthenticationException.getAuthenticationRequest() available since 6.5 (for logging failed attempts)Threading Model:
SecurityContext is thread-local by default (not shared across threads)DelegatingSecurityContextExecutor for async context propagation (required for thread pools)ReactiveSecurityContextHolder with Project Reactor Context (not SecurityContextHolder)InheritableThreadLocal strategy available for child thread inheritance (use with caution in thread pools)UserDetailsService implementations should be thread-safe (called from multiple threads)Common Patterns:
AuthorizationManager → Verify access decisionUserDetailsService → Load from data source → Return UserDetails with authorities@PreAuthorize → Configure interceptors → Evaluate SpEL expressionsAuthenticationProvider → Override authenticate() and supports() → Add to ProviderManagerIntegration Points:
spring-security-web for HTTP security (filters, servlet integration)spring-security-config for configuration (@EnableWebSecurity, @EnableMethodSecurity)AuthenticationManager, UserDetailsService)Critical Edge Cases:
getAuthentication() != null before usetoBuilder() since 7.0 to modify)ReactiveSecurityContextHolder not SecurityContextHolder in reactive chains@EnableMethodSecurity and AOP proxies (interface-based proxies work, CGLIB proxies preferred)PasswordEncoder, not plain text)SecurityContext serialized for session storage (requires Jackson modules for custom types)Exception Handling:
AuthenticationException - Base for all authentication failures (catch specific subclasses first)BadCredentialsException - Invalid credentials (don't reveal if username exists)AccountStatusException - Account issues (disabled, locked, expired)ProviderNotFoundException - No provider supports authentication typeUsernameNotFoundException - User not found (may be hidden to prevent user enumeration)Maven:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>7.0.0</version>
</dependency>Gradle:
implementation 'org.springframework.security:spring-security-core:7.0.0'// Core authentication and authorization
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
// Authentication management
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
// User details
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
// Authorization
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
// Security context
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
// Authorities
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;// 1. Create authentication request
UsernamePasswordAuthenticationToken authRequest =
UsernamePasswordAuthenticationToken.unauthenticated("username", "password");
// 2. Authenticate via manager
AuthenticationManager authManager = // ... configured manager
try {
Authentication result = authManager.authenticate(authRequest);
// 3. Set in security context
SecurityContext context = SecurityContextHolder.getContext();
context.setAuthentication(result);
// 4. Access authenticated user
String username = result.getName();
Collection<? extends GrantedAuthority> authorities = result.getAuthorities();
} catch (BadCredentialsException e) {
// Handle authentication failure
Authentication failedRequest = e.getAuthenticationRequest();
log.error("Authentication failed for user: {}",
failedRequest != null ? failedRequest.getName() : "unknown");
}// Get current authentication
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
// Check authorities
boolean hasRole = authentication != null &&
authentication.getAuthorities().stream()
.anyMatch(auth -> auth.getAuthority().equals("ROLE_ADMIN"));
// Use AuthorizationManager
AuthorizationManager<Object> manager = AuthorityAuthorizationManager.hasRole("ADMIN");
AuthorizationDecision decision = manager.check(() -> authentication, null);
if (decision != null && decision.isGranted()) {
// Access granted
}// Create user with builder
UserDetails user = User.withUsername("john")
.password("{bcrypt}$2a$10$...") // Must be encoded
.authorities("ROLE_USER", "ROLE_ADMIN")
.accountExpired(false)
.accountLocked(false)
.credentialsExpired(false)
.disabled(false)
.build();
// Or with roles (automatically prefixed with "ROLE_")
UserDetails user = User.withUsername("jane")
.password("{bcrypt}$2a$10$...")
.roles("USER", "ADMIN") // Becomes ROLE_USER, ROLE_ADMIN
.build();Spring Security Core is organized around several key architectural components:
Authentication, AuthenticationManager) and implementations for processing authentication requests across various mechanisms (username/password, tokens, custom)AuthorizationManager API for making access control decisions with support for method security, role-based access, and custom authorization logicMono and Flux return types throughout the API (WebFlux integration)The foundational authentication interfaces and classes that represent authentication requests and authenticated principals. Includes the Authentication interface, GrantedAuthority, and exception hierarchy.
package org.springframework.security.core;
interface Authentication extends Principal, Serializable {
Collection<? extends GrantedAuthority> getAuthorities();
Object getCredentials();
Object getDetails();
Object getPrincipal();
boolean isAuthenticated();
void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException;
Builder<?> toBuilder(); // since 7.0
interface Builder<B extends Builder<B>> {
B principal(Object principal);
B credentials(Object credentials);
B authorities(Consumer<Collection<GrantedAuthority>> authorities);
B details(Object details);
B authenticated(boolean authenticated);
Authentication build();
}
}
interface GrantedAuthority extends Serializable {
@Nullable String getAuthority();
}
abstract class AuthenticationException extends RuntimeException {
Authentication getAuthenticationRequest(); // since 6.5
void setAuthenticationRequest(Authentication authentication);
}Key Methods:
getAuthorities() - Returns collection of granted authorities (never null, may be empty)getPrincipal() - Returns principal (usually UserDetails or String username)getCredentials() - Returns credentials (typically null after authentication)isAuthenticated() - Returns true if token has been authenticatedtoBuilder() - Creates builder for modifying authentication (since 7.0)Services for processing authentication requests through a chain of authentication providers. Includes AuthenticationManager, ProviderManager, and reactive alternatives.
package org.springframework.security.authentication;
@FunctionalInterface
interface AuthenticationManager {
Authentication authenticate(Authentication authentication)
throws AuthenticationException;
}
class ProviderManager implements AuthenticationManager {
ProviderManager(List<AuthenticationProvider> providers);
ProviderManager(List<AuthenticationProvider> providers, AuthenticationManager parent);
void setEraseCredentialsAfterAuthentication(boolean eraseCredentials);
void setAuthenticationEventPublisher(AuthenticationEventPublisher publisher);
void setParent(AuthenticationManager parent);
}
interface AuthenticationProvider {
Authentication authenticate(Authentication authentication)
throws AuthenticationException;
boolean supports(Class<?> authentication);
}Key Methods:
AuthenticationManager.authenticate() - Processes authentication, returns authenticated token or throws exceptionProviderManager - Iterates through providers until one succeeds or all failAuthenticationProvider.supports() - Checks if provider supports authentication typeConcrete implementations of Authentication for various authentication mechanisms including username/password, anonymous, remember-me, and testing scenarios.
package org.springframework.security.authentication;
class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken {
static UsernamePasswordAuthenticationToken unauthenticated(
Object principal, Object credentials);
static UsernamePasswordAuthenticationToken authenticated(
Object principal, Object credentials,
Collection<? extends GrantedAuthority> authorities);
}
class AnonymousAuthenticationToken extends AbstractAuthenticationToken {
AnonymousAuthenticationToken(String key, Object principal,
Collection<? extends GrantedAuthority> authorities);
}
class RememberMeAuthenticationToken extends AbstractAuthenticationToken {
RememberMeAuthenticationToken(String key, Object principal,
Collection<? extends GrantedAuthority> authorities);
}Factory Methods:
unauthenticated() - Creates authentication request tokenauthenticated() - Creates fully authenticated token with authoritiesInterfaces and implementations for loading and managing user information from various data sources. Includes in-memory, JDBC, and reactive implementations.
package org.springframework.security.core.userdetails;
interface UserDetailsService {
UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException;
}
interface UserDetails extends Serializable {
Collection<? extends GrantedAuthority> getAuthorities();
@Nullable String getPassword();
String getUsername();
default boolean isAccountNonExpired() { return true; }
default boolean isAccountNonLocked() { return true; }
default boolean isCredentialsNonExpired() { return true; }
default boolean isEnabled() { return true; }
}
interface UserDetailsManager extends UserDetailsService {
void createUser(UserDetails user);
void updateUser(UserDetails user);
void deleteUser(String username);
void changePassword(String oldPassword, String newPassword);
boolean userExists(String username);
}
class User implements UserDetails {
static UserBuilder withUsername(String username);
static UserBuilder withUserDetails(UserDetails userDetails);
}Key Methods:
loadUserByUsername() - Loads user by username (throws UsernameNotFoundException if not found)User.withUsername() - Builder for creating UserDetails instancesUserDetailsManager - Extended interface with CRUD operationsThread-local and reactive context management for associating security information with the current execution context. Includes strategies for different threading models.
package org.springframework.security.core.context;
interface SecurityContext extends Serializable {
Authentication getAuthentication();
void setAuthentication(Authentication authentication);
}
class SecurityContextHolder {
static final String MODE_THREADLOCAL = "MODE_THREADLOCAL";
static final String MODE_INHERITABLETHREADLOCAL = "MODE_INHERITABLETHREADLOCAL";
static final String MODE_GLOBAL = "MODE_GLOBAL";
static SecurityContext getContext();
static void setContext(SecurityContext context);
static void clearContext();
static SecurityContext createEmptyContext();
static void setStrategyName(String strategyName);
}
class ReactiveSecurityContextHolder {
static Mono<SecurityContext> getContext();
static Function<Context, Context> clearContext();
static Context withSecurityContext(Mono<? extends SecurityContext> securityContext);
static Context withAuthentication(Authentication authentication);
}Key Methods:
getContext() - Returns current context (never null, creates empty if none exists)setContext() - Sets context (use clearContext() to remove)ReactiveSecurityContextHolder.getContext() - Returns Mono<SecurityContext> for reactive chainsModern authorization framework using AuthorizationManager for making access control decisions. Supports method security, role-based access control, and custom authorization logic.
package org.springframework.security.authorization;
@FunctionalInterface
interface AuthorizationManager<T> {
@Nullable AuthorizationResult authorize(
Supplier<? extends @Nullable Authentication> authentication, T object);
default void verify(
Supplier<? extends @Nullable Authentication> authentication, T object) {
// throws AuthorizationDeniedException if access is denied
}
}
interface AuthorizationResult extends Serializable {
boolean isGranted();
}
class AuthorizationDecision implements AuthorizationResult {
AuthorizationDecision(boolean granted);
boolean isGranted();
}
class AuthorityAuthorizationManager implements AuthorizationManager<Object> {
static AuthorityAuthorizationManager hasRole(String role);
static AuthorityAuthorizationManager hasAuthority(String authority);
}Key Methods:
authorize() - Checks authorization, returns decision or nullverify() - Checks authorization, throws exception if deniedAuthorityAuthorizationManager.hasRole() - Factory for role-based authorizationAnnotation-based and programmatic method security using interceptors and authorization managers. Supports pre/post authorization, filtering, and JSR-250 annotations.
package org.springframework.security.authorization.method;
@Target({METHOD, TYPE})
@Retention(RUNTIME)
@Inherited
@interface PreAuthorize {
String value(); // SpEL expression
}
@Target({METHOD, TYPE})
@Retention(RUNTIME)
@Inherited
@interface PostAuthorize {
String value(); // SpEL expression
}
@Target({METHOD, TYPE})
@Retention(RUNTIME)
@Inherited
@interface PreFilter {
String value(); // SpEL expression
String filterTarget() default "";
}
@Target({METHOD, TYPE})
@Retention(RUNTIME)
@Inherited
@interface PostFilter {
String value(); // SpEL expression
}
@Target({METHOD, TYPE})
@Retention(RUNTIME)
@interface Secured {
String[] value(); // Security attributes (roles/authorities)
}Note: @EnableMethodSecurity is located in the spring-security-config module, not the core module. To use method security annotations, you must include the spring-security-config dependency.
Authority representations and mapping utilities for managing granted authorities, role hierarchies, and authority transformations.
package org.springframework.security.core.authority;
final class SimpleGrantedAuthority implements GrantedAuthority {
SimpleGrantedAuthority(String role);
@Nullable String getAuthority();
}
class AuthorityUtils {
static final List<GrantedAuthority> NO_AUTHORITIES;
static List<GrantedAuthority> createAuthorityList(String... authorities);
static Set<String> authorityListToSet(
Collection<? extends GrantedAuthority> authorities);
static List<GrantedAuthority> commaSeparatedStringToAuthorityList(
String authorityString);
}
interface RoleHierarchy {
Collection<? extends GrantedAuthority> getReachableGrantedAuthorities(
Collection<? extends GrantedAuthority> authorities);
}Key Methods:
createAuthorityList() - Creates list of SimpleGrantedAuthority from stringsauthorityListToSet() - Converts authorities to set of stringsRoleHierarchy.getReachableGrantedAuthorities() - Returns input authorities plus implied onesSession registry and tracking for managing concurrent sessions, session fixation protection, and session information.
package org.springframework.security.core.session;
interface SessionRegistry {
List<Object> getAllPrincipals();
List<SessionInformation> getAllSessions(Object principal,
boolean includeExpiredSessions);
SessionInformation getSessionInformation(String sessionId);
void refreshLastRequest(String sessionId);
void registerNewSession(String sessionId, Object principal);
void removeSessionInformation(String sessionId);
}
class SessionInformation implements Serializable {
Object getPrincipal();
String getSessionId();
Date getLastRequest();
void refreshLastRequest();
boolean isExpired();
void expireNow();
}Key Methods:
getAllSessions() - Returns all sessions for principal (excludes expired by default)expireNow() - Marks session as expiredregisterNewSession() - Registers new session (typically called automatically via events)Authentication providers that use UserDetailsService for retrieving user information. Includes password encoding and validation.
package org.springframework.security.authentication.dao;
class DaoAuthenticationProvider
extends AbstractUserDetailsAuthenticationProvider {
DaoAuthenticationProvider();
void setUserDetailsService(UserDetailsService userDetailsService);
void setPasswordEncoder(PasswordEncoder passwordEncoder);
void setUserDetailsPasswordService(
UserDetailsPasswordService userDetailsPasswordService);
void setCompromisedPasswordChecker(
CompromisedPasswordChecker compromisedPasswordChecker);
void setUserCache(UserCache userCache);
void setHideUserNotFoundExceptions(boolean hideUserNotFoundExceptions);
}Key Methods:
setUserDetailsService() - Sets service for loading users (required)setPasswordEncoder() - Sets encoder for password verification (required)setUserCache() - Sets cache for user details (optional, improves performance)User and group management with CRUD operations for in-memory and JDBC-based implementations.
package org.springframework.security.provisioning;
class InMemoryUserDetailsManager
implements UserDetailsManager, UserDetailsPasswordService {
InMemoryUserDetailsManager();
InMemoryUserDetailsManager(UserDetails... users);
InMemoryUserDetailsManager(Collection<UserDetails> users);
void createUser(UserDetails user);
void updateUser(UserDetails user);
void deleteUser(String username);
void changePassword(String oldPassword, String newPassword);
boolean userExists(String username);
}
class JdbcUserDetailsManager extends JdbcDaoImpl
implements UserDetailsManager, GroupManager {
JdbcUserDetailsManager();
JdbcUserDetailsManager(DataSource dataSource);
void createUser(UserDetails user);
void updateUser(UserDetails user);
void deleteUser(String username);
boolean userExists(String username);
}Key Methods:
createUser() - Creates new user (throws exception if user exists)updateUser() - Updates existing user (replaces all fields)userExists() - Checks if user exists (returns boolean, no exception)One-time token (OTT) authentication for passwordless login flows. Includes in-memory and JDBC implementations.
package org.springframework.security.authentication.ott;
interface OneTimeToken extends Serializable {
String getTokenValue();
String getUsername();
Instant getExpiresAt();
}
interface OneTimeTokenService {
OneTimeToken generate(GenerateOneTimeTokenRequest request);
OneTimeToken consume(String tokenValue)
throws InvalidOneTimeTokenException;
}
class GenerateOneTimeTokenRequest {
GenerateOneTimeTokenRequest(String username); // Uses default 5 minute expiration
GenerateOneTimeTokenRequest(String username, Duration expiresIn);
}
class OneTimeTokenAuthenticationProvider implements AuthenticationProvider {
OneTimeTokenAuthenticationProvider(OneTimeTokenService oneTimeTokenService,
UserDetailsService userDetailsService);
}Key Methods:
generate() - Generates token for username (default 5 minute expiration)consume() - Validates and removes token (single-use, throws exception if invalid/expired)SecurityContext propagation for concurrent and asynchronous execution using executors, task schedulers, and reactive contexts.
package org.springframework.security.concurrent;
class DelegatingSecurityContextExecutor implements Executor {
DelegatingSecurityContextExecutor(Executor delegate);
DelegatingSecurityContextExecutor(Executor delegate,
SecurityContext securityContext);
void execute(Runnable task);
}
class DelegatingSecurityContextExecutorService
extends DelegatingSecurityContextExecutor implements ExecutorService {
DelegatingSecurityContextExecutorService(ExecutorService delegate);
<T> Future<T> submit(Callable<T> task);
<T> Future<T> submit(Runnable task, T result);
Future<?> submit(Runnable task);
}
class DelegatingSecurityContextTaskScheduler implements TaskScheduler {
DelegatingSecurityContextTaskScheduler(TaskScheduler delegate);
ScheduledFuture<?> schedule(Runnable task, Trigger trigger);
ScheduledFuture<?> scheduleAtFixedRate(Runnable task, Duration period);
}Key Methods:
DelegatingSecurityContextExecutor - Wraps executor to propagate contextsubmit() - Submits tasks with context propagationEvent publishing and listening infrastructure for authentication and authorization events.
package org.springframework.security.authentication;
interface AuthenticationEventPublisher {
void publishAuthenticationSuccess(Authentication authentication);
void publishAuthenticationFailure(AuthenticationException exception,
Authentication authentication);
}
class DefaultAuthenticationEventPublisher
implements AuthenticationEventPublisher, ApplicationEventPublisherAware {
void setDefaultAuthenticationFailureEvent(
Class<? extends AbstractAuthenticationFailureEvent> defaultAuthenticationFailureEvent);
void setAdditionalExceptionMappings(
Map<Class<? extends AuthenticationException>,
Class<? extends AbstractAuthenticationFailureEvent>> mappings);
}
abstract class AbstractAuthenticationEvent extends ApplicationEvent {
Authentication getAuthentication();
}Key Methods:
publishAuthenticationSuccess() - Publishes success eventpublishAuthenticationFailure() - Publishes failure event with exceptionsetAdditionalExceptionMappings() - Maps custom exceptions to eventsJava Authentication and Authorization Service (JAAS) integration for enterprise authentication scenarios.
package org.springframework.security.authentication.jaas;
class JaasAuthenticationProvider extends AbstractJaasAuthenticationProvider {
JaasAuthenticationProvider();
void setConfiguration(Configuration configuration);
void setAuthorityGranters(AuthorityGranter[] authorityGranters);
}
interface AuthorityGranter {
Set<String> grant(Principal principal);
}
class JaasAuthenticationToken extends UsernamePasswordAuthenticationToken {
JaasAuthenticationToken(Object principal, Object credentials,
LoginContext loginContext,
Collection<? extends GrantedAuthority> authorities);
LoginContext getLoginContext();
}Key Methods:
setConfiguration() - Sets JAAS configuration (required)setAuthorityGranters() - Sets mappers for JAAS principals to Spring Security authoritiesgetLoginContext() - Returns JAAS LoginContext for accessing SubjectSpEL (Spring Expression Language) support for security expressions in authorization decisions.
package org.springframework.security.access.expression;
interface SecurityExpressionOperations {
Authentication getAuthentication();
boolean hasAuthority(String authority);
boolean hasAnyAuthority(String... authorities);
boolean hasRole(String role);
boolean hasAnyRole(String... roles);
boolean permitAll();
boolean denyAll();
boolean isAnonymous();
boolean isAuthenticated();
boolean isRememberMe();
boolean isFullyAuthenticated();
boolean hasPermission(Object target, Object permission);
boolean hasPermission(Object targetId, String targetType, Object permission);
Object getPrincipal();
Object getFilterObject();
Object getReturnObject();
}
interface SecurityExpressionHandler<T> extends AopInfrastructureBean {
ExpressionParser getExpressionParser();
EvaluationContext createEvaluationContext(Authentication authentication,
T invocation);
}Key Methods:
hasRole() - Checks for role (automatically adds "ROLE_" prefix)hasAuthority() - Checks for exact authority stringhasPermission() - Checks domain object permission (requires PermissionEvaluator)getReturnObject() - Available in @PostAuthorize expressionsExpression-Based Access Control
Micrometer observation support for authentication and authorization operations, enabling metrics collection and tracing.
package org.springframework.security.authentication;
final class ObservationAuthenticationManager implements AuthenticationManager {
ObservationAuthenticationManager(ObservationRegistry observationRegistry,
AuthenticationManager delegate);
Authentication authenticate(Authentication authentication)
throws AuthenticationException;
}
class AuthenticationObservationContext extends Observation.Context {
Authentication getAuthenticationRequest();
Authentication getAuthenticationResult();
Throwable getError();
}
class ObservationAuthorizationManager<T> implements AuthorizationManager<T> {
ObservationAuthorizationManager(ObservationRegistry observationRegistry,
AuthorizationManager<T> delegate);
AuthorizationResult authorize(
Supplier<Authentication> authentication, T object);
}Key Methods:
ObservationAuthenticationManager - Wraps manager with observation supportObservationAuthorizationManager - Wraps authorization manager with observationIntegration points for checking if passwords have been compromised in data breaches.
package org.springframework.security.authentication.password;
interface CompromisedPasswordChecker {
CompromisedPasswordDecision check(String password);
}
interface ReactiveCompromisedPasswordChecker {
Mono<CompromisedPasswordDecision> check(String password);
}
class CompromisedPasswordDecision {
CompromisedPasswordDecision(boolean compromised);
CompromisedPasswordDecision(boolean compromised, long compromisedCount);
boolean isCompromised();
long getCompromisedCount();
}
class CompromisedPasswordException extends AuthenticationException {
CompromisedPasswordException(String msg);
}Key Methods:
check() - Checks if password is compromised (returns decision, not exception)isCompromised() - Returns true if password found in breach databasegetCompromisedCount() - Returns number of times password found in breachesJSON serialization/deserialization support for Spring Security objects using Jackson.
package org.springframework.security.jackson;
final class SecurityJacksonModules {
static List<JacksonModule> getModules(ClassLoader loader);
static List<JacksonModule> getModules(
ClassLoader loader,
BasicPolymorphicTypeValidator.Builder validatorBuilder);
}
class CoreJacksonModule extends SecurityJacksonModule {
CoreJacksonModule();
void setupModule(SetupContext context);
}Key Methods:
getModules() - Returns all Spring Security Jackson modulesCoreJacksonModule - Registers mixins for core security typesSecurityJacksonModules.Ahead-of-Time (AOT) compilation and GraalVM native image support through runtime hints registration.
package org.springframework.security.aot.hint;
interface SecurityHintsRegistrar {
void registerHints(RuntimeHints hints,
ConfigurableListableBeanFactory beanFactory);
}
class AuthorizeReturnObjectHintsRegistrar implements SecurityHintsRegistrar {
AuthorizeReturnObjectHintsRegistrar(AuthorizationProxyFactory proxyFactory,
Class<?>... classes);
}
class PrePostAuthorizeHintsRegistrar implements SecurityHintsRegistrar {
void registerHints(RuntimeHints hints,
ConfigurableListableBeanFactory beanFactory);
}Key Methods:
registerHints() - Registers runtime hints for native image compilationAuthorizeReturnObjectHintsRegistrar - Registers hints for @AuthorizeReturnObject proxiesPrePostAuthorizeHintsRegistrar - Registers hints for method security expressions