Spring Security 6 is a major release that introduces several significant changes, especially aligning with Jakarta EE 10 and Spring Framework 6. The most notable shift is the migration from `javax.*` to `jakarta.*` namespaces, which has a widespread impact on how security is integrated in modern Spring Boot 3 applications.

⚙️ Why the Shift to Jakarta Security?
The Java EE technologies have now moved to the Eclipse Foundation and are branded as Jakarta EE. As a result:
- All Java EE `javax.*` packages are now `jakarta.*`.
- Libraries like Spring Security had to adopt these changes to stay compatible.
- If you are upgrading from Spring Security 5 to 6, you must refactor imports and dependencies.
📦 Key Dependencies
For a Spring Boot 3 application with Spring Security 6, include the following dependency in `pom.xml`:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```

Also make sure your project uses:

```xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.x.x</version>
</parent>
```
🔑 Basic Concepts in Spring Security 6
1. Authentication vs Authorization
- Authentication verifies who you are.
- Authorization verifies what you can do.
Spring Security provides powerful filters and configurations to manage both.
2. SecurityFilterChain
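In Spring Security 6, `WebSecurityConfigurerAdapter` is removed. You now define a `SecurityFilterChain` bean:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // hasRole("ADMIN") checks for the authority ROLE_ADMIN
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // every other request only needs an authenticated user
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```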
3. UserDetailsService and PasswordEncoder
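You still need to provide user authentication data via `UserDetailsService`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Declare these beans inside a @Configuration class such as SecurityConfig.
@Bean
public UserDetailsService userDetailsService() {
    // In-memory demo user; the password is stored as a BCrypt hash.
    UserDetails user = User.withUsername("user")
            .password(passwordEncoder().encode("password"))
            .roles("USER")
            .build();
    return new InMemoryUserDetailsManager(user);
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
```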
⚠️ Spring Security 6 vs Jakarta Security Differences
Feature | Spring Security 6 | Jakarta Security |
---|---|---|
Package | org.springframework.security.* | jakarta.security.enterprise.* |
Integration | Seamless with Spring Boot | More general EE security |
Use Case | Spring apps | Jakarta EE apps |
Spring Security is not a Jakarta Security implementation but aligns with Jakarta EE’s transition. Think of Spring Security 6 as Spring’s way of supporting modern Java EE (Jakarta EE) standards while retaining its flexibility and modularity.
🧪 Testing Spring Security 6
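You can use `@WithMockUser` in your tests:

```java
import org.junit.jupiter.api.Test;
import org.springframework.security.test.context.support.WithMockUser;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Requires the spring-security-test dependency and an injected MockMvc (mockMvc).
@WithMockUser(username = "admin", roles = {"ADMIN"})
@Test
void testAdminAccess() throws Exception {
    mockMvc.perform(get("/admin"))
           .andExpect(status().isOk());
}
```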
Tips for Migrating to Spring Security 6
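- Replace all Java EE `javax.*` imports (for example `javax.servlet.*`) with `jakarta.*`. Packages that ship with the JDK, such as `javax.crypto` and `javax.net.ssl`, keep their names.
- Use `SecurityFilterChain` instead of extending `WebSecurityConfigurerAdapter`.
- Leverage component-based beans instead of overriding methods.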
- Keep your dependencies up-to-date with Spring Boot 3 and Spring Framework 6.
🏁 Conclusion
Spring Security 6 marks a new era in secure Spring development by adopting the `jakarta.*` namespaces and embracing a more modular and declarative configuration model. It's essential to understand these changes to develop secure, modern Java applications.
Use Spring Security 6 on the `jakarta.*` namespaces as your go-to setup for all new Spring Boot 3 applications.