Spring Security 6 is a major release that introduces several significant changes, especially aligning with Jakarta EE 10 and Spring Framework 6. The most notable shift is the migration from javax.* to jakarta.* namespaces, which has a widespread impact on how security is integrated in modern Spring Boot 3 applications.

⚙️ Why the Shift to Jakarta Security?
The Java EE technologies have now moved to the Eclipse Foundation and are branded as Jakarta EE. As a result:
- All Java EE `javax.*` packages are now `jakarta.*`.
- Libraries like Spring Security had to adopt these changes to stay compatible.
- If you are upgrading from Spring Security 5 to 6, you must refactor imports and dependencies.
📦 Key Dependencies
For a Spring Boot 3 application with Spring Security 6, include the following dependency in pom.xml:
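```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```
Also make sure your project uses:
```xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.x.x</version>
</parent>
```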
🔑 Basic Concepts in Spring Security 6
1. Authentication vs Authorization
- Authentication verifies who you are.
- Authorization verifies what you can do.
Spring Security provides powerful filters and configurations to manage both.
2. SecurityFilterChain
In Spring Security 6, WebSecurityConfigurerAdapter is removed. You now define a SecurityFilterChain bean:
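```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Only users with the ADMIN role may reach /admin/**
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Every other request requires an authenticated user
                .anyRequest().authenticated()
            )
            // Default form-based login page
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```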
3. UserDetailsService and PasswordEncoder
You still need to provide user authentication data via UserDetailsService.
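```java
// Imports for the enclosing @Configuration class (for example SecurityConfig)
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Bean
public UserDetailsService userDetailsService() {
    // In-memory user with a hard-coded password: demo and test use only
    UserDetails user = User.withUsername("user")
            .password(passwordEncoder().encode("password")) // stored as a BCrypt hash
            .roles("USER")
            .build();
    return new InMemoryUserDetailsManager(user);
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
```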
⚠️ Spring Security 6 vs Jakarta Security Differences
| Feature | Spring Security 6 | Jakarta Security |
|---|---|---|
| Package | org.springframework.security.* | jakarta.security.enterprise.* |
| Integration | Seamless with Spring Boot | More general EE security |
| Use Case | Spring apps | Jakarta EE apps |
Spring Security is not a Jakarta Security implementation but aligns with Jakarta EE’s transition. Think of Spring Security 6 as Spring’s way of supporting modern Java EE (Jakarta EE) standards while retaining its flexibility and modularity.
🧪 Testing Spring Security 6
You can use @WithMockUser in your tests:
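```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.springframework.security.test.context.support.WithMockUser;

// mockMvc is a MockMvc instance injected into the test class
@WithMockUser(username = "admin", roles = {"ADMIN"})
@Test
void testAdminAccess() throws Exception {
    mockMvc.perform(get("/admin"))
            .andExpect(status().isOk());
}
```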
Tips for Migrating to Spring Security 6
- Replace all Java EE `javax.*` imports with `jakarta.*`.
- Use `SecurityFilterChain` instead of extending `WebSecurityConfigurerAdapter`.
- Leverage component-based beans instead of overriding methods.
- Keep your dependencies up-to-date with Spring Boot 3 and Spring Framework 6.
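The import rewrite in the first tip only applies to Java EE APIs: packages such as `javax.crypto` and `javax.net.ssl` belong to the JDK and keep their names, so a blind search-and-replace breaks cryptography and TLS code. The following Python audit script is an added example, not part of the original article; its prefix lists are partial and assumed for illustration, and the sample source is constructed.

```python
import re

# Java EE namespaces that were renamed to jakarta.* (partial list, assumed for this example).
MOVED = ("javax.servlet", "javax.persistence", "javax.validation", "javax.annotation",
         "javax.transaction", "javax.inject", "javax.ws.rs", "javax.mail", "javax.jms",
         "javax.websocket", "javax.xml.bind", "javax.security.enterprise",
         "javax.security.auth.message")
# javax.* packages that ship with the JDK and must keep their names (partial list).
JDK = ("javax.annotation.processing", "javax.transaction.xa", "javax.crypto", "javax.net",
       "javax.sql", "javax.naming", "javax.security.auth", "javax.security.cert",
       "javax.xml.parsers", "javax.xml.transform", "javax.xml.crypto", "javax.management")

IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?(javax\.[\w.*]+)\s*;")

def _longest_prefix(name, prefixes):
    """Longest package prefix from `prefixes` that contains `name`, or ''."""
    hits = [p for p in prefixes if name == p or name.startswith(p + ".")]
    return max(hits, key=len, default="")

def classify(name):
    """'migrate' = rename to jakarta.*, 'keep' = JDK package, 'review' = unknown."""
    moved, jdk = _longest_prefix(name, MOVED), _longest_prefix(name, JDK)
    if not moved and not jdk:
        return "review"
    # The most specific prefix wins, e.g. javax.security.auth.message over javax.security.auth.
    return "migrate" if len(moved) > len(jdk) else "keep"

def audit(source):
    """Return (line_no, import_name, verdict, suggested_name) for each javax import."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = IMPORT_RE.match(line)
        if m:
            name = m.group(1)
            verdict = classify(name)
            new = "jakarta" + name[len("javax"):] if verdict == "migrate" else None
            findings.append((no, name, verdict, new))
    return findings

# Constructed sample source file.
SAMPLE = """\
package com.example;
import javax.servlet.http.HttpServletRequest;
import javax.annotation.PostConstruct;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.security.auth.message.AuthException;
import javax.cache.Cache;
import jakarta.validation.Valid;
"""

if __name__ == "__main__":
    for no, name, verdict, new in audit(SAMPLE):
        print(f"line {no}: {name} -> {verdict}" + (f" ({new})" if new else ""))
```

Imports reported as `review` are neither in the rename list nor in the JDK list and need a manual check against the library's own migration notes.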
🏁 Conclusion
Spring Security 6 marks a new era in secure Spring development by adopting the Jakarta EE `jakarta.*` namespaces and embracing a more modular and declarative configuration model. It’s essential to understand these changes to develop secure, modern Java applications.
Use Spring Security 6 with the `jakarta.*` namespaces as your go-to setup for all new Spring Boot 3 applications.