On behalf of the community, I'm pleased to announce the release of Spring Security 5.0.0 M1. This release includes bug fixes, new features, and is based off of Spring Framework 5.0.0 RC1. The highlights of the release include:

• Initial Support for Reactive Web Applications
• New Support for OAuth 2.0 and OpenID Connect 1.0

Initial Support for Reactive Web Applications

Following one of the primary themes of Spring Framework 5.0, Spring Security 5.0 will add support for Reactive applications by building on top of Spring's reactive support. The first milestone focused on getting primary infrastructure in place.

A complete example of using Spring Security to secure a Spring WebFlux application can be found in the Spring Security samples at hellowebflux.

A quick highlight of the code can be found below:

@Bean
WebFilter springSecurityFilterChain(ReactiveAuthenticationManager manager) {
  HttpSecurity http = http();
  http.authenticationManager(manager);
  http.httpBasic();

  AuthorizeExchangeBuilder authorize = http.authorizeExchange();
  authorize.antMatchers("/admin/**").hasRole("ADMIN");
  authorize.antMatchers("/users/{user}/**").access(this::currentUserMatchesPath);
  authorize.anyExchange().authenticated();
  return http.build();
}

The code should look familiar if you have used Spring Security's web based authorization support.

One important thing to notice is that in reactive applications access allows for an interface to be injected rather than a String. This allows for lambda's or method references to be used for custom authorization logic. For example, currentUserMatchesPath looks like this:

Mono<AuthorizationDecision> currentUserMatchesPath(
    Mono<Authentication> authentication, AuthorizationContext context) {
  return authentication
    .map( a -> context.getVariables().get("user").equals(a.getName()))
    .map( granted -> new AuthorizationDecision(granted));
}

Obviously we could have just used a lambda rather than a method reference, but this is a little easier to read (especially when there might be more rules).

New Support for OAuth 2.0 and OpenID Connect 1.0

We are very excited to introduce new support for OAuth 2.0 Authorization Framework and OpenID Connect 1.0 in Spring Security 5. The initial support in M1 is primarily focused on the OAuth Client role, providing the capability for authenticating the end-user against an OAuth 2.0 Provider (for example, Facebook) or an OpenID Connect 1.0 Provider (for example, Google).

The OAuth 2.0 Login feature essentially realizes the use case "Login with Google" or "Login with Facebook" and is implemented by leveraging the Authorization Code Grant flow, as specified in the OAuth 2.0 Authorization Framework.

The best place to start learning on how to use OAuth 2.0 Login is to follow the guide and associated sample. The guide will walk you through setting up OAuth 2.0 Login with Google, GitHub, Facebook and Okta.

The Future of OAuth in Spring Security

Support for OAuth is currently spread out in the following Spring projects:

• Spring Security OAuth
• Spring Social
• Spring Cloud Security
• Spring Boot's OAuth2 SSO Support

With Spring Security 5, the main direction going forward is to build first-class support for OAuth 2.0 Authorization Framework, OpenID Connect 1.0, JWT, and JOSE (JWS/JWE/JWK) into Spring Security proper. The goal is to have Spring Security "house" the core logic for the lower-level protocol flows, for example, the "authorization code grant" flow, which would then be reused by the various Spring projects requiring it, such as, Spring Social. A lot of the protocol flow logic has already been implemented in Spring Security OAuth, however, the decision was made to do a re-write as we incorporate it into Spring Security proper. That being said, the Spring Security OAuth project is in maintenance mode as we are limiting new features and focusing on bug fixes and minor enhancements only. Our efforts going forward will be focused on building out the support within Spring Security.

The ultimate goal with the new support for OAuth 2.0 and OpenID Connect 1.0 is to provide an easy-to-use abstraction on top of the lower-level protocol flows that are inherently complex. In order to move quickly and stay current, we are leveraging Nimbus OAuth 2.0 and OIDC SDK for our internal implementation. As a key preliminary step before we proceeded with the re-write, we researched and evaluated existing OAuth 2.0 and OpenID Connect 1.0 Java libraries available in the open source community and documented our findings here. As a result of this evaluation phase, we found Nimbus OAuth 2.0 and OIDC SDK to be the most mature and comprehensive Java library available today as it provides extensive support for all the relevant specifications.

In the upcoming 5.0.0 M2 release we plan to build further support for reactive based security and OAuth 2.0 and OpenID Connect 1.0. We would greatly appreciate any feedback on these new features and if you have anything that you would like prioritized, please create an issue.

Project Site | Reference | Guides | Help