3. Getting Spring Security
Prev Part I. Preface Next

3. Getting Spring Security

You can get hold of Spring Security in several ways. You can download a packaged distribution from the main Spring Security page, download individual jars from the Maven Central repository (or a Spring Maven repository for snapshot and milestone releases) or, alternatively, you can build the project from source yourself.

3.1 Release Numbering

Spring Security versions are formatted as MAJOR.MINOR.PATCH such that

  • MAJOR versions may contain breaking changes. Typically these are done to provide improved security to match modern security practices.
  • MINOR versions contain enhancements, but are considered passive updates
  • PATCH level should be perfectly compatible, forwards and backwards, with the possible exception of changes which are to fix bugs

3.2 Usage with Maven

A minimal Spring Security Maven set of dependencies typically looks like the following:

pom.xml.  

<dependencies>
    <!-- ... other dependency elements ... -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.1.0.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.1.0.RELEASE</version>
    </dependency>
</dependencies>

If you are using additional features like LDAP, OpenID, etc. you will need to also include the appropriate Chapter 4, Project Modules.

3.2.1 Maven Repositories

All GA releases (i.e. versions ending in .RELEASE) are deployed to Maven Central, so no additional Maven repositories need to be declared in your pom.

If you are using a SNAPSHOT version, you will need to ensure you have the Spring Snapshot repository defined as shown below:

pom.xml.  

<repositories>
    <!-- ... possibly other repository elements ... -->
    <repository>
        <id>spring-snapshot</id>
        <name>Spring Snapshot Repository</name>
        <url>http://repo.spring.io/snapshot</url>
    </repository>
</repositories>

If you are using a milestone or release candidate version, you will need to ensure you have the Spring Milestone repository defined as shown below:

pom.xml.  

<repositories>
    <!-- ... possibly other repository elements ... -->
    <repository>
        <id>spring-milestone</id>
        <name>Spring Milestone Repository</name>
        <url>http://repo.spring.io/milestone</url>
    </repository>
</repositories>

3.2.2 Spring Framework BOM

Spring Security builds against Spring Framework 5.1.0.RELEASE, but should work with 5 The problem that many users will have is that Spring Security’s transitive dependencies resolve Spring Framework 5.1.0.RELEASE which can cause strange classpath problems.

One (tedious) way to circumvent this issue would be to include all the Spring Framework modules in a <dependencyManagement> section of your pom. An alternative approach is to include the spring-framework-bom within your <dependencyManagement> section of your pom.xml as shown below:

pom.xml.  

<dependencyManagement>
    <dependencies>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-framework-bom</artifactId>
        <version>5.1.0.RELEASE</version>
        <type>pom</type>
        <scope>import</scope>
    </dependency>
    </dependencies>
</dependencyManagement>

This will ensure that all the transitive dependencies of Spring Security use the Spring 5.1.0.RELEASE modules.

[Note]Note

This approach uses Maven’s "bill of materials" (BOM) concept and is only available in Maven 2.0.9+. For additional details about how dependencies are resolved refer to Maven’s Introduction to the Dependency Mechanism documentation.

3.3 Gradle

A minimal Spring Security Gradle set of dependencies typically looks like the following:

build.gradle.  

dependencies {
    compile 'org.springframework.security:spring-security-web:5.1.0.RELEASE'
    compile 'org.springframework.security:spring-security-config:5.1.0.RELEASE'
}

If you are using additional features like LDAP, OpenID, etc. you will need to also include the appropriate Chapter 4, Project Modules.

3.3.1 Gradle Repositories

All GA releases (i.e. versions ending in .RELEASE) are deployed to Maven Central, so using the mavenCentral() repository is sufficient for GA releases.

build.gradle.  

repositories {
    mavenCentral()
}

If you are using a SNAPSHOT version, you will need to ensure you have the Spring Snapshot repository defined as shown below:

build.gradle.  

repositories {
    maven { url 'https://repo.spring.io/snapshot' }
}

If you are using a milestone or release candidate version, you will need to ensure you have the Spring Milestone repository defined as shown below:

build.gradle.  

repositories {
    maven { url 'https://repo.spring.io/milestone' }
}

3.3.2 Using Spring 4.0.x and Gradle

By default Gradle will use the newest version when resolving transitive versions. This means that often times no additional work is necessary when running Spring Security 5.1.0.RELEASE with Spring Framework 5.1.0.RELEASE. However, at times there can be issues that come up so it is best to mitigate this using Gradle’s ResolutionStrategy as shown below:

build.gradle.  

configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.springframework') {
            details.useVersion '5.1.0.RELEASE'
        }
    }
}

This will ensure that all the transitive dependencies of Spring Security use the Spring 5.1.0.RELEASE modules.

[Note]Note

This example uses Gradle 1.9, but may need modifications to work in future versions of Gradle since this is an incubating feature within Gradle.

Prev Up Next
2. What’s New in Spring Security 5.1 Home 4. Project Modules