Packages 
Package Description
org.springframework.security.access
Core access-control related code, including security metadata related classes, interception code, access control annotations, EL support and voter-based implementations of the central AccessDecisionManager interface.
org.springframework.security.access.annotation
Support for JSR-250 and Spring Security @Secured annotations.
org.springframework.security.access.event
Authorization event and listener classes.
org.springframework.security.access.expression
Expression handling code to support the use of Spring-EL based expressions in @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter annotations.
org.springframework.security.access.expression.method
Implementation of expression-based method security.
org.springframework.security.access.hierarchicalroles
Role hierarchy implementation.
org.springframework.security.access.intercept
Abstract level security interception classes which are responsible for enforcing the configured security constraints for a secure object.
org.springframework.security.access.intercept.aopalliance
Enforces security for AOP Alliance MethodInvocations, such as via Spring AOP.
org.springframework.security.access.intercept.aspectj
Enforces security for AspectJ JointPoints, delegating secure object callbacks to the calling aspect.
org.springframework.security.access.method
Provides SecurityMetadataSource implementations for securing Java method invocations via different AOP libraries.
org.springframework.security.access.prepost
Contains the infrastructure classes for handling the @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter annotations.
org.springframework.security.access.vote
Implements a vote-based approach to authorization decisions.
org.springframework.security.acls
The Spring Security ACL package which implements instance-based security for domain objects.
org.springframework.security.acls.afterinvocation
After-invocation providers for collection and array filtering.
org.springframework.security.acls.domain
Basic implementation of access control lists (ACLs) interfaces.
org.springframework.security.acls.jdbc
JDBC-based persistence of ACL information
org.springframework.security.acls.model
Interfaces and shared classes to manage access control lists (ACLs) for domain object instances.
org.springframework.security.authentication
Core classes and interfaces related to user authentication, which are used throughout Spring Security.
org.springframework.security.authentication.dao
An AuthenticationProvider which relies upon a data access object.
org.springframework.security.authentication.event
Authentication success and failure events which can be published to the Spring application context.
org.springframework.security.authentication.jaas
An authentication provider for JAAS.
org.springframework.security.authentication.jaas.event
JAAS authentication events which can be published to the Spring application context by the JAAS authentication provider.
org.springframework.security.authentication.jaas.memory
An in memory JAAS implementation.
org.springframework.security.authentication.rcp
Allows remote clients to authenticate and obtain a populated Authentication object.
org.springframework.security.authorization  
org.springframework.security.cas
Spring Security support for Jasig's Central Authentication Service (CAS).
org.springframework.security.cas.authentication
An AuthenticationProvider that can process CAS service tickets and proxy tickets.
org.springframework.security.cas.jackson2  
org.springframework.security.cas.userdetails  
org.springframework.security.cas.web
Authenticates standard web browser users via CAS.
org.springframework.security.cas.web.authentication
Authentication processing mechanisms which respond to the submission of authentication credentials using CAS.
org.springframework.security.concurrent  
org.springframework.security.config
Support classes for the Spring Security namespace.
org.springframework.security.config.annotation  
org.springframework.security.config.annotation.authentication  
org.springframework.security.config.annotation.authentication.builders  
org.springframework.security.config.annotation.authentication.configuration  
org.springframework.security.config.annotation.authentication.configurers.ldap  
org.springframework.security.config.annotation.authentication.configurers.provisioning  
org.springframework.security.config.annotation.authentication.configurers.userdetails  
org.springframework.security.config.annotation.configuration  
org.springframework.security.config.annotation.method.configuration  
org.springframework.security.config.annotation.rsocket  
org.springframework.security.config.annotation.web  
org.springframework.security.config.annotation.web.builders  
org.springframework.security.config.annotation.web.configuration  
org.springframework.security.config.annotation.web.configurers  
org.springframework.security.config.annotation.web.configurers.oauth2.client  
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource  
org.springframework.security.config.annotation.web.configurers.openid  
org.springframework.security.config.annotation.web.configurers.saml2  
org.springframework.security.config.annotation.web.messaging  
org.springframework.security.config.annotation.web.reactive  
org.springframework.security.config.annotation.web.servlet.configuration  
org.springframework.security.config.annotation.web.socket  
org.springframework.security.config.authentication
Parsing of <authentication-manager> and related elements.
org.springframework.security.config.core  
org.springframework.security.config.core.userdetails  
org.springframework.security.config.crypto  
org.springframework.security.config.debug  
org.springframework.security.config.http
Parsing of the <http> namespace element.
org.springframework.security.config.ldap
Security namespace support for LDAP authentication.
org.springframework.security.config.method
Support for parsing of the <global-method-security> and <intercept-methods> elements.
org.springframework.security.config.oauth2.client  
org.springframework.security.config.provisioning  
org.springframework.security.config.web.server  
org.springframework.security.config.websocket  
org.springframework.security.context  
org.springframework.security.converter  
org.springframework.security.core
Core classes and interfaces related to user authentication and authorization, as well as the maintenance of a security context.
org.springframework.security.core.annotation  
org.springframework.security.core.authority
The default implementation of the GrantedAuthority interface.
org.springframework.security.core.authority.mapping
Strategies for mapping a list of attributes (such as roles or LDAP groups) to a list of GrantedAuthoritys.
org.springframework.security.core.context
Classes related to the establishment of a security context for the duration of a request (such as an HTTP or RMI invocation).
org.springframework.security.core.parameters  
org.springframework.security.core.session
Session abstraction which is provided by the org.springframework.security.core.session.SessionInformation SessionInformation class.
org.springframework.security.core.token
A service for building secure random tokens.
org.springframework.security.core.userdetails
The standard interfaces for implementing user data DAOs.
org.springframework.security.core.userdetails.cache
Implementations of UserCache.
org.springframework.security.core.userdetails.jdbc
Exposes a JDBC-based authentication repository, implementing org.springframework.security.core.userdetails.UserDetailsService UserDetailsService.
org.springframework.security.core.userdetails.memory
Exposes an in-memory authentication repository.
org.springframework.security.crypto.argon2  
org.springframework.security.crypto.bcrypt  
org.springframework.security.crypto.codec
Internal codec classes.
org.springframework.security.crypto.encrypt  
org.springframework.security.crypto.factory  
org.springframework.security.crypto.keygen  
org.springframework.security.crypto.password  
org.springframework.security.crypto.scrypt  
org.springframework.security.crypto.util  
org.springframework.security.data.repository.query  
org.springframework.security.jackson2
Mix-in classes to add Jackson serialization support.
org.springframework.security.ldap
Spring Security's LDAP module.
org.springframework.security.ldap.authentication
The LDAP authentication provider package.
org.springframework.security.ldap.authentication.ad  
org.springframework.security.ldap.ppolicy
Implementation of password policy functionality based on the Password Policy for LDAP Directories.
org.springframework.security.ldap.search
LdapUserSearch implementations.
org.springframework.security.ldap.server
Embedded Apache Directory Server implementation, as used by the configuration namespace.
org.springframework.security.ldap.userdetails
LDAP-focused UserDetails implementations which map from a ubset of the data contained in some of the standard LDAP types (such as InetOrgPerson).
org.springframework.security.messaging.access.expression  
org.springframework.security.messaging.access.intercept  
org.springframework.security.messaging.context  
org.springframework.security.messaging.handler.invocation.reactive  
org.springframework.security.messaging.util.matcher  
org.springframework.security.messaging.web.csrf  
org.springframework.security.messaging.web.socket.server  
org.springframework.security.oauth2.client
Core classes and interfaces providing support for OAuth 2.0 Client.
org.springframework.security.oauth2.client.annotation  
org.springframework.security.oauth2.client.authentication
Support classes and interfaces for authenticating and authorizing a client with an OAuth 2.0 Authorization Server using a specific authorization grant flow.
org.springframework.security.oauth2.client.endpoint
Classes and interfaces providing support to the client for initiating requests to the Authorization Server's Protocol Endpoints.
org.springframework.security.oauth2.client.http  
org.springframework.security.oauth2.client.jackson2  
org.springframework.security.oauth2.client.oidc.authentication
Support classes and interfaces for authenticating and authorizing a client with an OpenID Connect 1.0 Provider using a specific authorization grant flow.
org.springframework.security.oauth2.client.oidc.userinfo
Classes and interfaces providing support to the client for initiating requests to the OpenID Connect 1.0 Provider's UserInfo Endpoint.
org.springframework.security.oauth2.client.oidc.web.logout  
org.springframework.security.oauth2.client.oidc.web.server.logout  
org.springframework.security.oauth2.client.registration
Classes and interfaces that provide support for ClientRegistration.
org.springframework.security.oauth2.client.userinfo
Classes and interfaces providing support to the client for initiating requests to the OAuth 2.0 Authorization Server's UserInfo Endpoint.
org.springframework.security.oauth2.client.web
OAuth 2.0 Client Filter's and supporting classes and interfaces.
org.springframework.security.oauth2.client.web.method.annotation  
org.springframework.security.oauth2.client.web.reactive.function.client  
org.springframework.security.oauth2.client.web.reactive.result.method.annotation  
org.springframework.security.oauth2.client.web.server  
org.springframework.security.oauth2.client.web.server.authentication  
org.springframework.security.oauth2.core
Core classes and interfaces providing support for the OAuth 2.0 Authorization Framework.
org.springframework.security.oauth2.core.converter  
org.springframework.security.oauth2.core.endpoint
Support classes that model the OAuth 2.0 Request and Response messages from the Authorization Endpoint and Token Endpoint.
org.springframework.security.oauth2.core.http.converter  
org.springframework.security.oauth2.core.oidc
Core classes and interfaces providing support for OpenID Connect Core 1.0.
org.springframework.security.oauth2.core.oidc.endpoint
Support classes that model the OpenID Connect Core 1.0 Request and Response messages from the Authorization Endpoint and Token Endpoint.
org.springframework.security.oauth2.core.oidc.user
Provides a model for an OpenID Connect Core 1.0 representation of a user Principal.
org.springframework.security.oauth2.core.user
Provides a model for an OAuth 2.0 representation of a user Principal.
org.springframework.security.oauth2.core.web.reactive.function  
org.springframework.security.oauth2.jose  
org.springframework.security.oauth2.jose.jws
Core classes and interfaces providing support for JSON Web Signature (JWS).
org.springframework.security.oauth2.jwt
Core classes and interfaces providing support for JSON Web Token (JWT).
org.springframework.security.oauth2.server.resource
OAuth 2.0 Resource Server core classes and interfaces providing support.
org.springframework.security.oauth2.server.resource.authentication
OAuth 2.0 Resource Server Authentications and supporting classes and interfaces.
org.springframework.security.oauth2.server.resource.introspection
OAuth 2.0 Introspection supporting classes and interfaces.
org.springframework.security.oauth2.server.resource.web
OAuth 2.0 Resource Server Filter's and supporting classes and interfaces.
org.springframework.security.oauth2.server.resource.web.access
OAuth 2.0 Resource Server access denial classes and interfaces.
org.springframework.security.oauth2.server.resource.web.access.server  
org.springframework.security.oauth2.server.resource.web.reactive.function.client  
org.springframework.security.oauth2.server.resource.web.server  
org.springframework.security.openid  
org.springframework.security.provisioning
Contains simple user and authority group account provisioning interfaces together with a a JDBC-based implementation.
org.springframework.security.remoting.dns
DNS resolution.
org.springframework.security.remoting.httpinvoker
Enables use of Spring's HttpInvoker extension points to present the principal and credentials located in the ContextHolder via BASIC authentication.
org.springframework.security.remoting.rmi
Enables use of Spring's RMI remoting extension points to propagate the SecurityContextHolder (which should contain an Authentication request token) from one JVM to the remote JVM.
org.springframework.security.rsocket.api  
org.springframework.security.rsocket.authentication  
org.springframework.security.rsocket.authorization  
org.springframework.security.rsocket.core  
org.springframework.security.rsocket.metadata  
org.springframework.security.rsocket.util.matcher  
org.springframework.security.scheduling  
org.springframework.security.taglibs
Security related tag libraries that can be used in JSPs and templates.
org.springframework.security.taglibs.authz
JSP Security tag library implementation.
org.springframework.security.taglibs.csrf  
org.springframework.security.task  
org.springframework.security.test.context  
org.springframework.security.test.context.annotation  
org.springframework.security.test.context.support  
org.springframework.security.test.web.reactive.server  
org.springframework.security.test.web.servlet.request  
org.springframework.security.test.web.servlet.response  
org.springframework.security.test.web.servlet.setup  
org.springframework.security.test.web.support  
org.springframework.security.util
General utility classes used throughout the Spring Security framework.
org.springframework.security.web
Spring Security's web security module.
org.springframework.security.web.access
Access-control related classes and packages.
org.springframework.security.web.access.channel
Classes that ensure web requests are received over required transport channels.
org.springframework.security.web.access.expression
Implementation of web security expressions.
org.springframework.security.web.access.intercept
Enforcement of security for HTTP requests, typically by the URL requested.
org.springframework.security.web.authentication
Authentication processing mechanisms, which respond to the submission of authentication credentials using various protocols (eg BASIC, CAS, form login etc).
org.springframework.security.web.authentication.logout
Logout functionality based around a filter which handles a specific logout URL.
org.springframework.security.web.authentication.preauth
Support for "pre-authenticated" scenarios, where Spring Security assumes the incoming request has already been authenticated by some externally configured system.
org.springframework.security.web.authentication.preauth.j2ee
Pre-authentication support for container-authenticated requests.
org.springframework.security.web.authentication.preauth.websphere
Websphere-specific pre-authentication classes.
org.springframework.security.web.authentication.preauth.x509
X.509 client certificate authentication support.
org.springframework.security.web.authentication.rememberme
Support for remembering a user between different web sessions.
org.springframework.security.web.authentication.session
Strategy interface and implementations for handling session-related behaviour for a newly authenticated user.
org.springframework.security.web.authentication.switchuser
Provides HTTP-based "switch user" (su) capabilities.
org.springframework.security.web.authentication.ui
Authentication user-interface rendering code.
org.springframework.security.web.authentication.www
WWW-Authenticate based authentication mechanism implementations: Basic and Digest authentication.
org.springframework.security.web.bind.annotation  
org.springframework.security.web.bind.support  
org.springframework.security.web.context
Classes which are responsible for maintaining the security context between HTTP requests.
org.springframework.security.web.context.request.async  
org.springframework.security.web.context.support  
org.springframework.security.web.csrf  
org.springframework.security.web.debug  
org.springframework.security.web.firewall  
org.springframework.security.web.header  
org.springframework.security.web.header.writers  
org.springframework.security.web.header.writers.frameoptions  
org.springframework.security.web.http  
org.springframework.security.web.jaasapi
Makes a JAAS Subject available as the current Subject.
org.springframework.security.web.jackson2
Mix-in classes to provide Jackson serialization support.
org.springframework.security.web.method.annotation  
org.springframework.security.web.reactive.result.method.annotation  
org.springframework.security.web.reactive.result.view  
org.springframework.security.web.savedrequest
Classes related to the caching of an HttpServletRequest which requires authentication.
org.springframework.security.web.server  
org.springframework.security.web.server.authentication  
org.springframework.security.web.server.authentication.logout  
org.springframework.security.web.server.authorization  
org.springframework.security.web.server.context  
org.springframework.security.web.server.csrf  
org.springframework.security.web.server.header  
org.springframework.security.web.server.jackson2  
org.springframework.security.web.server.savedrequest  
org.springframework.security.web.server.transport  
org.springframework.security.web.server.ui  
org.springframework.security.web.server.util.matcher  
org.springframework.security.web.servlet.support.csrf  
org.springframework.security.web.servlet.util.matcher  
org.springframework.security.web.servletapi
Populates a Servlet request with a new Spring Security compliant HttpServletRequestWrapper.
org.springframework.security.web.session
Session management filters, HttpSession events and publisher classes.
org.springframework.security.web.util
Web utility classes.
org.springframework.security.web.util.matcher