All Packages
Package Summary
Core access-control related code, including security metadata related classes,
 interception code, access control annotations, EL support and voter-based
 implementations of the central AccessDecisionManager interface.
Support for JSR-250 and Spring Security @Secured annotations.
Authorization event and listener classes.
Expression handling code to support the use of Spring-EL based expressions in
 @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter annotations.
Implementation of expression-based method security.
Role hierarchy implementation.
Abstract level security interception classes which are responsible for enforcing the
 configured security constraints for a secure object.
Enforces security for AOP Alliance MethodInvocations, such as via Spring AOP.
Enforces security for AspectJ JoinPoints, delegating secure object
 callbacks to the calling aspect.
Provides SecurityMetadataSource implementations for securing Java method
 invocations via different AOP libraries.
Contains the infrastructure classes for handling the @PreAuthorize,
 @PreFilter, @PostAuthorize and @PostFilter annotations.
Implements a vote-based approach to authorization decisions.
The Spring Security ACL package which implements instance-based security for domain
 objects.
After-invocation providers for collection and array filtering.
Basic implementation of access control lists (ACLs) interfaces.
JDBC-based persistence of ACL information
Interfaces and shared classes to manage access control lists (ACLs) for domain object
 instances.
Core classes and interfaces related to user authentication, which are used throughout
 Spring Security.
An AuthenticationProvider which relies upon a data access object.
Authentication success and failure events which can be published to the Spring
 application context.
An authentication provider for JAAS.
JAAS authentication events which can be published to the Spring application context by
 the JAAS authentication provider.
An in memory JAAS implementation.
Spring Security support for Apereo's Central Authentication Service
 (CAS).
An AuthenticationProvider that can process CAS service tickets and proxy
 tickets.
Jackson 3+ serialization support for CAS.
Jackson 2 support for CAS.
UserDetails abstractions for CAS.
Authenticates standard web browser users via CAS.
Authentication processing mechanisms which respond to the submission of authentication
 credentials using CAS.
Support classes for the Spring Security namespace.
Parsing of <authentication-manager> and related elements.
Parsing of the <http> namespace element.
Security namespace support for LDAP authentication.
Support for parsing of the <global-method-security> and <intercept-methods>
 elements.
Core classes and interfaces related to user authentication and authorization, as well
 as the maintenance of a security context.
The default implementation of the GrantedAuthority interface.
Strategies for mapping a list of attributes (such as roles or LDAP groups) to a list of
 GrantedAuthoritys.
Classes related to the establishment of a security context for the duration of a
 request (such as an HTTP or RMI invocation).
Session abstraction which is provided by the
 org.springframework.security.core.session.SessionInformation class.
A service for building secure random tokens.
The standard interfaces for implementing user data DAOs.
Implementations of UserCache.
Exposes a JDBC-based authentication repository, implementing
 org.springframework.security.core.userdetails.UserDetailsService.
Exposes an in-memory authentication repository.
Internal codec classes.
AOT integration for Spring Security's Data integration.
Spring Security extensions for Spring Data queries.
Jackson 3+ serialization support.
Jackson 2 serialization support.
Spring Security's LDAP module.
The LDAP authentication provider package.
Jackson 3+ serialization support for LDAP.
Jackson 2 serialization support for LDAP.
Implementation of password policy functionality based on the 
 Password Policy for LDAP Directories.
LdapUserSearch implementations.
Embedded UnboundID Server implementation, as used by the configuration namespace.
LDAP-focused UserDetails implementations which map from a subset of the data
 contained in some of the standard LDAP types (such as InetOrgPerson).
Security expression support for Message.
Authorization support for Message.
Support for establishing the SecurityContext within messaging.
Reactive support for resolving security related arguments.
Support for matching messages.
Support CSRF protection in messages.
Reactive Security CSRF protection.
Core classes and interfaces providing support for OAuth 2.0 Client.
Support classes and interfaces for authenticating and authorizing a client with an
 OAuth 2.0 Authorization Server using a specific authorization grant flow.
Classes and interfaces providing support to the client for initiating requests to the
 Authorization Server's Protocol Endpoints.
Jackson 3+ serialization support for OAuth2 client.
Jackson 2 serialization support for OAuth2 client.
Support classes and interfaces for authenticating and authorizing a client with an
 OpenID Connect 1.0 Provider using a specific authorization grant flow.
Classes and interfaces providing support to the client for initiating requests to the
 OpenID Connect 1.0 Provider's UserInfo Endpoint.
Classes and interfaces that provide support for ClientRegistration.
Classes and interfaces providing support to the client for initiating requests to the
 OAuth 2.0 Authorization Server's UserInfo Endpoint.
OAuth 2.0 Client Filters and supporting classes and interfaces.
Core classes and interfaces providing support for the OAuth 2.0 Authorization
 Framework.
Support classes that model the OAuth 2.0 Request and Response messages from the
 Authorization Endpoint and Token Endpoint.
Core classes and interfaces providing support for OpenID Connect Core 1.0.
Support classes that model the OpenID Connect Core 1.0 Request and Response messages
 from the Authorization Endpoint and Token Endpoint.
Provides a model for an OpenID Connect Core 1.0 representation of a user
 Principal.
Provides a model for an OAuth 2.0 representation of a user Principal.
Core classes and interfaces providing support for JSON Web Signature (JWS).
Core classes and interfaces providing support for JSON Web Token (JWT).
OAuth 2.0 Resource Server core classes and interfaces providing support.
OAuth 2.0 Resource Server Authentications and supporting classes and
 interfaces.
OAuth 2.0 Introspection supporting classes and interfaces.
OAuth 2.0 Resource Server Filters and supporting classes and interfaces.
OAuth 2.0 Resource Server access denial classes and interfaces.
Contains simple user and authority group account provisioning interfaces together with
 a JDBC-based implementation.
Spring Security RSocket APIs.
Spring Security RSocket Authentication integration.
Spring Security RSocket authorization integration.
Spring Security RSocket core integration.
Spring Security RSocket metadata integration.
Spring Security RSocket matching APIs.
Jackson 3+ serialization support for SAML2.
Jackson 2 serialization support for SAML2.
Security related tag libraries that can be used in JSPs and templates.
JSP Security tag library implementation.
JSP Security tag library integration with CSRF protection.
Spring Security support managing the SecurityContext.
Support for Framework's Test annotations.
Spring Security support classes for the Spring TestContext Framework.
Spring Security support for testing Spring WebFlux server endpoints via WebTestClient.
Spring Security built-in org.springframework.test.web.servlet.RequestBuilder
 implementations.
Spring Security server-side support for testing Spring MVC applications.
Spring Security built-in MockMvcBuilder implementations.
Spring Security supporting the org.springframework.web.context package, such as
 WebApplicationContext implementations and various utility classes.
General utility classes used throughout the Spring Security framework.
Spring Security's web security module.
Access-control related classes and packages.
Classes that ensure web requests are received over required transport channels.
Implementation of web security expressions.
Enforcement of security for HTTP requests, typically by the URL requested.
Authentication processing mechanisms, which respond to the submission of authentication
 credentials using various protocols (e.g. BASIC, CAS, form login, etc.).
Logout functionality based around a filter which handles a specific logout URL.
Package for One Time Token usage.
Classes for Password APIs.
Support for "pre-authenticated" scenarios, where Spring Security assumes the incoming
 request has already been authenticated by some externally configured system.
Pre-authentication support for container-authenticated requests.
Websphere-specific pre-authentication classes.
X.509 client certificate authentication support.
Support for remembering a user between different web sessions.
Strategy interface and implementations for handling session-related behaviour for a
 newly authenticated user.
Provides HTTP-based "switch user" (su) capabilities.
Authentication user-interface rendering code.
WWW-Authenticate based authentication mechanism implementations: Basic and Digest
 authentication.
Annotations for binding web security APIs.
Support for binding web security APIs.
Classes which are responsible for maintaining the security context between HTTP
 requests.
Async request context APIs.
Async support for request context.
APIs for protection against CSRF attacks.
APIs for debugging web security.
APIs for web security firewall support.
APIs for writing security HTTP Headers.
APIs for writing security HTTP Headers.
APIs for writing security HTTP Headers related to frame options.
HTTP based security APIs.
Makes a JAAS Subject available as the current Subject.
Jackson 3+ serialization support for web.
Jackson 2 serialization support for web.
Support for Spring Framework's handler method processing.
Support for Spring Framework's reactive handler method processing.
Support for Spring Framework's reactive view processing.
Classes related to the caching of an HttpServletRequest which requires
 authentication.
WebFlux Spring Security support.
Reactive web Authorization APIs.
Reactive logout APIs.
Reactive OTT APIs.
Reactive web OTT APIs.
Reactive web context APIs.
Reactive APIs for protecting against CSRF attacks.
Reactive HTTP Firewall APIs.
Reactive APIs for adding HTTP Header based security.
Jackson 3+ serialization support for reactive web server.
Jackson 2 serialization support for reactive web server.
Reactive support for saving requests (to replay them after interrupted by security
 workflows like authentication).
WebFlux based transport security.
Support for rendering UIs (e.g.
Reactive APIs for matching requests which are used for, among other things, mapping
 authorization rules.
CSRF support classes for Spring's web MVC framework.
Integration with Spring Framework's support for matching HTTP request paths.
Populates a Servlet request with a new Spring Security compliant
 HttpServletRequestWrapper.
Session management filters, HttpSession events and publisher classes.
Spring Security HTTP transport support.
Web utility classes.
Servlet APIs for matching requests which are used for, among other things, mapping
 authorization rules.
WebAuthn APIs.
WebAuthn Authentication support.
WebAuthn Jackson Support.
Management of the WebAuthn APIs.
WebAuthn Registration support.