Spring Security features

Question

What security features does Spring provide that are not already provided by the Java EE specs?

In the Java EE specs we have:

1. A range of sevlet security options in the web.xml. Most people will configure basic or form based authentication. They link their Java EE application to an LDAP server - which stores users / groups. Request will be encrypted and come in over HTTPS.
2. Possibility to annotate any EJB and only allow certain roles execute certain methods
3. Ability to check user principle at runtime programmatically

So what security extras does Spring 3.0 give me?

Answer 1

One killer Feature are ACLs!

@See: Spring Security Reference Chapter 17. Domain Object Security (ACLs)

---

And I have the feeling that Spring Security is much easier to customize. For example if you need a User Management where the User can self register and get some of this privileges limitedly and some others after this email address has been confirmed.

Answer 2

Even if you just need some fairly simple authentication, Spring Security provides support for lots of simple but useful features (think of redirecting after logout, redirecting to login page on all URLs, remember-me). With Java EE you'll end up writing this yourself and - possibly - screwing up so you'll have an insecure app.

Spring Security works well with many standards/protocols/etc. out of the box (LDAP, JAAS, X.509). There's also more advanced stuff like SSO or ACLs. And if the standard functionality doesn't suit you, you can customize this fairly easily, often requiring just a little code.

What I also like is that it's fairly non-intrusive, your controller/action/… classes typically don't have to be involved.

That said, if you use it for the first time, it takes some time to set Spring Security up and get used to it.

(Finally, here's their own feature list: http://static.springsource.org/spring-security/site/features.html)