
Which artifact represents spring security


When I read this CVE https://nvd.nist.gov/vuln/detail/CVE-2023-34034 it says that it affects Spring Security. And on the official Spring website they say this CVE affects Spring Security: https://spring.io/security/cve-2023-34034

I am not a developer, so I am not familiar with Spring and its different projects, but I tried to search on Maven online to see the Spring Security artifact and I got a lot of results (see screenshot below).


Why am I doing this? Because I want to know exactly which component is affected by the CVE.

I was expecting to have a specific component that is affected by this CVE (e.g. the spring-security-core artifact), but there are a lot of variations of Spring Security, and again I am not a developer and have no idea what the difference is between each. Furthermore, if it is affecting Spring Security, does that mean that if I am using Spring Boot or Spring Framework then I am not affected?


Solution

  • Simple answer: all of the artifacts are Spring Security.

    The Spring ecosystem is modular, meaning that you only pull in what is needed for your specific application.

    core

    The base package that is always needed for all applications that want to use Spring Security (always needed).

    web

    If you want to secure web-related endpoints like REST, WebSockets, etc.

    config

    If you want to be able to configure your security (basically always needed).

    crypto

    Says what it is: contains crypto-related functions, algorithms, handling of certificates, etc.

    test

    Contains all the testing tools to be able to write unit tests and other types of tests for Spring Security.

    Spring Framework vs Spring Boot

    Spring started out as a basic framework that handled dependency injection in servlet containers like Tomcat, Jetty, etc.

    So it was basically just a library that you could use in your application, and then you deployed your application onto a server.

    Then Spring created Spring Boot, which took the framework and embedded a server into the package, so you could get an entire application including a server in one lean package.

    So before Boot, you only had an application that needed to be deployed on a server.

    With Boot, you basically get the server packaged into your application.

    The framework is the fundamental set of packages that Spring is based upon, for instance spring-framework-core. Then they used that package and built Spring Boot by including a server in the package (very simplified). Then if you want to have REST endpoints you include, for instance, spring-web. And if you want security you include spring-security-core and spring-security-web.

    Instead of pulling in packages manually, Spring created starters, for instance spring-security-starter, which will pull in the necessary dependencies for you.
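To turn "all of the artifacts are Spring Security" into something you can check in a build, here is an added example (not from the question or the answer) that parses `mvn dependency:tree` output and lists every artifact of the `org.springframework.security` group with its version and scope. The sample tree, the versions in it and the affected version range are constructed placeholders; the real range comes from the advisory linked in the question.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not from the original post).
# Coordinates are group:artifact:type[:classifier]:version[:scope].
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:3.1.1:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:6.1.1:compile
[INFO] |  |  \\- org.springframework.security:spring-security-core:jar:6.1.1:compile
[INFO] |  |     \\- org.springframework.security:spring-security-crypto:jar:6.1.1:compile
[INFO] |  \\- org.springframework.security:spring-security-web:jar:6.1.1:compile
[INFO] +- org.springframework:spring-webflux:jar:6.0.10:compile
[INFO] \\- org.springframework.security:spring-security-test:jar:6.1.1:test
"""

# Tree-drawing prefix (| + - \ and spaces), then the Maven coordinates.
DEP_LINE = re.compile(r"^\[INFO\]\s*[|+\\\-\s]*([\w.\-]+(?::[^\s:]+){3,5})\s*$")

def parse_dependency_tree(text):
    """Return (group, artifact, version, scope) for every dependency line."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        # 4 fields: root, no scope; 5: type:version:scope; 6: type:classifier:version:scope
        version = parts[4] if len(parts) == 6 else parts[3]
        scope = parts[-1] if len(parts) >= 5 else None
        deps.append((parts[0], parts[1], version, scope))
    return deps

def spring_security_artifacts(deps):
    """All artifacts of the org.springframework.security group: (artifact, version, scope)."""
    return sorted((a, v, s) for g, a, v, s in deps if g == "org.springframework.security")

def version_key(version):
    """Numeric tuple for a dotted version; a qualifier such as -SNAPSHOT is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))

# PLACEHOLDER inclusive range, constructed for illustration: substitute the
# affected versions published in the advisory linked from the question.
PLACEHOLDER_AFFECTED_RANGES = [("6.1.0", "6.1.1")]

def affected_artifacts(deps, ranges=PLACEHOLDER_AFFECTED_RANGES):
    """Spring Security artifacts whose version lies inside one of the ranges."""
    return [(a, v, s) for a, v, s in spring_security_artifacts(deps)
            if any(version_key(lo) <= version_key(v) <= version_key(hi) for lo, hi in ranges)]
```

Run `mvn dependency:tree` in the project and feed its output to `parse_dependency_tree` instead of the sample; a starter such as spring-boot-starter-security is itself not in the security group, so the check shows the spring-security-* artifacts it pulled in.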