Java SDK Spring Security Integration

Spring Security provides a comprehensive authentication and authorization solution for J2EE-based applications.

The Spring Security integration simplifies usage of the OAuth Connector with the Spring Security framework. You can take advantage of this if your application uses Spring Security.

The simplest way to configure a Spring application is to include the fss namespace in your spring-configuration.xml file.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns=""

    <!-- OAuth security config -->
    <fss:oauth logout-from-sfdc="true" />
     <fss:connectionUrl url="URL or a ${Java system property} or ${environment variable}" />

    <!-- Include this bean, if connection URL is in Java system property or environment variable. -->
    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" />

    <!-- Configure Spring Security -->
    <security:anonymous />


The main customizations of interest are:

  • Include the namespace: xmlns:fss=""
  • Specify the schema location for the force-springsecurity XSD
  • Add the <fss:oauth /> tag
  • Add the <security:http /> tag. For more information about this tag, see Spring Security documentation.

The <oauth /> tag requires that you provide OAuth properties using the connectionUrl tag. For example:

    <fss:connectionUrl url="force://;oauth_secret=sampleSecret" />

It is preferable to configure the connection URL as a system property or environment variable rather than setting the URL directly in the connectionUrl tag. We don't recommend specifying the URL directly in your configuration because you should not check your oauth key and secret into version control. These may vary from one environment to another and should be protected.

Instead, set the connection URL as a system property or environment variable and enable the configuration by including the following tag in your spring-configuration.xml file:

<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" />

Set the following in your spring-configuration.xml file:

<!-- Uses the connection URL in the CONNECTION_URL environment variable or Java system property -->
    <fss:connectionUrl url="${CONNECTION_URL}" />

The PropertyPlaceholderConfigurer looks for a CONNECTION_URL Java system property. If that's not found, it looks for a CONNECTION_URL environment variable.

The following attributes are optional for <fss:oauth> in spring-configuration.xml:

Attribute Description
default-login-success A user is redirected to this URL after a successful OAuth logout. The default value is /spring/logoutSuccess
default-logout-success A user is redirected to this URL after a successful OAuth logout. The default value is /spring/logoutSuccess
login-url Navigation to this URL initiates a login sequence. The default value is /spring/login
logout-url Navigation to this URL initiates a logout sequence. The default is /spring/logout
logout-from-sfdc This attribute controls whether a logout from the OAuth application also logs the user out of This logout redirects the user to the logout page so when it is set to true, the default-logout-success URL is ignored. The default value is false.
store-data-in-session Flag that sets whether data about the authenticated user is stored in a server side session or an encrypted browser cookie. The default is false (cookies are used). Sessions should only be used if sticky load balancing is available or if the application runs with a single instance.
store-user-name Flag that sets whether or not the username is stored in the user data. This enables you to avoid storing usernames in browser cookies, but it can be used to prevent storing the username in sessions too. The default value is true.
secure-key-file The name of a secure key file, which must be on the classpath. AES encryption is used to encrypt the data about the authenticated user when it's stored in a browser cookie. This is only used if browser cookie storage is on. If cookies are used and no file is specified, a key is automatically generated. However, this should only be done for development purposes because it will be problematic in a multi-instance deployment since each instance will generate a different key. The key is base-64 encoded.

The following is a sample file for the secure-key-file attribute. Replace yourKeyGoesHere with a secure key. For more information on AES, see Using AES with Java Technology.

# A valid key in base-64 encoding.