Pattern Spring Security after Spring Data/Cloud

[Crain-32]

Based on conversations and my own experiences getting into Spring Ecosystem, Spring Security stands as a large obstacle in terms of feeling comfortable and productive in the workplace. This is partially because Security as a whole is complex, but also because Spring Security feels split into multiple places.

I'm wondering what the team thinks about expanding the pattern Spring Data/Cloud have?

I know Spring Security Kerebos exists, but then you have Spring Authorization Server outside of the nesting. As a consumer of Spring it feels off, since I'm not sure if I should follow Spring Security's OAuth2 Guide, or Spring Authorization Server's Guide.

I think if Spring Security expanded more into that pattern, potentially even splitting off portions like specific connectors (Spring Data Style), it could improve the readability of the documentation, along with making Spring Security more like other Spring Projects.

[sjohnr]

Hi @Crain-32, thanks for your interest in the project!

Indeed, each Spring project team does some things differently, and the Spring Cloud team manages numerous sub-projects. Historically (and farther back than I go on the team), the philosophy in Spring Security was the opposite, that splitting projects into smaller chunks makes things more difficult, and there have been numerous efforts to consolidate things. This is really a team decision and preference in the end.

Regarding Spring Authorization Server, while it is built on Spring Security, it is intended to be a separate and top-level project for visibility. It could make sense to nest it on the spring.io website, but this likely wouldn't change much. Also, regarding documentation there is an effort underway to link and create navigation to documentation sites across the entire Spring porfolio, that will hopefully address things in a more organic way, so I don't think the way things are organized on spring.io will make much difference. Keep in mind that Spring Security and Spring Authorization Server cover different roles of the OAuth2 landscape, and are complementary, meaning you should read both guides.

Beyond that, I'm not really sure what specifics you're suggesting or how they address any issues with complexity of Spring Security for the community? Regardless, I'll note this suggestion for the team as we are thinking a lot about simplifying right now. But I'm going to close this issue, as I don't see anything actionable. I also don't really see a significant reorganization of modules/projects separate from a larger effort to simplify Spring Security (see theme issue gh-13266). However, I'm happy to have additional discussion with you on this issue if you have further (and more specific) thoughts on this.