
Introduction to Spring Security


Slides used at the Singapore Spring User Group on July 3rd

Michael Isvy

July 03, 2014

Transcript

  1. © Copyright 2014 Pivotal. All rights reserved.

     Spring Security: Web Application Security
     Vinit Kumar, Michael Isvy
  2. Configuration in the Application Context

     • Spring configuration
     • Using Spring Security's "Security" namespace

         <beans>
           <security:http use-expressions="true">
             <security:intercept-url pattern="/accounts/**"
                 access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" />
             <security:form-login login-page="/login.htm"/>
             <security:logout logout-success-url="/index.html"/>
           </security:http>
         </beans>

       (Spring configuration file; pattern="/accounts/**" matches all URLs starting with /accounts/, an ANT-style path)
  3. Configuration in web.xml

     • Define the single proxy filter
       – springSecurityFilterChain is a mandatory name
       – Refers to an existing Spring bean with the same name

         <filter>
           <filter-name>springSecurityFilterChain</filter-name>
           <filter-class>
             org.springframework.web.filter.DelegatingFilterProxy
           </filter-class>
         </filter>
         <filter-mapping>
           <filter-name>springSecurityFilterChain</filter-name>
           <url-pattern>/*</url-pattern>
         </filter-mapping>

       (web.xml)
  4. Intercept-url and Expression Language

     • Expression Language provides more flexibility
       – Many built-in expressions available
       – Expression Language needs to be enabled explicitly (use-expressions="true")

         <beans>
           <security:http use-expressions="true">
             <security:intercept-url pattern="/accounts/edit*"
                 access="hasRole('ROLE_ADMIN')" />
             <security:intercept-url pattern="/accounts/account*"
                 access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" />
             <security:intercept-url pattern="/accounts/**"
                 access="isAuthenticated() and hasIpAddress('192.168.1.0/24')" />
           </security:http>
         </beans>

       (Spring configuration file)
  5. Specifying login and logout

         <beans ...>
           <!-- Exempt login page (Spring Security 3.1) -->
           <security:http pattern="/accounts/login" security="none"/>
           <security:http use-expressions="true">
             <!-- Specify login options -->
             <security:form-login login-page="/accounts/login"
                 default-target-url="/accounts/home"/>
             <security:intercept-url pattern="/accounts/update*"
                 access="hasAnyRole('ROLE_ADMIN', 'ROLE_MANAGER')" />
             <security:intercept-url pattern="/accounts/**"
                 access="hasRole('ROLE_ADMIN')" />
             <!-- Must be declared explicitly or no logout possible -->
             <security:logout logout-success-url="/home.html"/>
           </security:http>
           ...

       (Spring configuration file)
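The intercept-url rules on slides 2, 4 and 5 are evaluated top to bottom, and the first pattern that matches the request decides. The plain-Java program below is an added example, not code from the slides or from Spring Security itself: the Ant-style matcher, the hasRole/hasAnyRole/isAuthenticated/hasIpAddress functions and the first-match loop are simplified stand-ins written here, and the requests are constructed. It also shows the ordering pitfall: a broad /accounts/** rule placed first shadows the narrower rules behind it. Records require Java 16 or later.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added example (not from the slides or from Spring Security): a small model
// of how an ordered list of <security:intercept-url> rules is evaluated.
public class InterceptUrlDemo {

    // The request attributes the access expressions on the slides look at.
    record Request(String path, boolean authenticated, Set<String> roles, String ip) {}

    interface Access { boolean granted(Request r); }

    static Access hasRole(String role) { return r -> r.roles().contains(role); }
    static Access hasAnyRole(String... roles) { return r -> Arrays.stream(roles).anyMatch(r.roles()::contains); }
    static Access isAuthenticated() { return Request::authenticated; }
    static Access and(Access a, Access b) { return r -> a.granted(r) && b.granted(r); }

    // IPv4 CIDR check, e.g. hasIpAddress("192.168.1.0/24")
    static Access hasIpAddress(String cidr) {
        String[] parts = cidr.split("/");
        int network = ipv4ToInt(parts[0]);
        int bits = parts.length > 1 ? Integer.parseInt(parts[1]) : 32;
        int mask = bits == 0 ? 0 : -1 << (32 - bits);
        return r -> (ipv4ToInt(r.ip()) & mask) == (network & mask);
    }

    static int ipv4ToInt(String ip) {
        int v = 0;
        for (String octet : ip.split("\\.")) v = (v << 8) | Integer.parseInt(octet);
        return v;
    }

    // Ant-style pattern to regex: '**' spans path segments, '*' stays within one
    // segment, '?' is one character. Simplified: Spring's AntPathMatcher also
    // lets "/accounts/**" match "/accounts" without the trailing slash.
    static Pattern antToRegex(String ant) {
        StringBuilder re = new StringBuilder("^");
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c == '*' && i + 1 < ant.length() && ant.charAt(i + 1) == '*') { re.append(".*"); i++; }
            else if (c == '*') re.append("[^/]*");
            else if (c == '?') re.append("[^/]");
            else re.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(re.append('$').toString());
    }

    record Rule(Pattern pattern, String text, Access access) {
        static Rule of(String ant, String text, Access access) { return new Rule(antToRegex(ant), text, access); }
    }

    // The first rule whose pattern matches decides, like the ordered
    // <security:intercept-url> elements. A URL matching no rule is left
    // unsecured here, so a catch-all pattern should close the list.
    static String decide(List<Rule> rules, Request req) {
        for (Rule rule : rules) {
            if (rule.pattern().matcher(req.path()).matches()) {
                return (rule.access().granted(req) ? "GRANTED by " : "DENIED by ") + rule.text();
            }
        }
        return "NO RULE (unsecured)";
    }

    public static void main(String[] args) {
        // The three rules of slide 4, in the slide's order.
        List<Rule> rules = List.of(
            Rule.of("/accounts/edit*", "hasRole('ROLE_ADMIN')", hasRole("ROLE_ADMIN")),
            Rule.of("/accounts/account*", "hasAnyRole('ROLE_ADMIN','ROLE_USER')", hasAnyRole("ROLE_ADMIN", "ROLE_USER")),
            Rule.of("/accounts/**", "isAuthenticated() and hasIpAddress('192.168.1.0/24')",
                    and(isAuthenticated(), hasIpAddress("192.168.1.0/24"))));

        // Constructed requests from a logged-in ROLE_USER.
        Request lanUser = new Request("/accounts/edit1", true, Set.of("ROLE_USER"), "192.168.1.7");
        System.out.println(decide(rules, lanUser));
        System.out.println(decide(rules, new Request("/accounts/account1", true, Set.of("ROLE_USER"), "10.0.0.5")));
        System.out.println(decide(rules, new Request("/accounts/report", true, Set.of("ROLE_USER"), "10.0.0.5")));
        System.out.println(decide(rules, new Request("/accounts/report", true, Set.of("ROLE_USER"), "192.168.1.7")));

        // Ordering pitfall: with the broad /accounts/** rule first, the narrower
        // edit* rule is never reached and the LAN user is granted /accounts/edit1.
        List<Rule> shadowed = new ArrayList<>(rules);
        Collections.reverse(shadowed);
        System.out.println(decide(shadowed, lanUser));
    }
}
```

Running it shows the edit page denied to the ROLE_USER, the account page granted, the report page granted only from the 192.168.1.0/24 range, and the same user granted the edit page once the rule order is reversed; that last line is the reason the most specific intercept-url patterns go first.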
  6. Configure Authentication

     • DAO Authentication provider is the default
       – Expects a UserDetailsService implementation to provide credentials and authorities
         • Built-in: In-memory (properties), JDBC (database), LDAP
         • Custom
     • Or define your own Authentication provider
       – Example: to get pre-authenticated user details when using single sign-on
         • CAS, TAM, SiteMinder ...
       – See online examples
  7. Setting up User Login

     • Default auth. provider assumes form-based login
       – This is web security after all
       – Must specify the form-login element
       – A basic form is provided
       – Configure to use your own login-page

         <security:http>
           <security:form-login/>
           …
         </security:http>
         <security:authentication-manager>
           <security:authentication-provider>
             ...
           </security:authentication-provider>
         </security:authentication-manager>
  8. An Example Login Page

         <form action="<c:url value='j_spring_security_check'/>" method="POST">
           <input type="text" name="j_username"/> <br/>
           <input type="password" name="j_password"/> <br/>
           <input type="submit" name="submit" value="LOGIN"/>
         </form>

       (login-example.jsp)

     • The form action is the URL that indicates an authentication request
     • j_username and j_password are the expected keys for generation of an authentication request token
     • The example above shows the default values (j_spring_security_check, j_username, j_password); all of them can be redefined using <security:form-login/>
  9. The In-Memory User Service

     • Useful for development and testing
       – Note: must restart the system to reload properties

         <security:authentication-manager>
           <security:authentication-provider>
             <security:user-service properties="/WEB-INF/users.properties" />
           </security:authentication-provider>
         </security:authentication-manager>

       (Spring configuration file)

         admin=secret,ROLE_ADMIN,ROLE_MEMBER,ROLE_GUEST
         testuser1=pass,ROLE_MEMBER,ROLE_GUEST
         testuser2=pass,ROLE_MEMBER
         guest=guest,ROLE_GUEST

       (users.properties: login=password, followed by the list of roles separated by commas)
  10. The JDBC User Service (1/2)

     • Queries the RDBMS for users and their authorities
     • Provides default queries
       – SELECT username, password, enabled FROM users WHERE username = ?
       – SELECT username, authority FROM authorities WHERE username = ?
     • Groups also supported
       – groups, group_members, group_authorities tables
       – See online documentation for details
     • Advantage
       – Can modify user info whilst the system is running
  11. The JDBC User Service (2/2)

     • Configuration:

         <beans>
           <security:http>
             …
           </security:http>
           <security:authentication-manager>
             <security:authentication-provider>
               <security:jdbc-user-service data-source-ref="myDatasource" />
             </security:authentication-provider>
           </security:authentication-manager>
         </beans>

       (Spring configuration file)

     • Can customize queries using attributes:
       – users-by-username-query
       – authorities-by-username-query
       – group-authorities-by-username-query
  12. Password Encoding

     • Can encode passwords using a hash
       – sha, md5, …
     • Secure passwords using a well-known string
       – Known as a 'salt', makes brute force attacks harder

       Encoding with salt:

         <security:authentication-provider>
           <security:password-encoder hash="sha-256">
             <security:salt-source system-wide="MySalt" />
           </security:password-encoder>
           <security:user-service properties="/WEB-INF/users.properties" />
         </security:authentication-provider>

       Simple encoding:

         <security:authentication-provider>
           <security:password-encoder hash="sha-256" />
           <security:user-service properties="/WEB-INF/users.properties" />
         </security:authentication-provider>

     • bcrypt is also supported as a hash value
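The following plain-Java program is an added example serving slides 9 and 12 together; it is not code from the slides or from Spring Security. It loads users in the users.properties layout of slide 9, except that the password field holds a hex SHA-256 of the password with the system-wide salt of slide 12 (modelled on the password{salt} concatenation used by Spring Security 3's MessageDigestPasswordEncoder), verifies a submitted password in constant time, and then shows what one system-wide salt does and does not buy compared with a per-user salt. The optional trailing enabled/disabled token is part of Spring's in-memory user format; the accounts and salts are constructed. Records require Java 16 or later.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

// Added example, not from the slides or from Spring Security: an in-memory user
// service in the users.properties layout (slide 9) whose password field holds a
// salted SHA-256 hash (slide 12), plus a look at system-wide versus per-user salt.
public class SaltedUserServiceDemo {

    static final String SYSTEM_WIDE_SALT = "MySalt";   // the <salt-source system-wide="MySalt"/> value

    record User(String name, String encodedPassword, Set<String> roles, boolean enabled) {}

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static String sha256Hex(String input) throws Exception {
        return hex(MessageDigest.getInstance("SHA-256").digest(input.getBytes(StandardCharsets.UTF_8)));
    }

    // Modelled on the password{salt} concatenation of the legacy
    // MessageDigestPasswordEncoder; the digest is hex encoded.
    static String encode(String password, String salt) throws Exception {
        return sha256Hex(password + "{" + salt + "}");
    }

    // Parse "login=password,ROLE_A,ROLE_B[,enabled|disabled]".
    static Map<String, User> loadUsers(String propertiesText) throws Exception {
        Properties props = new Properties();
        props.load(new StringReader(propertiesText));
        Map<String, User> users = new HashMap<>();
        for (String name : props.stringPropertyNames()) {
            List<String> fields = new ArrayList<>(Arrays.asList(props.getProperty(name).split(",")));
            fields.replaceAll(String::trim);
            String encoded = fields.remove(0);
            boolean enabled = true;
            String last = fields.isEmpty() ? "" : fields.get(fields.size() - 1);
            if (last.equalsIgnoreCase("enabled") || last.equalsIgnoreCase("disabled")) {
                enabled = last.equalsIgnoreCase("enabled");
                fields.remove(fields.size() - 1);
            }
            users.put(name, new User(name, encoded, new LinkedHashSet<>(fields), enabled));
        }
        return users;
    }

    // Returns the user when the name exists, the account is enabled and the salted
    // hash of the submitted password matches; the comparison is constant time.
    static Optional<User> authenticate(Map<String, User> users, String name, String password) throws Exception {
        User user = users.get(name);
        if (user == null || !user.enabled()) return Optional.empty();
        byte[] stored = user.encodedPassword().getBytes(StandardCharsets.UTF_8);
        byte[] submitted = encode(password, SYSTEM_WIDE_SALT).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(stored, submitted) ? Optional.of(user) : Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        // Constructed users.properties content with the slide's accounts, hashed.
        String usersProperties = String.join("\n",
                "admin=" + encode("secret", SYSTEM_WIDE_SALT) + ",ROLE_ADMIN,ROLE_MEMBER,ROLE_GUEST",
                "testuser1=" + encode("pass", SYSTEM_WIDE_SALT) + ",ROLE_MEMBER,ROLE_GUEST",
                "testuser2=" + encode("pass", SYSTEM_WIDE_SALT) + ",ROLE_MEMBER",
                "guest=" + encode("guest", SYSTEM_WIDE_SALT) + ",ROLE_GUEST,disabled");
        Map<String, User> users = loadUsers(usersProperties);

        System.out.println("admin/secret -> " + authenticate(users, "admin", "secret").map(User::roles));
        System.out.println("admin/wrong  -> " + authenticate(users, "admin", "wrong").isPresent());
        System.out.println("guest/guest (account disabled) -> " + authenticate(users, "guest", "guest").isPresent());

        // One system-wide salt defeats precomputed tables built for unsalted hashes,
        // but equal passwords still produce equal hashes, so a single guess is
        // checked against every user at once.
        System.out.println("testuser1 and testuser2 share a hash: "
                + users.get("testuser1").encodedPassword().equals(users.get("testuser2").encodedPassword()));

        // A random per-user salt removes that correlation; bcrypt goes further by
        // storing the salt with the hash and making each hash deliberately slow.
        SecureRandom random = new SecureRandom();
        byte[] salt1 = new byte[16], salt2 = new byte[16];
        random.nextBytes(salt1);
        random.nextBytes(salt2);
        System.out.println("same password, per-user salts, equal hashes: "
                + encode("pass", hex(salt1)).equals(encode("pass", hex(salt2))));
    }
}
```

The two boolean lines at the end carry the point of slide 12: with the system-wide salt, testuser1 and testuser2 (both "pass") end up with the same stored value, while with per-user salts they do not, which is why a per-user salt, or bcrypt, is the stronger choice for production.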
  13. Tag library declaration

     • The Spring Security tag library is declared as follows (available since Spring Security 2.0)

         <%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>

       (jsp)
  14. Spring Security's Tag Library

     • Display properties of the Authentication object
     • Hide sections of output based on role

         You are logged in as: <security:authentication property="principal.username"/>

         <security:authorize access="hasRole('ROLE_MANAGER')">
           TOP-SECRET INFORMATION
           Click <a href="/admin/deleteAll">HERE</a> to delete all records.
         </security:authorize>

       (jsp)
  15. The Filter Chain: Summary

     | # | Filter Name | Main Purpose |
     |---|-------------|--------------|
     | 1 | SecurityContextIntegrationFilter (formerly HttpSessionContextIntegrationFilter) | Establishes the SecurityContext and maintains it between HTTP requests |
     | 2 | LogoutFilter | Clears the SecurityContextHolder when logout is requested |
     | 3 | UsernamePasswordProcessingFilter (formerly AuthenticationProcessingFilter) | Puts the Authentication into the SecurityContext on a login request |
     | 4 | ExceptionTranslationFilter | Converts Spring Security exceptions into an HTTP response or redirect |
     | 5 | FilterSecurityInterceptor | Authorizes web requests based on config attributes and authorities |
  16. Custom Filter Chain

     • A filter on the stack may be replaced by a custom filter

         <security:http>
           <security:custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
         </security:http>
         <bean id="myFilter" class="com.mycompany.MySpecialAuthenticationFilter"/>

     • A filter can be added to the chain

         <security:http>
           <security:custom-filter after="FORM_LOGIN_FILTER" ref="myFilter" />
         </security:http>
         <bean id="myFilter" class="com.mycompany.MySpecialFilter"/>
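To make the ordering of slide 15 and the replace/insert options of slide 16 concrete, the program below is an added example in plain Java, not code from the slides or from Spring Security. It runs five toy filters in the order of the summary table, each able to pass the request on or stop the chain, and lets a named slot be replaced (position=) or a filter be inserted directly behind it (after=). The session store, the users, the URLs and the single /accounts/** rule are all constructed; the alias names for the slots follow the slide.

```java
import java.util.*;

// Added example, not from the slides or from Spring Security: a toy filter chain
// that runs the five filters of the summary table in order and lets a named slot
// be replaced (position=) or a filter be inserted behind it (after=), as
// <security:custom-filter> does. Session store, users and URLs are constructed.
public class FilterChainDemo {

    static class Request {
        final String path, sessionId, username, password;
        Request(String path, String sessionId, String username, String password) {
            this.path = path; this.sessionId = sessionId; this.username = username; this.password = password;
        }
    }
    static class Response { int status = 200; String redirect; }
    static class Context { String principal; Set<String> roles = new HashSet<>(); }
    static class AccessDenied extends RuntimeException {}

    interface Filter { void doFilter(Request req, Response res, Context ctx, Runnable next); }

    static final Map<String, Context> SESSIONS = new HashMap<>();   // stand-in for the HttpSession
    static final Map<String, String[]> USERS = Map.of("admin", new String[]{"secret", "ROLE_ADMIN"},
                                                      "bob", new String[]{"pass", "ROLE_USER"});

    static class Chain {
        private final LinkedHashMap<String, Filter> slots = new LinkedHashMap<>();   // insertion order = run order

        Chain add(String position, Filter f) { slots.put(position, f); return this; }

        // position="X": re-putting an existing key keeps its place in a LinkedHashMap
        Chain replace(String position, Filter f) {
            if (!slots.containsKey(position)) throw new IllegalArgumentException("no slot " + position);
            slots.put(position, f);
            return this;
        }

        // after="X": rebuild the ordering with the new filter directly behind X
        Chain insertAfter(String position, String name, Filter f) {
            if (!slots.containsKey(position)) throw new IllegalArgumentException("no slot " + position);
            LinkedHashMap<String, Filter> rebuilt = new LinkedHashMap<>();
            slots.forEach((k, v) -> { rebuilt.put(k, v); if (k.equals(position)) rebuilt.put(name, f); });
            slots.clear();
            slots.putAll(rebuilt);
            return this;
        }

        Response run(Request req) {
            Response res = new Response();
            runFrom(0, new ArrayList<>(slots.values()), req, res, new Context());
            return res;
        }

        private void runFrom(int i, List<Filter> list, Request req, Response res, Context ctx) {
            if (i == list.size()) return;    // end of the chain: the servlet would handle the request here
            list.get(i).doFilter(req, res, ctx, () -> runFrom(i + 1, list, req, res, ctx));
        }
    }

    static Chain standardChain() {
        return new Chain()
            .add("SECURITY_CONTEXT_FILTER", (req, res, ctx, next) -> {       // 1: restore the context from the session
                Context saved = SESSIONS.get(req.sessionId);
                if (saved != null) { ctx.principal = saved.principal; ctx.roles.addAll(saved.roles); }
                next.run();
                SESSIONS.put(req.sessionId, ctx);                            //    and store it again afterwards
            })
            .add("LOGOUT_FILTER", (req, res, ctx, next) -> {                 // 2: clear the context on logout
                if (req.path.equals("/logout")) { ctx.principal = null; ctx.roles.clear(); res.redirect = "/index.html"; return; }
                next.run();
            })
            .add("FORM_LOGIN_FILTER", (req, res, ctx, next) -> {             // 3: authenticate on the login URL
                if (!req.path.equals("/j_spring_security_check")) { next.run(); return; }
                String[] u = req.username == null ? null : USERS.get(req.username);
                if (u != null && u[0].equals(req.password)) { ctx.principal = req.username; ctx.roles.add(u[1]); res.redirect = "/home"; }
                else res.redirect = "/login?error";
            })
            .add("EXCEPTION_TRANSLATION_FILTER", (req, res, ctx, next) -> {  // 4: exception -> redirect or 403
                try { next.run(); }
                catch (AccessDenied e) { if (ctx.principal == null) res.redirect = "/login"; else res.status = 403; }
            })
            .add("FILTER_SECURITY_INTERCEPTOR", (req, res, ctx, next) -> {   // 5: authorize: /accounts/** needs ROLE_ADMIN
                if (req.path.startsWith("/accounts/") && !ctx.roles.contains("ROLE_ADMIN")) throw new AccessDenied();
                next.run();
            });
    }

    public static void main(String[] args) {
        Chain chain = standardChain();
        System.out.println("anonymous /accounts/1 -> redirect " + chain.run(new Request("/accounts/1", "s1", null, null)).redirect);
        chain.run(new Request("/j_spring_security_check", "s1", "bob", "pass"));
        System.out.println("bob /accounts/1 -> status " + chain.run(new Request("/accounts/1", "s1", null, null)).status);
        chain.run(new Request("/j_spring_security_check", "s2", "admin", "secret"));
        System.out.println("admin /accounts/1 -> status " + chain.run(new Request("/accounts/1", "s2", null, null)).status);
        chain.run(new Request("/logout", "s2", null, null));
        System.out.println("admin after logout -> redirect " + chain.run(new Request("/accounts/1", "s2", null, null)).redirect);

        // after="FORM_LOGIN_FILTER": an observing filter that always passes the request on
        chain.insertAfter("FORM_LOGIN_FILTER", "auditFilter", (req, res, ctx, next) -> {
            System.out.println("audit: " + req.path + " as " + ctx.principal);
            next.run();
        });
        System.out.println("chain order: " + chain.slots.keySet());
    }
}
```

The run traces the table: the anonymous request reaches the interceptor, its AccessDenied is translated into a redirect to the login page because no principal is set; bob's request, with a principal but without ROLE_ADMIN, is translated into a 403 instead; admin passes through to the end of the chain; after logout the second filter has cleared the context and the first filter persisted that cleared state, so admin's session is treated as anonymous again. The last line shows the audit filter sitting right behind FORM_LOGIN_FILTER, which is what after="FORM_LOGIN_FILTER" expresses; replace() is the position= case.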