the Application Context

• Spring configuration
• Using Spring Security's "security" namespace

Spring configuration file:

```xml
<beans>
  <security:http use-expressions="true">
    <security:intercept-url pattern="/accounts/**"
        access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" />
    <security:form-login login-page="/login.htm"/>
    <security:logout logout-success-url="/index.html"/>
  </security:http>
</beans>
```

The pattern /accounts/** matches all URLs starting with /accounts/ (Ant-style path).
web.xml

• Define the single proxy filter
  – springSecurityFilterChain is a mandatory name
  – Refers to an existing Spring bean with the same name
  – Map it to /*: a URL outside the filter mapping never reaches the security filter chain at all

web.xml:

```xml
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
Expression Language

• Expression Language provides more flexibility
  – Many built-in expressions available
  – Must be enabled explicitly with use-expressions="true"
• intercept-url rules are evaluated in order and the first matching pattern wins, so list the most specific patterns first (as below); a catch-all such as /accounts/** placed first would make the rules after it unreachable
• hasIpAddress() checks the request's remote address; behind a reverse proxy that is the proxy's address, so such a rule only works if forwarded client addresses are handled correctly

Spring configuration file:

```xml
<beans>
  <security:http use-expressions="true">
    <security:intercept-url pattern="/accounts/edit*"
        access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/accounts/account*"
        access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" />
    <security:intercept-url pattern="/accounts/**"
        access="isAuthenticated() and hasIpAddress('192.168.1.0/24')" />
  </security:http>
</beans>
```
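To make the first-match rule concrete, here is an added example (not from the slides and not Spring's own code) that models how an ordered list of intercept-url rules is evaluated. The Ant-style matcher is a deliberately simplified reimplementation rather than Spring's AntPathMatcher, and the small predicate functions stand in for the SpEL expressions hasRole(), hasAnyRole(), isAuthenticated() and hasIpAddress(). It runs the slide's three rules in the correct order and with the catch-all moved to the front, showing that the mis-ordered version lets a plain ROLE_USER reach /accounts/edit.

```python
"""Added example: first-match evaluation of ordered <intercept-url> rules.
Simplified reimplementation for illustration, not Spring's AntPathMatcher."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass
class Request:
    path: str
    roles: Set[str] = field(default_factory=set)   # empty set = anonymous user
    remote_addr: str = "127.0.0.1"


Check = Callable[[Request], bool]


def ant_to_regex(pattern: str) -> "re.Pattern":
    """Translate an Ant-style pattern: '**' spans path segments, '*' and '?'
    stay inside one segment, and a trailing '/**' also matches the bare prefix."""
    out, i = "", 0
    while i < len(pattern):
        if pattern[i:] == "/**":
            out += "(?:/.*)?"
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


# Stand-ins for the SpEL access expressions used on the slide.
def has_role(role: str) -> Check:
    return lambda req: role in req.roles


def has_any_role(*roles: str) -> Check:
    return lambda req: bool(req.roles.intersection(roles))


def is_authenticated() -> Check:
    return lambda req: bool(req.roles)


def has_ip_address(cidr: str) -> Check:
    network = ipaddress.ip_network(cidr)
    # Only the remote address is consulted: behind a reverse proxy this is the proxy's IP.
    return lambda req: ipaddress.ip_address(req.remote_addr) in network


def both(a: Check, b: Check) -> Check:
    return lambda req: a(req) and b(req)


def decide(rules: List[Tuple[str, Check]], req: Request) -> bool:
    """True if access is granted. Rules are tried in order; the first pattern
    that matches decides. A URL no rule covers is public, which is the
    FilterSecurityInterceptor default."""
    for pattern, check in rules:
        if ant_to_regex(pattern).match(req.path):
            return check(req)
    return True


# The slide's rules, most specific pattern first.
CORRECT_ORDER: List[Tuple[str, Check]] = [
    ("/accounts/edit*", has_role("ROLE_ADMIN")),
    ("/accounts/account*", has_any_role("ROLE_ADMIN", "ROLE_USER")),
    ("/accounts/**", both(is_authenticated(), has_ip_address("192.168.1.0/24"))),
]
# Same rules with the catch-all first: the two specific rules can never match.
WRONG_ORDER: List[Tuple[str, Check]] = [CORRECT_ORDER[2], CORRECT_ORDER[0], CORRECT_ORDER[1]]


def demo() -> dict:
    """Constructed request: an ordinary user on the internal network tries /accounts/edit."""
    user_edit = Request("/accounts/edit", {"ROLE_USER"}, "192.168.1.10")
    return {
        "user_edits_correct_order": decide(CORRECT_ORDER, user_edit),  # False: admin only
        "user_edits_wrong_order": decide(WRONG_ORDER, user_edit),      # True: the edit rule was shadowed
    }


if __name__ == "__main__":
    print(demo())
```

The mis-ordered configuration fails silently: nothing in the XML is invalid, the application still starts, and the only symptom is that the admin-only rule never fires.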
Authentication Provider

• DAO Authentication provider is the default
  – Expects a UserDetailsService implementation to provide credentials and authorities
    • Built-in: In-memory (properties), JDBC (database), LDAP
    • Custom
• Or define your own Authentication provider
  – Example: to get pre-authenticated user details when using single sign-on
    • CAS, TAM, SiteMinder ...
  – See online examples
User Login

• Default auth. provider assumes form-based login
  – This is web security after all
  – Must specify the form-login element
  – A basic form is provided
  – Configure to use your own login-page

```xml
<security:http>
  <security:form-login/>
  …
</security:http>

<security:authentication-manager>
  <security:authentication-provider>
    ...
  </security:authentication-provider>
</security:authentication-manager>
```
Login Page

login-example.jsp:

```jsp
<form action="<c:url value='j_spring_security_check'/>" method="POST">
  <input type="text" name="j_username"/> <br/>
  <input type="password" name="j_password"/> <br/>
  <input type="submit" name="submit" value="LOGIN"/>
</form>
```

• The form action is the URL that indicates an authentication request (j_spring_security_check)
• j_username and j_password are the expected parameter names from which the authentication request token is generated
• The example shows the default values; all of them can be redefined using <security:form-login/>
User Service

• Useful for development and testing
  – Note: the system must be restarted to reload the properties
  – Passwords in this file are stored in clear text unless a password encoder is configured

Spring configuration file:

```xml
<security:authentication-manager>
  <security:authentication-provider>
    <security:user-service properties="/WEB-INF/users.properties" />
  </security:authentication-provider>
</security:authentication-manager>
```

users.properties (login=password,roles; the list of roles is separated by commas):

```properties
admin=secret,ROLE_ADMIN,ROLE_MEMBER,ROLE_GUEST
testuser1=pass,ROLE_MEMBER,ROLE_GUEST
testuser2=pass,ROLE_MEMBER
guest=guest,ROLE_GUEST
```
JDBC User Service (1/2)

• Queries the RDBMS for users and their authorities
• Provides default queries
  – SELECT username, password, enabled FROM users WHERE username = ?
  – SELECT username, authority FROM authorities WHERE username = ?
• Groups also supported
  – groups, group_members, group_authorities tables
  – See the online documentation for details
• Advantage
  – User info can be modified while the system is running
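The following is an added example, not part of the slides and not Spring Security's own code: it runs the two default user queries above, plus the group-authority join that Spring issues when group support is switched on, against the reference schema (users, authorities, groups, group_members, group_authorities) adapted to an in-memory SQLite database. The sample rows are constructed to mirror the users.properties file shown earlier, except that guest is disabled to exercise the enabled flag. The point a practitioner should take from it: the queries are parameterised (the ? placeholders), authorities are the union of direct and group grants, and because lookups hit the database on every login a row can be changed (here re-enabled) without a restart.

```python
"""Added example: the default JDBC user-service lookup, run against the
reference schema adapted to SQLite. Not Spring Security's own code."""
import sqlite3
from typing import Dict, List, Optional

# Reference schema with HSQLDB-specific types replaced by SQLite equivalents.
SCHEMA = """
create table users (
    username varchar(50) not null primary key,
    password varchar(50) not null,
    enabled  boolean not null);
create table authorities (
    username  varchar(50) not null references users(username),
    authority varchar(50) not null);
create unique index ix_auth_username on authorities (username, authority);
create table groups (
    id integer primary key autoincrement,
    group_name varchar(50) not null);
create table group_authorities (
    group_id  integer not null references groups(id),
    authority varchar(50) not null);
create table group_members (
    id       integer primary key autoincrement,
    username varchar(50) not null,
    group_id integer not null references groups(id));
"""

# The default queries, with ? placeholders (never string concatenation).
USERS_BY_USERNAME = "select username, password, enabled from users where username = ?"
AUTHORITIES_BY_USERNAME = "select username, authority from authorities where username = ?"
GROUP_AUTHORITIES_BY_USERNAME = (
    "select g.id, g.group_name, ga.authority "
    "from groups g, group_members gm, group_authorities ga "
    "where gm.username = ? and g.id = ga.group_id and g.id = gm.group_id"
)


def load_user(conn: sqlite3.Connection, username: str) -> Optional[Dict]:
    """Mirror of the JDBC lookup: None when no user row exists, otherwise the
    password, enabled flag and the union of direct and group authorities."""
    row = conn.execute(USERS_BY_USERNAME, (username,)).fetchone()
    if row is None:
        return None
    authorities = {auth for _, auth in conn.execute(AUTHORITIES_BY_USERNAME, (username,))}
    authorities |= {auth for _, _, auth in conn.execute(GROUP_AUTHORITIES_BY_USERNAME, (username,))}
    return {"username": row[0], "password": row[1], "enabled": bool(row[2]),
            "authorities": sorted(authorities)}


def sample_db() -> sqlite3.Connection:
    """Constructed sample data: same accounts as users.properties on the slide,
    with ROLE_MEMBER and ROLE_GUEST granted through a group for admin and
    testuser1, and guest disabled to show the enabled flag."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into users values (?, ?, ?)", [
        ("admin", "secret", 1), ("testuser1", "pass", 1),
        ("testuser2", "pass", 1), ("guest", "guest", 0)])
    conn.executemany("insert into authorities values (?, ?)", [
        ("admin", "ROLE_ADMIN"), ("testuser2", "ROLE_MEMBER"), ("guest", "ROLE_GUEST")])
    conn.execute("insert into groups (id, group_name) values (1, 'members')")
    conn.executemany("insert into group_authorities values (?, ?)",
                     [(1, "ROLE_MEMBER"), (1, "ROLE_GUEST")])
    conn.executemany("insert into group_members (username, group_id) values (?, ?)",
                     [("admin", 1), ("testuser1", 1)])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = sample_db()
    for name in ("admin", "testuser1", "guest", "nobody"):
        print(name, load_user(db, name))
```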
Password Encoding

• Can encode passwords using a hash
  – sha, md5, … (MD5 and SHA-1 are fast digests with known weaknesses; prefer sha-256 or, better, bcrypt)
• Secure passwords using a well-known string
  – Known as a 'salt'; makes precomputed-table and brute-force attacks harder
  – A system-wide salt is one value shared by every account: identical passwords still produce identical stored hashes, and one table built with that salt covers all users. A per-user salt (for example <security:salt-source user-property="username"/>) or bcrypt, which salts each password itself, is preferable

Simple encoding:

```xml
<security:authentication-provider>
  <security:password-encoder hash="sha-256" />
  <security:user-service properties="/WEB-INF/users.properties" />
</security:authentication-provider>
```

Encoding with salt:

```xml
<security:authentication-provider>
  <security:password-encoder hash="sha-256">
    <security:salt-source system-wide="MySalt" />
  </security:password-encoder>
  <security:user-service properties="/WEB-INF/users.properties" />
</security:authentication-provider>
```

bcrypt: also available as a password-encoder hash value and the recommended choice (configuration not reproduced on this page).
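An added example (not from the slides and not Spring Security's own code) that shows what the shared-salt configuration above actually stores and why it is weaker than a per-user salt. spring_digest() reproduces the merge rule of Spring Security 3.x's MessageDigestPasswordEncoder, which hashes the string password{salt} and hex-encodes the digest; check this against the version you run before relying on it. The per-user variant uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in for bcrypt, and the sample accounts are constructed from the users.properties file shown earlier.

```python
"""Added example: system-wide salt versus per-user salt. spring_digest()
follows the password{salt} rule of Spring Security 3.x's
MessageDigestPasswordEncoder; PBKDF2 stands in for bcrypt."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample mirroring users.properties on the slide.
USERS = {"admin": "secret", "testuser1": "pass", "testuser2": "pass", "guest": "guest"}


def spring_digest(password: str, salt: Optional[str] = None, algorithm: str = "sha256") -> str:
    """Hex digest of password{salt}; with no salt, the plain digest (hash="sha-256")."""
    merged = password if not salt else f"{password}{{{salt}}}"
    return hashlib.new(algorithm, merged.encode("utf-8")).hexdigest()


def encode_shared_salt(users: Dict[str, str], salt: str) -> Dict[str, str]:
    """What <salt-source system-wide="..."/> produces: one salt for everybody."""
    return {name: spring_digest(pw, salt) for name, pw in users.items()}


def duplicate_hash_groups(stored: Dict[str, str]) -> List[List[str]]:
    """Accounts whose stored values are identical, as an attacker holding the
    user table sees them. With a shared salt, equal passwords collide."""
    by_hash: Dict[str, List[str]] = {}
    for name, value in stored.items():
        by_hash.setdefault(value, []).append(name)
    return [sorted(names) for names in by_hash.values() if len(names) > 1]


def encode_per_user(password: str, iterations: int = 100_000) -> str:
    """Random per-user salt plus an iterated hash, stored as salt$iterations$hash
    so that verification can recover both parameters."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_per_user(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    shared = encode_shared_salt(USERS, "MySalt")
    print("accounts sharing a hash under a system-wide salt:", duplicate_hash_groups(shared))
    per_user = {name: encode_per_user(pw) for name, pw in USERS.items()}
    print("accounts sharing a hash with per-user salts:", duplicate_hash_groups(per_user))
```

With the shared salt, testuser1 and testuser2 (both "pass") store the same value, so cracking one cracks both; with per-user salts every stored value is distinct even for identical passwords, and each must be attacked separately.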
Tag Library Declaration

• The Spring Security tag library (available since Spring Security 2.0) is declared as follows

```jsp
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
```
Tag Library

• Display properties of the Authentication object
• Hide sections of output based on role
  – This only hides markup; the URL itself (here /admin/deleteAll) must still be protected by an intercept-url rule or method security, since a user can request it directly

```jsp
You are logged in as: <security:authentication property="principal.username"/>

<security:authorize access="hasRole('ROLE_MANAGER')">
  TOP-SECRET INFORMATION
  Click <a href="/admin/deleteAll">HERE</a> to delete all records.
</security:authorize>
```
Filter Chain: Summary

#  Filter name                           Main purpose
1  SecurityContextPersistenceFilter      Establishes the SecurityContext and maintains it between HTTP requests
                                         (formerly HttpSessionContextIntegrationFilter)
2  LogoutFilter                          Clears the SecurityContextHolder when logout is requested
3  UsernamePasswordAuthenticationFilter  Puts an Authentication into the SecurityContext on a login request
                                         (formerly AuthenticationProcessingFilter)
4  ExceptionTranslationFilter            Converts Spring Security exceptions into an HTTP response or redirect
5  FilterSecurityInterceptor             Authorizes web requests based on config attributes and authorities
Filter Chain

• A filter on the stack may be replaced by a custom filter (position attribute)
  – The namespace element that would create the standard filter at that position (here <security:form-login/>) must then be left out, otherwise two filters conflict on the same position

```xml
<security:http>
  <security:custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
</security:http>

<bean id="myFilter" class="com.mycompany.MySpecialAuthenticationFilter"/>
```

• A filter can be added to the chain (before or after attribute)

```xml
<security:http>
  <security:custom-filter after="FORM_LOGIN_FILTER" ref="myFilter" />
</security:http>

<bean id="myFilter" class="com.mycompany.MySpecialFilter"/>
```