the Application Context • Spring configuration • Using Spring Security's "Security" namespace <beans> <security:http use-expressions="true"> <security:intercept-url pattern="/accounts/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" /> <security:form-login login-page="/login.htm"/> <security:logout logout-success-url="/index.html"/> </security:http> </beans> Match all URLs starting with /accounts/ (ANT-style path) Spring configuration file
web.xml • Define the single proxy filter – springSecurityFilterChain is a mandatory name – Refers to an existing Spring bean with same name <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> web.xml
Expression Language • Expression Language provides more flexibility – Many built-in expressions available <beans> <security:http use-expressions="true"> <security:intercept-url pattern="/accounts/edit*" access="hasRole('ROLE_ADMIN')" /> <security:intercept-url pattern="/accounts/account*" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" /> <security:intercept-url pattern="/accounts/**" access="isAuthenticated() and hasIpAddress('192.168.1.0/24')" /> </security:http> </beans> Spring configuration file Expression Language needs to be enabled explicitly
• DAO Authentication provider is default – Expects a UserDetailsService implementation to provide credentials and authorities • Built-in: In-memory (properties), JDBC (database), LDAP • Custom • Or define your own Authentication provider – Example: to get pre-authenticated user details when using single sign-on • CAS, TAM, SiteMinder ... – See online examples
User Login • Default auth. provider assumes form-based login – This is web security after all – Must specify form-login element – A basic form is provided – Configure to use your own login-page <security:http> <security:form-login/> … </security:http> <security:authentication-manager> <security:authentication-provider> ... </security:authentication-provider> <security:authentication-manager>
Login Page <form action=“<c:url value=’j_spring_security_check’/>” method=“POST”> <input type=“text” name=“j_username”/> <br/> <input type=“password” name=“j_password”/> <br/> <input type=“submit” name=“submit” value=“LOGIN”/> </form> The expected keys for generation of an authentication request token URL that indicates an authentication request Above example shows default values (j_spring_security_check, j_username, j_password). All of them can be redefined using <security:form-login/> login-example.jsp
User Service • Useful for development and testing – Note: must restart system to reload properties <security:authentication-manager> <security:authentication-provider> <security:user-service properties="/WEB-INF/users.properties" /> </security:authentication-provider> <security:authentication-manager> Spring configuration file admin=secret,ROLE_ADMIN,ROLE_MEMBER,ROLE_GUEST testuser1=pass,ROLE_MEMBER,ROLE_GUEST testuser2=pass,ROLE_MEMBER guest=guest,ROLE_GUEST List of roles separated by commas login password
user service (1/2) Queries RDBMS for users and their authorities • Provides default queries – SELECT username, password, enabled FROM users WHERE username = ? – SELECT username, authority FROM authorities WHERE username = ? • Groups also supported – groups, group_members, group_authorities tables – See online documentation for details • Advantage – Can modify user info whilst system is running
• Can encode passwords using a hash – sha, md5, … • Secure passwords using a well-known string – Known as a 'salt', makes brute force attacks harder <security:authentication-provider> <security:password-encoder hash="sha-256"> <security:salt-source system-wide="MySalt" /> </security:password-encoder> <security:user-service properties="/WEB-INF/users.properties" /> </security:authentication-provider> <security:authentication-provider> <security:password-encoder hash="sha-256" /> <security:user-service properties="/WEB-INF/users.properties" /> </security:authentication-provider> simple encoding encoding with salt bcrypt bcrypt
declaration • The Spring Security tag library is declared as follows <%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %> <%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %> available since Spring Security 2.0 jsp
Tag Library • Display properties of the Authentication object • Hide sections of output based on role You are logged in as: <security:authentication property=“principal.username”/> <security:authorize access=“hasRole('ROLE_MANAGER')”> TOP-SECRET INFORMATION Click <a href=“/admin/deleteAll”>HERE</a> to delete all records. </security:authorize> jsp jsp
Chain: Summary # Filter Name Main Purpose 1 SecurityContext IntegrationFilter Establishes SecurityContext and maintains between HTTP requests formerly: HttpSessionContextIntegrationFilter 2 LogoutFilter Clears SecurityContextHolder when logout requested 3 UsernamePassword Processing Filter Puts Authentication into the SecurityContext on login request formerly: AuthenticationProcessingFilter 4 Exception TranslationFilter Converts SpringSecurity exceptions into HTTP response or redirect 5 FilterSecurity Interceptor Authorizes web requests based on on config attributes and authorities
Chain • Filter on the stack may be replaced by a custom filter <security:http> <security:custom-filter position="FORM_LOGIN_FILTER" ref="myFilter” /> </security:http> <bean id="myFilter" class="com.mycompany.MySpecialAuthenticationFilter"/> <security:http> <security:custom-filter after="FORM_LOGIN_FILTER" ref="myFilter” /> </security:http> <bean id="myFilter" class="com.mycompany.MySpecialFilter"/> • Filter can be added to the chain
michaelisvy
o0h
kuroppe1819
konifar
akidon0000
kudoas
bob3bob3
kishida
bkuhlmann
lovee
upamune
ogurotakayuki
ttskch
lara
michaelherold
akmur
brianwarren
mongodb
sferik
revolveconf
hannesfritz
holman
sachag
addyosmani
