
Introduction to Spring Security

Slides used at the Singapore Spring User Group on July 3rd

Michael Isvy

July 03, 2014

Transcript

  1. Spring Security: Web Application Security
    © Copyright 2014 Pivotal. All rights reserved.
    Vinit Kumar
    Michael Isvy

  2. Configuration in the Application Context
    • Spring configuration
    • Using Spring Security's "Security" namespace

    <intercept-url pattern="/accounts/**"
                   access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" />

    Matches all URLs starting with /accounts/ (Ant-style path)
    Spring configuration file

  3. Configuration in web.xml
    • Define the single proxy filter
    – springSecurityFilterChain is a mandatory name
    – Refers to an existing Spring bean with the same name

    <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

    web.xml

  4. Intercept-url and Expression Language
    • Expression Language provides more flexibility
    – Many built-in expressions available

    The access attribute of three intercept-url elements:
    access="hasRole('ROLE_ADMIN')" />
    access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" />
    access="isAuthenticated() and hasIpAddress('192.168.1.0/24')" />

    Spring configuration file
    Expression Language needs to be enabled explicitly

  5. Specifying login and logout

    <form-login ... default-target-url="/accounts/home"/>
    access="hasAnyRole('ROLE_ADMIN', 'ROLE_MANAGER')" />
    access="hasRole('ROLE_ADMIN')" />
    ... Spring configuration file

    – Specify login options (form-login)
    – Logout must be declared explicitly, or no logout is possible
    – Exempt the login page from authentication (Spring Security 3.1)
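Pulling slides 2, 4 and 5 together, here is an added example (not from the deck) of a complete http block in Spring Security 3.1 namespace form, showing why rule order matters: intercept-url rules are checked top to bottom and the first match wins. The URL patterns, the /login page and the failure/logout URLs are assumptions.

```xml
<!-- Added example, not from the original slides. Spring Security 3.1 namespace;
     URL patterns and the /login page are assumptions. -->
<http use-expressions="true">

  <!-- intercept-url rules are evaluated top to bottom and the FIRST match wins,
       so specific patterns must come before broad ones. A /** rule placed
       first would make every rule below it unreachable. -->

  <!-- The login page must be reachable anonymously; otherwise every
       unauthenticated request is redirected to a page that itself
       demands authentication. -->
  <intercept-url pattern="/login*" access="permitAll" />

  <!-- Narrow rule before the broad one it overlaps with. -->
  <intercept-url pattern="/accounts/admin/**"
                 access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/accounts/**"
                 access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" />

  <!-- Expressions combine: logged in AND calling from an internal subnet. -->
  <intercept-url pattern="/internal/**"
                 access="isAuthenticated() and hasIpAddress('192.168.1.0/24')" />

  <!-- Deny by default: anything not matched above requires a login. -->
  <intercept-url pattern="/**" access="isAuthenticated()" />

  <!-- Login options; without login-page a basic generated form is used. -->
  <form-login login-page="/login"
              default-target-url="/accounts/home"
              authentication-failure-url="/login?error=1" />

  <!-- Without this element no logout endpoint exists at all. -->
  <logout logout-success-url="/login?logout=1" />
</http>
```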

  6. Configure Authentication
    • DAO Authentication provider is default
    – Expects a UserDetailsService implementation to provide credentials and authorities
    • Built-in: In-memory (properties), JDBC (database), LDAP
    • Custom
    • Or define your own Authentication provider
    – Example: to get pre-authenticated user details when using single sign-on
    • CAS, TAM, SiteMinder ...
    – See online examples

  7. Setting up User Login
    • Default auth. provider assumes form-based login
    – This is web security after all
    – Must specify form-login element
    – A basic form is provided
    – Configure to use your own login-page

    ...

  8. An Example Login Page
    <form action="..." method="POST">
    ...

    The expected keys for generation of an authentication request token
    URL that indicates an authentication request
    The example above shows the default values (j_spring_security_check, j_username,
    j_password). All of them can be redefined using
    login-example.jsp

  9. The In-Memory User Service
    • Useful for development and testing
    – Note: must restart the system to reload properties

    admin=secret,ROLE_ADMIN,ROLE_MEMBER,ROLE_GUEST
    testuser1=pass,ROLE_MEMBER,ROLE_GUEST
    testuser2=pass,ROLE_MEMBER
    guest=guest,ROLE_GUEST

    Spring configuration file
    Each line is login=password, followed by the list of roles separated by commas

  10. The JDBC user service (1/2)
    Queries the RDBMS for users and their authorities
    • Provides default queries
    – SELECT username, password, enabled FROM users WHERE username = ?
    – SELECT username, authority FROM authorities WHERE username = ?
    • Groups also supported
    – groups, group_members, group_authorities tables
    – See online documentation for details
    • Advantage
    – Can modify user info whilst the system is running

  11. The JDBC user service (2/2)
    • Configuration:
    Spring configuration file
    Can customize queries using attributes:
    users-by-username-query
    authorities-by-username-query
    group-authorities-by-username-query

  12. Password Encoding
    • Can encode passwords using a hash
    – sha, md5, …
    • Secure passwords using a well-known string
    – Known as a 'salt'; makes brute-force attacks harder

    Variants shown: simple encoding, encoding with salt, bcrypt (two variants)
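The three encoder variants the slide names, as an added example (not the deck's own configuration) in Spring Security 3.1 namespace form, weakest first. The bean id bcryptEncoder and the user-service-ref userService are assumptions.

```xml
<!-- Added example, not from the original slides. Spring Security 3.1 namespace;
     bean id "bcryptEncoder" and user-service-ref "userService" are assumptions. -->
<authentication-manager>
  <authentication-provider user-service-ref="userService">

    <!-- 1. Simple encoding: an unsalted MD5 hash. Equal passwords give equal
         hashes, so a precomputed table of common passwords matches directly. -->
    <!-- <password-encoder hash="md5"/> -->

    <!-- 2. Encoding with a salt: SHA with the username mixed in, so two users
         with the same password no longer share a hash. The salt is still
         predictable and SHA remains very fast to brute force. -->
    <!-- <password-encoder hash="sha">
           <salt-source user-property="username"/>
         </password-encoder> -->

    <!-- 3. bcrypt: a random per-password salt stored inside the hash string
         and a tunable work factor. This is the variant to use. -->
    <password-encoder ref="bcryptEncoder"/>
  </authentication-provider>
</authentication-manager>

<!-- bcrypt is configured as a plain bean. The constructor argument is the
     cost factor: 12 means 2^12 key-expansion rounds per hash. -->
<beans:bean id="bcryptEncoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
  <beans:constructor-arg value="12"/>
</beans:bean>
```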

  13. Tag library declaration
    • The Spring Security tag library is declared as follows
    <%@ taglib prefix="security"
    uri="http://www.springframework.org/security/tags" %>
    available since Spring Security 2.0
    jsp

  14. Spring Security’s Tag Library
    • Display properties of the Authentication object
    • Hide sections of output based on role

    You are logged in as:

    TOP-SECRET INFORMATION
    Click HERE to delete all records.

    jsp

  15. The Filter Chain: Summary
    #  Filter name                        Main purpose
    1  SecurityContextIntegrationFilter   Establishes the SecurityContext and maintains it between HTTP requests
                                          (formerly: HttpSessionContextIntegrationFilter)
    2  LogoutFilter                       Clears the SecurityContextHolder when logout is requested
    3  UsernamePasswordProcessingFilter   Puts the Authentication into the SecurityContext on a login request
                                          (formerly: AuthenticationProcessingFilter)
    4  ExceptionTranslationFilter         Converts Spring Security exceptions into an HTTP response or redirect
    5  FilterSecurityInterceptor          Authorizes web requests based on config attributes and authorities

  16. Custom Filter Chain
    • A filter on the stack may be replaced by a custom filter
    • A filter can be added to the chain