Spring Security - Explained

Spring Security primarily focuses on providing authentication and authorization for applications.

Spring Security applies security in layers: first at the URL level and then at the method level. So even if an intrusion slips past the URL-level checks, it can still be blocked at the method level.

We can enable Spring Security either through XML namespaces or through annotations.
In this post, I describe the steps to enable Spring Security at the URL level in an application.

Basic setup:

 import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

 // Registers the springSecurityFilterChain filter when the application starts (no web.xml entry needed)
 public class SpringSecurityInitializer
         extends AbstractSecurityWebApplicationInitializer {
 }

Extending AbstractSecurityWebApplicationInitializer creates the equivalent of the filter mapping below in web.xml and also adds security.xml to the contextConfigLocation.


 <filter>
   <filter-name>springSecurityFilterChain</filter-name>
   <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 </filter>
 <filter-mapping>
   <filter-name>springSecurityFilterChain</filter-name>
   <url-pattern>/*</url-pattern>
 </filter-mapping>



How do filters work?


A Servlet filter intercepts a request before it reaches the Servlet. Because this behaviour is analogous to AOP (cross-cutting interception), Spring chose it as the foundation of its security framework.


In the XML above, springSecurityFilterChain is configured as a Servlet filter.

It acts as an interceptor (proxy) in front of all our controllers: every request made to the application has to pass through this filter before it reaches a controller.
So, before a controller is reached, Spring Security can check whether the request is authenticated, and only then does it delegate the request to the controller.

In the Spring Security framework, springSecurityFilterChain is not the only filter that handles security. Internally, springSecurityFilterChain calls a set of filters (responsible for URL interception, form authentication, logout handling, CSRF token handling, and so on) before delegating the user's request to the controller.


Going back to where we started: we now have a web component registered by the Spring Security framework, and Spring Security is plugged into our application.


Basically, Spring Security provides the security infrastructure for our application. For that infrastructure to work, we have to provide certain inputs that Spring Security expects.


This is how we provide that input:



  import org.springframework.context.annotation.Configuration;
  import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

  @Configuration
  @EnableWebSecurity
  public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Input 1: where the user details come from (here: an in-memory user store)
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
       auth
       .inMemoryAuthentication()
       .withUser("naresh")
       .password("naresh")   // plaintext is accepted up to Spring Security 4; 5+ needs a PasswordEncoder or a "{noop}" prefix
       .roles("USER");
    }

    // Input 2: which URLs/resources require which authorization
    @Override
    protected void configure(HttpSecurity http) throws Exception {
       http.authorizeRequests()
         .antMatchers("/admin/**").hasRole("ADMIN")   // /admin/** only for users with the ADMIN role
         .anyRequest().authenticated()                // every other request needs an authenticated user
            .and()
         //.httpBasic()                               // alternative: HTTP Basic authentication
         .formLogin()                                 // form-based login with the default login page
         //.loginPage("/customLogin")
         //.permitAll()
            .and()
         .logout().logoutSuccessUrl("/login?logout").invalidateHttpSession(true);
       // CSRF protection (http.csrf()) is enabled by default in Java config, so no explicit call is needed
    }
  }


1. Location of the user details/repository


protected void configure(AuthenticationManagerBuilder auth) throws Exception 

Builds the authentication details of the users with AuthenticationManagerBuilder. The user store can be configured in memory, in a database, in LDAP, and so on.
In the example above we used in-memory authentication.

XML equivalent of the configure(AuthenticationManagerBuilder auth) method:

 <authentication-manager>
     <authentication-provider>
       <user-service>
         <user name="naresh" password="naresh" authorities="USER" />
       </user-service>
     </authentication-provider>
 </authentication-manager>


2. Which URLs/resources to authenticate?


protected void configure(HttpSecurity http) throws Exception 

Builds the access rules for URLs/resources using the HttpSecurity class.

How Spring interprets this method:

http.authorizeRequests() - start declaring which requests need authorization
antMatchers("/admin/**").hasRole("ADMIN") - restrict access to the /admin page(s) to users with the ADMIN role
anyRequest().authenticated() - require authentication for every other request that does not match /admin
httpBasic() - authenticate the user with HTTP Basic authentication
formLogin() - authenticate the user with a form-based login, and show a login page when a user who is not logged in accesses the application
logout() - provides logout support
csrf() - requires a CSRF token on requests to prevent Cross-Site Request Forgery (CSRF) attacks

XML equivalent of the configure(HttpSecurity http) method:

 <http>
   <intercept-url pattern="/**" access="authenticated"/>
   <form-login />
   <http-basic />
 </http>
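As an added example (not code from the original post), this configuration puts both layers from the introduction side by side: the URL rules from the walkthrough above, plus a @PreAuthorize check on a service method that still applies if a request reaches the service through a URL not covered by the /admin/** rule; it also BCrypt-hashes the in-memory passwords instead of storing them in plaintext. The users, passwords and UserAdminService are made up, and it uses the same WebSecurityConfigurerAdapter API as the post.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on the second layer: method-level checks
public class LayeredSecurityConfig extends WebSecurityConfigurerAdapter {
    // BCrypt-hashes passwords so the in-memory store never holds plaintext
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Input 1: user store (hypothetical users and passwords, hashed at start-up)
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().passwordEncoder(passwordEncoder())
            .withUser("naresh").password(passwordEncoder().encode("user-secret")).roles("USER").and()
            .withUser("admin").password(passwordEncoder().encode("admin-secret")).roles("ADMIN");
    }

    // Layer 1: URL interception in springSecurityFilterChain; CSRF stays at its enabled default
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
    // Layer 2: the service checks the role itself, so a controller mapped outside /admin/** cannot expose it to a plain USER
    @Bean
    public UserAdminService userAdminService() {
        return new UserAdminService();
    }
    public static class UserAdminService {
        @PreAuthorize("hasRole('ADMIN')") // AccessDeniedException for any caller without ROLE_ADMIN
        public String deleteUser(String username) {
            return "deleted " + username; // hypothetical body
        }
    }
}
```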

And finally, we import the security.xml bean definitions into the existing servlet-context.xml equivalent using the code below.


 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import org.springframework.web.servlet.view.InternalResourceViewResolver;
 import org.springframework.web.servlet.view.JstlView;

 @EnableWebMvc
 @Configuration
 @ComponentScan(basePackages = {"com.javarephrased.springsecurity"})  // scans this package and its sub-packages for annotated components
 @Import({SecurityConfig.class})   // pulls the security configuration into this context
 public class ApplicationConfigClass {

      // Resolves view names to JSP files under /WEB-INF/views/
      @Bean
      public InternalResourceViewResolver viewResolver() {
           InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
           viewResolver.setViewClass(JstlView.class);
           viewResolver.setPrefix("/WEB-INF/views/");
           viewResolver.setSuffix(".jsp");
           return viewResolver;
      }
 }

The above class is the Java equivalent of an MVC-enabled servlet-context.xml; it looks for controller annotations in com.javarephrased.springsecurity and its sub-packages.
The @Import({SecurityConfig.class}) annotation on that class imports the security.xml beans into the servlet-context.

In the next post, I will target some more features of Spring security......

Happy Reading!!!!
