Spring Security

1.1 Spring Security Model

  • Spring Security defines a framework for security

  • Implemented using Servlet filters in the background

  • Two methods of securing a Web app: declarative and programmatic

1.2. Spring Security with Servlet Filters

  • Servlet Filters are used to pre-process/post-process web requests

  • Servlet Filters can route web requests based on security logic

  • Spring provides the bulk of its security functionality through servlet filters

1.3. Security Concepts

  • Authentication

    • Check user id and password with credentials stored in app/db

  • Authorization

    • Check to see if user has an authorized role

1.4 Declarative and Programmatic Security

  • Declarative Security

    • Define the app's security constraints in configuration

      • All Java config (@Configuration, no XML)

      • or Spring XML config

    • Provides separation of concerns between application code and security

  • Programmatic Security

    • Spring Security provides an API for custom app coding

    • Provides greater customization for specific app requirements

1.5 Different Login Methods

  • HTTP Basic Authentication

  • Default login form

    • Spring Security provides a default login form

  • Custom login form

1.6 Customize Maven Build

Because we are not using web.xml, the Maven build must be customized: add the Maven WAR plugin (version 3.x no longer fails the build when web.xml is missing).

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-war-plugin</artifactId>
    <version>3.2.0</version>
</plugin>

1.7 Enabling the MVC Java Config

@EnableWebMvc

  • Provides similar support to <mvc:annotation-driven /> in XML.

  • Adds conversion, formatting and validation support

  • Processing of @Controller classes, @RequestMapping methods, etc.

1.8 Web App Initializer

  • Spring MVC provides support for web app initialization

  • Makes sure your code is automatically detected

  • Your code is used to initialize the servlet container

AbstractAnnotationConfigDispatcherServletInitializer

  • Extend this abstract base class

  • Override required methods

  • Specify servlet mapping and location of your app config

Note:

The Spring Security and Spring Framework versions must be compatible: spring-security-framework version 5.0.0 matches spring-framework 5.0.2, while spring-security-framework version 5.0.1 does not match it.

1.9 Development Process

  1. Add Maven dependencies for Spring MVC Web App

  2. Create Spring App Configuration (@Configuration)

  3. Create Spring Dispatcher Servlet Initializer

  4. Develop our Spring controller

  5. Develop our JSP view page
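Steps 2 and 3 of this process (the app configuration and the initializer from section 1.8), plus the initializer that installs Spring Security's filter chain from section 1.2, as an added example that is not code from the notes. The package name com.example.demo and the class names are assumptions; DemoSecurityConfig is the class shown in section 3. The classes are package-private so they fit in one file here; in a project each is normally its own public class.

```java
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ViewResolverRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

// Step 2 of 1.9: Java config that replaces <mvc:annotation-driven /> and the JSP view resolver bean.
// Package com.example.demo is an assumed name, not one from the notes.
@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.example.demo")
class DemoAppConfig implements WebMvcConfigurer {
    @Override
    public void configureViewResolvers(ViewResolverRegistry registry) {
        // controllers return a logical view name, resolved to /WEB-INF/view/<name>.jsp
        registry.jsp("/WEB-INF/view/", ".jsp");
    }
}

// Step 3 of 1.9 / section 1.8: detected automatically by the servlet container (no web.xml),
// it registers the DispatcherServlet and points it at the config classes above.
class DemoDispatcherServletInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
    @Override
    protected Class<?>[] getRootConfigClasses() {
        return null; // no separate root context in this setup
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        // MVC config and the security config (section 3) live in the same context
        return new Class<?>[] { DemoAppConfig.class, DemoSecurityConfig.class };
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" }; // DispatcherServlet handles every request
    }
}

// Section 1.2: Spring Security does its work in servlet filters. This initializer registers the
// springSecurityFilterChain (a DelegatingFilterProxy) for all URLs, ahead of the DispatcherServlet.
class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}
```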

1.10 User login is based on a "web browser session", so after a JSP is changed the user is still in a logged-in state.

This is only an issue during development and testing, not an issue when deployed to production/real-time.

1.11 Development Process of Custom Login Form

  1. Modify Spring Security Configuration to reference custom login form

  2. Develop a Controller to show the custom login form

  3. Create custom login form (CSS, Spring MVC form tag <form:form>)

2. Cross Site Request Forgery (CSRF)

2.1 What is CSRF?

A security attack where a malicious website tricks you into executing an action on a web application that you are currently logged in to.

e.g.: while you are logged into your banking app, you are tricked into sending money to another person.

2.2 CSRF Protection

  • Embed additional authentication data/token into all HTML forms

  • On subsequent requests, web app will verify token before processing

2.3 Spring Security's CSRF Protection

  • CSRF protection is enabled by default in Spring Security

  • Spring Security uses the Synchronizer Token Pattern

    • Each request includes a session cookie and a randomly generated token

  • Spring Security verifies the token before processing the request

  • All of this is handled by Spring Security Filters

2.4 Use Spring Security CSRF Protection

  • For form submissions use POST instead of GET

  • Include CSRF token in form submission

  • <form:form> automagically adds CSRF token

  • If you don't use <form:form>, you must manually add the CSRF token

3. Authorization on Role

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {

    // ... (user/authentication setup omitted in these notes)

    // configure security of web paths in app, login, logout etc
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        /* earlier version: any authenticated user may access any request
        http.authorizeRequests().anyRequest().authenticated()
            .and()
                .formLogin()
                .loginPage("/showMyLoginPage")
                .loginProcessingUrl("/authenticateTheUser")
                .permitAll()
            .and()
                .logout()
                .permitAll();
        */

        // role-based version: each path requires a role (hasRole adds the ROLE_ prefix)
        http.authorizeRequests()
                .antMatchers("/").hasRole("EMPLOYEE")
                .antMatchers("/leaders/**").hasRole("MANAGER")
                .antMatchers("/systems/**").hasRole("ADMIN")
            .and()
                .formLogin()
                .loginPage("/showMyLoginPage")              // custom login form (section 1.11)
                .loginProcessingUrl("/authenticateTheUser") // the form POSTs here; no controller needed
                .permitAll()
            .and()
                .logout()
                .permitAll();
    }
}
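An added test, not code from the notes, that checks both the role rules above and the CSRF token check from section 2.4 using Spring's MockMvc with spring-security-test. It assumes JUnit 4, an MVC config class named DemoAppConfig, and a controller mapped to /leaders/; none of these names appear in the notes.

```java
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.*;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;

import org.junit.*;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringRunner.class)
@WebAppConfiguration
@ContextConfiguration(classes = { DemoAppConfig.class, DemoSecurityConfig.class }) // DemoAppConfig is assumed
public class DemoSecurityConfigTest {
    @Autowired private WebApplicationContext context;
    private MockMvc mockMvc;

    @Before
    public void setUp() {
        // apply(springSecurity()) installs the springSecurityFilterChain so the security filters really run
        mockMvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test
    public void anonymousUserIsRedirectedToLoginPage() throws Exception {
        mockMvc.perform(get("/")).andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrlPattern("**/showMyLoginPage"));
    }

    @Test
    public void roleIsEnforcedPerPath() throws Exception {
        // /leaders/** requires MANAGER: an authenticated EMPLOYEE gets 403, a MANAGER gets through
        mockMvc.perform(get("/leaders/").with(user("john").roles("EMPLOYEE"))).andExpect(status().isForbidden());
        mockMvc.perform(get("/leaders/").with(user("mary").roles("MANAGER"))).andExpect(status().isOk());
    }

    @Test
    public void postWithoutCsrfTokenIsRejected() throws Exception {
        // Synchronizer Token Pattern: CsrfFilter rejects a POST with no token before login is even attempted
        mockMvc.perform(post("/authenticateTheUser").param("username", "john").param("password", "pw"))
               .andExpect(status().isForbidden());
        // with a valid token the filter lets the request through; login then redirects (to / or back to the form)
        mockMvc.perform(post("/authenticateTheUser").param("username", "john").param("password", "pw").with(csrf()))
               .andExpect(status().is3xxRedirection());
    }
}
```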
