Spring Security
Spring Security defines a framework for security
Implemented using Servlet filters in the background
Two methods of securing a Web app: declarative and programmatic
Servlet Filters are used to pre-process/post-process web requests
Servlet Filters can route web requests based on security logic
Spring provides a bulk of security functionality with servlet filters
Authentication
Check user id and password with credentials stored in app/db
Authorization
Check to see if user has an authorized role
Declarative Security
Define the app's security constraints in configuration
All-Java config (@Configuration, no XML)
or Spring XML config
Provides separation of concerns between application code and security
Programmatic Security
Spring Security provides an API for custom app coding
Provides greater customization for specific app requirements
HTTP Basic Authentication
Default login form
Spring Security provides a default login form
Custom login form
Need to customize the Maven build since we are not using web.xml
Must add Maven WAR plugin
@EnableWebMVC
Provides similar support to <mvc:annotation-driven /> in XML
Adds conversion, formatting and validation support
Processing of @Controller classes and @RequestMapping (etc.) methods
Spring MVC provides support for web app initialization
Makes sure your code is automatically detected
Your code is used to initialize the servlet container
Extend this abstract base class
Override required methods
Specify servlet mapping and location of your app config
Note:
spring-security-framework version 5.0.0 matches spring-framework 5.0.2
spring-security-framework version 5.0.1 does not match
Add Maven dependencies for Spring MVC Web App
Create Spring App Configuration(@Configuration)
Create Spring Dispatcher Servlet Initializer
Develop our Spring controller
Develop our JSP view page
This is only an issue during dev and testing, not an issue when deployed to production/real-time.
Modify Spring Security Configuration to reference custom login form
Develop a Controller to show the custom login form
Create custom login form (CSS, Spring MVC form tag <form:form>)
Cross-Site Request Forgery (CSRF): a security attack where an evil website tricks you into executing an action on a web application that you are currently logged in to.
e.g. you are logged into your banking app and are tricked into sending money to another person
Embed additional authentication data/token into all HTML forms
On subsequent requests, web app will verify token before processing
CSRF protection is enabled by default in Spring Security
Spring Security uses the Synchronizer Token Pattern
Each request includes a session cookie and randomly generated token
For request processing, Spring Security verifies token before processing
All of this is handled by Spring Security Filters
For form submissions use POST instead of GET
Include CSRF token in form submission
<form:form> automagically adds CSRF token
If you don't use <form:form>, you must manually add the CSRF token
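The declarative Java config, custom login form and CSRF points above, pulled together in one added example (not code from the original notes): a Spring Security 5.0-style WebSecurityConfigurerAdapter with in-memory users, role-based authorization and a custom login page. The user names, roles and URL paths are hypothetical; the `{noop}` prefix is assumed for demo-only plain-text passwords.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Configuration
@EnableWebSecurity   // declarative security: all Java config, no XML
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {

    // Authentication: who the users are (hypothetical in-memory users for the demo;
    // a real app would back this with a database-backed UserDetailsService)
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("alice").password("{noop}test123").roles("EMPLOYEE")
            .and()
            .withUser("bob").password("{noop}test123").roles("EMPLOYEE", "MANAGER");
        // {noop} = no password encoding, demo only; use BCrypt in production
    }

    // Authorization: which roles may reach which URLs, plus the custom login form
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/leaders/**").hasRole("MANAGER")   // hypothetical manager-only area
                .anyRequest().authenticated()                  // everything else needs a login
            .and()
            .formLogin()
                .loginPage("/showMyLoginPage")                 // our custom form instead of the default
                .loginProcessingUrl("/authenticateTheUser")    // Spring Security handles this POST
                .permitAll()
            .and()
            .logout().permitAll();
        // CSRF protection stays on by default (Synchronizer Token Pattern via the filter chain).
        // The login JSP must POST and carry the token: <form:form> adds it automatically; a plain
        // <form> needs <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>.
    }
}

// Controller that only serves the custom login view (view name is hypothetical)
@Controller
class LoginController {
    @GetMapping("/showMyLoginPage")
    public String showMyLoginPage() {
        return "fancy-login";
    }
}
```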