Spring Security 3.0: Authentication and Authorization
Jason Ferguson
Who I Am
- "Vell, Jason's just zis guy, you know?"
- In the Air Force for 16.5 years
  - Two trips to Afghanistan
  - Can say "get to work" and "get in line" in Pashto and Dari
- Java programmer for 6 years
- A military programming shop is NOTHING LIKE a commercial shop
  - 12 weeks of training
  - Morning PT
Obligatory Funny Picture
What I'm Assuming
- You're familiar with Java
- You're at least somewhat familiar with Spring
- You can read a Javadoc to get information I am not covering
- You can create a database schema in the database of your choice and configure JDBC/Hibernate/whatever
What I'll Cover
- What Spring Security is and what it does
- Core concepts
- Configuration
- Developing with Spring Security
- Method-level security
- JSP tag libraries
What I Won't Cover
- Core security filters
- The majority of the Security Namespace
- Session management
What Is Spring Security?
- Provides enterprise-level authentication and authorization services
- Authentication is based on implementations of the GrantedAuthority interface
  - Usually "ROLE_USER", "ROLE_ADMIN", etc.
- Authorization is based on Access Control Lists
  - Don't have time to cover tonight
Supported Authentication Types
- Simple answer: "just about any"
  - Unless you're "weird"
- Types:
  - Simple form-based
  - HTTP Basic and Digest
  - LDAP
  - X.509 client certificate
  - OpenID
  - Etc., etc.
History
- Originally the ACEGI project
  - Configuration was "death by XML"
  - The project lead liked it that way
- ACEGI was rebranded as "Spring Security" around the Spring 2.0 release
- With the Security Namespace, and as additional modules became available, death by XML gave way to configuration by convention
What Are Authentication and Authorization?
- Authentication is the equivalent of logging in with a username and password
  - Based on that username/password, an access control mechanism allows or disallows the user to perform certain tasks
- Authorization is the equivalent of an Access Control List (ACL)
  - An AccessDecisionManager decides whether to allow or deny access to a secure object based on the Authentication
The Authentication and SecurityContext
- Authentication represents the principal (the person logging into the application)
- GrantedAuthority: what permissions the principal has
- SecurityContext holds the Authentication
- SecurityContextHolder provides access to the SecurityContext
UserDetails and UserDetailsService
- UserDetails provides the information needed to build an Authentication
- UserDetailsService creates a UserDetails object from a passed String (the username)
Obtaining With Maven
- Add the following dependencies to pom.xml:
  - spring-security-core
  - spring-security-web
  - spring-security-config
- Optional dependencies:
  - spring-security-taglibs
  - spring-security-ldap
  - spring-security-acl
  - spring-security-cas-client
  - spring-security-openid
Recommended Database Schema
The "simple" schema:

```sql
-- varchar_ignorecase is an HSQLDB type; use varchar on other databases
create table users (
    username varchar_ignorecase(50) not null primary key,
    password varchar_ignorecase(50) not null,
    enabled  boolean not null
);

create table authorities (
    username  varchar_ignorecase(50) not null,
    authority varchar_ignorecase(50) not null,
    constraint fk_authorities_users foreign key (username) references users (username)
);

create unique index ix_auth_username on authorities (username, authority);
```
Configuring web.xml
Add to web.xml:

```xml
<!-- The filter-name must be "springSecurityFilterChain": DelegatingFilterProxy looks up
     the Spring bean of that name, which the <http> element creates -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
The Security Namespace
Specifying the Security Namespace:

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- bean and security: definitions go here -->

</beans>
```
Enabling Web Security
Web security is enabled via the <http> tag:

```xml
<security:http auto-config="true" use-expressions="true">
    <!-- blah blah, we'll get to this later -->
</security:http>
```
Configuring an Authentication Manager
Simplest way: create a class that implements the UserDetailsService interface, then use it as the authentication provider:

```xml
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userService" />
</security:authentication-manager>
```
Expression-Based Access Control
Common expressions:
- hasRole(rolename)
- hasAnyRole(rolename, rolename, ...)
- isAuthenticated()
- isFullyAuthenticated()
- permitAll()
Securing By URL
Securing by URL uses the <intercept-url> tag:

```xml
<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
```

pattern is the URL to secure; access is the expression used to secure that URL.
Implementing UserDetails
- An individual user is represented by a UserDetails object
- API Link
- Sample implementation of a User object
Implementing UserDetailsService
- UserDetailsService implementations do one thing: return a UserDetails implementation
- API Link
- Sample implementation of UserDetailsService
Form-Based Authentication
- Form-based login is the most common (really?)
- Uses the <form-login> tag
- Attributes:
  - login-page specifies the name of a custom login page
    - Generated automagically if we don't create our own
  - login-processing-url specifies the URL that processes the login action
    - The default JSP uses the "j_username" and "j_password" fields
Password Hashing and Salting
Steps to implement hashing/salting:
- Create a <password-encoder> tag within the <authentication-provider> tag
  - MD5 or SHA-1: use the hash="md5" or hash="sha" attribute
  - Stronger SHA: create a bean named "saltSource" with a class of org.springframework.security.providers.encoding.ShaPasswordEncoder
    - Use a <constructor-arg value="XXX"> with XXX being the higher strength
- Use the <salt-source> tag within <password-encoder> to specify the user property to use as the salt
Hashing and Salting Example

```xml
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userService">
        <!-- ref points at the encoder bean below (named "saltSource" on these slides) -->
        <security:password-encoder ref="saltSource">
            <!-- the salt is read from the "email" property of the loaded UserDetails object -->
            <security:salt-source user-property="email" />
        </security:password-encoder>
    </security:authentication-provider>
</security:authentication-manager>

<!-- In Spring Security 3.0 the encoder lives in the authentication.encoding package;
     org.springframework.security.providers.encoding was its 2.x location -->
<bean id="saltSource" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
    <constructor-arg value="384" />
</bean>
```
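The UserDetails and UserDetailsService slides link to sample implementations that are not reproduced here; what follows is an added example (mine, not the author's) of both, backed by the "simple" users/authorities schema, together with the registration-time hashing that has to agree with the saltSource configuration above. It assumes Spring Security 3.0 package names, a JdbcTemplate over the application's DataSource, and an extra email column on the users table (the slides' schema has none), because <salt-source user-property="email"/> reads the salt through a getEmail() getter on the loaded UserDetails object.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import javax.sql.DataSource;

import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Added example: the bean referenced by user-service-ref="userService" on the slides. */
public class JdbcUserService implements UserDetailsService {

    // Strength must equal the <constructor-arg value="384"/> of the configured encoder,
    // otherwise registration-time hashes and login-time hashes never agree.
    private final ShaPasswordEncoder encoder = new ShaPasswordEncoder(384);
    private final JdbcTemplate jdbc;

    public JdbcUserService(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    /** Called by the authentication provider with the username the login form submitted. */
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Map<String, Object> row;
        try {
            // assumes an "email" column added to the slides' users table
            row = jdbc.queryForMap(
                "select username, password, email, enabled from users where username = ?", username);
        } catch (EmptyResultDataAccessException e) {
            // The provider reports this as the same BadCredentialsException a wrong password
            // produces, so the login form cannot be used to enumerate valid usernames.
            throw new UsernameNotFoundException("no such user: " + username);
        }
        List<String> roles = jdbc.queryForList(
            "select authority from authorities where username = ?", String.class, username);
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new GrantedAuthorityImpl(role));   // e.g. "ROLE_USER"
        }
        return new AppUser((String) row.get("username"), (String) row.get("password"),
                (String) row.get("email"), (Boolean) row.get("enabled"), authorities);
    }

    /** Stores a new account hashed exactly the way the configured encoder will hash at login. */
    public void register(String username, String rawPassword, String email, List<String> roles) {
        // <salt-source user-property="email"/> feeds getEmail() in as the salt at login,
        // so the stored hash must be computed with that same value.
        String hash = encoder.encodePassword(rawPassword, email);
        // A SHA-384 hex digest is 96 characters; the slides' password column is
        // varchar_ignorecase(50) and has to be widened before this insert succeeds.
        jdbc.update("insert into users (username, password, email, enabled) values (?, ?, ?, ?)",
                username, hash, email, Boolean.TRUE);
        for (String role : roles) {
            jdbc.update("insert into authorities (username, authority) values (?, ?)", username, role);
        }
    }

    /** One users row plus its authorities. Immutable, since it lives in the HTTP session. */
    public static final class AppUser implements UserDetails {
        private final String username;
        private final String password;
        private final String email;
        private final boolean enabled;
        private final Collection<GrantedAuthority> authorities;

        AppUser(String username, String password, String email, boolean enabled,
                Collection<GrantedAuthority> authorities) {
            this.username = username;
            this.password = password;
            this.email = email;
            this.enabled = enabled;
            this.authorities = authorities;
        }

        /** Read reflectively by the salt source; the name must match user-property="email". */
        public String getEmail() { return email; }

        public Collection<GrantedAuthority> getAuthorities() { return authorities; }
        public String getPassword() { return password; }
        public String getUsername() { return username; }
        public boolean isEnabled() { return enabled; }

        // The simple schema has no lock or expiry columns, so these are always true.
        public boolean isAccountNonExpired() { return true; }
        public boolean isAccountNonLocked() { return true; }
        public boolean isCredentialsNonExpired() { return true; }
    }
}
```

Declare it as `<bean id="userService" class="JdbcUserService"><constructor-arg ref="dataSource"/></bean>` so that user-service-ref="userService" resolves to it.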
More on Form-Based Authentication
- One problem: you need a specific <intercept-url> tag for the login page, or the login page will be secured as well
  - Creates an infinite redirect loop (visible in the logs)
- Example:

```xml
<security:intercept-url pattern="/login.jsp*" access="permitAll()" />
```
LDAP Authentication
- Full support for LDAP authentication
- Process overview:
  1. Obtain the DN from the username
  2. Authenticate the user
  3. Load the GrantedAuthority collection for the user
Configuration Elements
- LDAP test server:

```xml
<security:ldap-server root="dc=springframework,dc=org"/>
```

- Authentication provider:

```xml
<security:ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
```

- Security context source: a bean with class org.springframework.security.ldap.DefaultSpringSecurityContextSource
  - Constructor argument for the LDAP server address
  - Properties for userDn and password
Connecting to the LDAP Server
- Create a bean named "contextSource" with a class of org.springframework.security.ldap.DefaultSpringSecurityContextSource
- Pass the server as a constructor argument
- Pass userDn and password as properties
Example LDAP SecurityContext

```xml
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <!-- server URL including the base DN; user DN patterns are relative to this base -->
    <constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
    <!-- manager account used for the initial bind -->
    <property name="userDn" value="cn=manager,dc=springframework,dc=org"/>
    <property name="password" value="password"/>
</bean>
```
Configuring the Authentication Provider
- Create a bean named "ldapAuthProvider" of class org.springframework.security.ldap.authentication.LdapAuthenticationProvider
- First constructor argument: a bean of class org.springframework.security.ldap.authentication.BindAuthenticator
  - Constructor argument: the context source
  - Property "userDnPatterns": a list of userDn "wildcards"
Configuring the Authentication Provider (Continued)
- Second constructor argument: a bean of class org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator
  - Constructor argument: the context source
  - Constructor argument with the value "ou=groups"
  - Property "groupRoleAttribute" with the value "ou"
Example LDAP Authentication Provider Configuration

```xml
<bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <!-- step 1 and 2: build the user's DN from the pattern and bind as that user -->
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource"/>
            <property name="userDnPatterns">
                <list>
                    <value>uid={0},ou=people</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    <!-- step 3: load the user's groups under ou=groups and turn the "ou" attribute into roles -->
    <constructor-arg>
        <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <constructor-arg ref="contextSource"/>
            <constructor-arg value="ou=groups"/>
            <property name="groupRoleAttribute" value="ou"/>
        </bean>
    </constructor-arg>
</bean>
```
X.509 Client Certificate Authentication
Using an X.509 client certificate is simple:

```xml
<!-- the regex's capture group (the CN) becomes the username handed to userService -->
<security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>
```
Method-Level Security
- Spring Security can secure methods at the service layer
- Application context configuration:

```xml
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true"/>
```

- Methods are secured with the @PreAuthorize annotation
More On Method Security
- @PostAuthorize
- @PreFilter and @PostFilter
  - Used with domain object (ACL) security
  - Filter a returned collection based on a given expression (hasRole(), etc.)
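As an added example (mine, not the author's) of the annotations above on a service class, and of reaching the Authentication through SecurityContextHolder as described in the core-concepts slides: it assumes Spring Security 3.0 package names and a hypothetical Report object with an owner field.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added example of a service secured by <global-method-security pre-post-annotations="enabled"/>.
 * With proxy-target-class="true" Spring wraps this class in a CGLIB subclass, so it needs a
 * no-arg constructor and the secured methods must not be final. Calls from one method of this
 * class to another go around the proxy, so they are NOT checked.
 */
public class ReportService {

    /** Hypothetical domain object; filterObject/returnObject in the expressions refer to it. */
    public static class Report {
        private final long id;
        private final String owner;
        public Report(long id, String owner) { this.id = id; this.owner = owner; }
        public long getId() { return id; }
        public String getOwner() { return owner; }   // resolves filterObject.owner
    }

    private final List<Report> store = new ArrayList<Report>();

    public void add(Report report) {
        store.add(report);
    }

    // Evaluated before the body runs: a caller without ROLE_ADMIN gets an
    // AccessDeniedException and the store is never touched.
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void deleteAll() {
        store.clear();
    }

    // Body runs first, then every element is tested. "principal" is the UserDetails object
    // loaded at login, so principal.username is its getUsername(). Return a fresh, mutable
    // list: Spring removes the rejected elements from the returned collection in place.
    @PostFilter("hasRole('ROLE_ADMIN') or filterObject.owner == principal.username")
    public List<Report> findAll() {
        return new ArrayList<Report>(store);
    }

    // Decision taken on the return value rather than the arguments. Throwing on "not found"
    // keeps returnObject non-null, so the expression never dereferences null.
    @PostAuthorize("hasRole('ROLE_ADMIN') or returnObject.owner == principal.username")
    public Report findById(long id) {
        for (Report report : store) {
            if (report.getId() == id) {
                return report;
            }
        }
        throw new IllegalArgumentException("no report " + id);
    }

    /** The Authentication the filter chain bound to this thread, or null outside a request. */
    public static Authentication currentAuthentication() {
        return SecurityContextHolder.getContext().getAuthentication();
    }

    /** Programmatic equivalent of hasRole(role) in the expressions above. */
    public static boolean currentUserHasRole(String role) {
        Authentication auth = currentAuthentication();
        if (auth == null) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```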
JSP Tag Library
- Spring Security provides a tag library for accessing the SecurityContext and applying security constraints in JSPs
- What can it do? Restrict the display of certain content by GrantedAuthority
Using The JSP Tag Library
Declaration in JSP:

```jsp
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
```


  • 11. The Authentication and SecurityContext
    Authentication represents the principal (the person logging into the application)
    GrantedAuthority – what permissions the principal has
    SecurityContext holds the Authentication
    SecurityContextHolder provides access to the SecurityContext
  • 12. UserDetails and UserDetailsService
    UserDetails provides the information needed to build an Authentication
    UserDetailsService creates a UserDetails object from a passed String (the username)
  • 13. Obtaining With Maven
    Add the following dependencies to pom.xml:
      spring-security-core
      spring-security-web
      spring-security-config
    Optional dependencies:
      spring-security-taglibs
      spring-security-ldap
      spring-security-acl
      spring-security-cas-client
      spring-security-openid
  • 14. Recommended Database Schema
    The "simple" schema:
      create table users(
        username varchar_ignorecase(50) not null primary key,
        password varchar_ignorecase(50) not null,
        enabled boolean not null
      );
      create table authorities (
        username varchar_ignorecase(50) not null,
        authority varchar_ignorecase(50) not null,
        constraint fk_authorities_users foreign key(username) references users(username)
      );
      create unique index ix_auth_username on authorities (username,authority);
  • 15. Configuring web.xml
    Add to web.xml (the filter name must be exactly springSecurityFilterChain, with no surrounding whitespace, because DelegatingFilterProxy looks up a bean of that name):
      <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
  • 16. The Security Namespace
    Specifying the Security Namespace:
      <beans xmlns="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:security="http://www.springframework.org/schema/security"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/context
                 http://www.springframework.org/schema/context/spring-context-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">
  • 17. Enabling Web Security
    Web Security is enabled via the <http> tag:
      <security:http auto-config="true" use-expressions="true">
        <!-- blah blah, we'll get to this later -->
      </security:http>
  • 18. Configuring an Authentication Manager
    Simplest way: create a class that implements the UserDetailsService interface, then use it as the authentication provider
      <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="userService" />
      </security:authentication-manager>
  • 19. Expression Based Access Control
    Common Expressions:
      hasRole(rolename)
      hasAnyRole(rolename, rolename, …)
      isAuthenticated()
      isFullyAuthenticated()
      permitAll()
  • 20. Securing By URL
    Securing by URL uses the <intercept-url> tag:
      <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    pattern is the URL to secure; access is the expression used to secure the URL
  • 21. Implementing UserDetails
    An individual user is represented by a UserDetails object
    API Link
    Sample Implementation of User object
  • 22. Implementing UserDetailsService
    UserDetailsService implementations do one thing: return a UserDetails implementation
    API Link
    Sample Implementation of UserDetailsService
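A UserDetailsService backed by the "simple" schema from slide 14, added here as a worked example (it is not the sample implementation linked from the slides). It assumes a JDBC DataSource bean is available and that the class is wired as the "userService" bean named by user-service-ref on slide 18; the class name SchemaBackedUserDetailsService is hypothetical. With the salted configuration on slide 25 the returned UserDetails would additionally need a getEmail() property, which Spring's User class does not have.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical class name; wire it as the "userService" bean.
public class SchemaBackedUserDetailsService implements UserDetailsService {

    private final JdbcTemplate jdbc;

    public SchemaBackedUserDetailsService(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    public UserDetails loadUserByUsername(String username) {
        // "users" has username as its primary key, so at most one row comes back.
        List<Map<String, Object>> rows = jdbc.queryForList(
                "select password, enabled from users where username = ?",
                new Object[] { username });
        if (rows.isEmpty()) {
            // DaoAuthenticationProvider reports this to the client as a generic
            // bad-credentials failure, so the login form does not reveal which
            // usernames exist.
            throw new UsernameNotFoundException("No user: " + username);
        }
        Map<String, Object> row = rows.get(0);

        // Each row in "authorities" becomes one GrantedAuthority (ROLE_USER, ...).
        // GrantedAuthorityImpl is the 3.0 implementation class.
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : jdbc.queryForList(
                "select authority from authorities where username = ?",
                new Object[] { username }, String.class)) {
            authorities.add(new GrantedAuthorityImpl(role));
        }

        // The "enabled" column is boolean; a driver that returns 0/1 instead
        // of a Boolean would need a conversion here.
        boolean enabled = Boolean.TRUE.equals(row.get("enabled"));

        // Spring's User: account/credentials not expired, account not locked.
        // The password column holds whatever the configured encoder stores.
        return new User(username, (String) row.get("password"), enabled,
                true, true, true, authorities);
    }
}
```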
  • 23. Form Based Authentication
    Form-based login is the most common (really?)
    Uses the <form-login> tag
    Attributes:
      login-page specifies the name of the custom login page (generated automagically if we don't create our own)
      login-processing-url specifies the URL that processes the login action
    The default JSP uses the "j_username" and "j_password" fields
  • 24. Password Hashing and Salting
    Steps to implement hashing/salting:
      Create a <password-encoder> tag within the <authentication-provider> tag
      MD5 or SHA-1: use the hash="md5" or hash="sha" attribute
      Stronger SHA: create a bean named "saltSource" with a class of org.springframework.security.authentication.encoding.ShaPasswordEncoder (the 3.0 package; the slides quote the 2.x name org.springframework.security.providers.encoding.ShaPasswordEncoder)
      Use a <constructor-arg value="XXX"> with XXX being the higher strength
      Use the <salt-source> tag within <password-encoder> to specify the user property to use as the salt
  • 25. Hashing and Salting Example
      <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="userService">
          <security:password-encoder ref="saltSource">
            <security:salt-source user-property="email" />
          </security:password-encoder>
        </security:authentication-provider>
      </security:authentication-manager>

      <bean id="saltSource" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <constructor-arg value="384" />
      </bean>
    Note that the bean called "saltSource" is actually the password encoder; the salt itself is the email property of the loaded UserDetails
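The slides show the login-time configuration but not how the stored value is produced. The helper below is an added example, not code from the slides, and uses the same ShaPasswordEncoder strength and the same per-user salt (the email property) as the configuration above; the class name PasswordStore and the sample values are constructed.

```java
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;

// Hypothetical helper: computes the value to put in the "password" column so
// that it matches what the authentication provider above will compute at login.
public class PasswordStore {

    // Same strength as <constructor-arg value="384"/> in the bean definition.
    private final ShaPasswordEncoder encoder = new ShaPasswordEncoder(384);

    // The salt must be exactly the user property that
    // <salt-source user-property="email"/> reads from the UserDetails.
    public String hashForStorage(String rawPassword, String email) {
        return encoder.encodePassword(rawPassword, email);
    }

    // What DaoAuthenticationProvider does with the submitted password.
    public boolean matches(String storedHash, String rawPassword, String email) {
        return encoder.isPasswordValid(storedHash, rawPassword, email);
    }

    public static void main(String[] args) {
        PasswordStore store = new PasswordStore();
        // Constructed sample user; no real credentials.
        String stored = store.hashForStorage("s3cret", "alice@example.com");

        System.out.println(stored.length());                                    // 96 hex characters
        System.out.println(store.matches(stored, "s3cret", "alice@example.com")); // true
        System.out.println(store.matches(stored, "s3cret", "bob@example.com"));   // false: different salt
        System.out.println(store.matches(stored, "wrong", "alice@example.com"));  // false
    }
}
```

Two consequences worth checking in the schema: a SHA-384 hex digest is 96 characters, longer than the varchar(50) password column on slide 14, and because the email is the salt, changing a user's email address invalidates the stored hash until the password is re-hashed.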
  • 26. More on Form-Based Authentication
    One problem: you need a specific <intercept-url> tag for the login page, or the login page will be secured as well
      This creates an infinite loop in the logs
    Example:
      <security:intercept-url pattern="/login.jsp*" access="permitAll()" />
    Patterns are matched in declaration order, so this element must appear before a broader pattern such as /**
  • 27. LDAP Authentication
    Full support for LDAP authentication
    Process overview:
      Obtain the DN from the username
      Authenticate the user
      Load the GrantedAuthority collection for the user
  • 28. Configuration Elements
    LDAP test server:
      <ldap-server root="dc=springframework,dc=org"/>
    Authentication provider:
      <ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
    Security context source: a bean with class org.springframework.security.ldap.DefaultSpringSecurityContextSource
      Constructor argument for the LDAP server address
      Properties for userDn and password
  • 29. Connecting to LDAP Server
    Create a bean named "contextSource" with a class of org.springframework.security.ldap.DefaultSpringSecurityContextSource
    Pass the server as a constructor argument
    Pass userDn and password as properties
  • 30. Example LDAP SecurityContext
      <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
        <property name="userDn" value="cn=manager,dc=springframework,dc=org"/>
        <property name="password" value="password"/>
      </bean>
  • 31. Configuring Authentication Provider
    Create a bean named "ldapAuthProvider" of class org.springframework.security.ldap.authentication.LdapAuthenticationProvider
    Its first constructor argument is a bean of class org.springframework.security.ldap.authentication.BindAuthenticator
      Constructor argument: the context source
      Property "userDnPatterns": a list of userDn "wildcards"
    Continued…
  • 32. Configuring Authentication Provider (Continued)
    The second constructor argument is a bean of class org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator
      Constructor argument: the context source
      Constructor argument with the value "ou=groups"
      Property "groupRoleAttribute" with the value "ou"
  • 33. Example LDAP Authentication Provider Configuration
      <bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <constructor-arg>
          <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource"/>
            <property name="userDnPatterns">
              <list>
                <value>uid={0},ou=people</value>
              </list>
            </property>
          </bean>
        </constructor-arg>
        <constructor-arg>
          <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <constructor-arg ref="contextSource"/>
            <constructor-arg value="ou=groups"/>
            <property name="groupRoleAttribute" value="ou"/>
          </bean>
        </constructor-arg>
      </bean>
  • 34. X.509 Client Certificate Authentication
    Using an X.509 client certificate is simple:
      <security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>
  • 35. Method Level Security
    Spring Security can secure methods at the service layer
    Application context configuration:
      <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true"/>
    Methods are secured with the @PreAuthorize annotation
  • 36. More On Method Security
    @PostAuthorize
    @PreFilter and @PostFilter
      Used with Domain Object (ACL) security
      Filter a returned collection based on a given expression (hasRole(), etc.)
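A service class secured with the annotations from slides 35 and 36, added here as an example (not code from the slides). ReportService and Report are hypothetical; the annotations take effect only on a bean created by the Spring container with the global-method-security element above, and the #owner parameter reference requires the class to be compiled with debug information so the parameter name is available.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;

// Hypothetical service bean; calling it outside the container bypasses the proxy
// and therefore the checks.
public class ReportService {

    // Hypothetical domain object.
    public static class Report {
        public final String owner;
        public final String title;
        public Report(String owner, String title) { this.owner = owner; this.title = title; }
        public String getOwner() { return owner; }  // read by the filterObject expression
    }

    private final List<Report> reports = new ArrayList<Report>();

    // Runs only when the current Authentication holds ROLE_ADMIN; otherwise an
    // AccessDeniedException is thrown before the body executes.
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void deleteAll() {
        reports.clear();
    }

    // Any authenticated caller, but the owner argument must equal the caller's
    // own username, so a user cannot file reports under someone else's name.
    @PreAuthorize("isAuthenticated() and #owner == authentication.name")
    public void create(String owner, String title) {
        reports.add(new Report(owner, title));
    }

    // The method returns everything; Spring Security then removes each element
    // (bound to filterObject) for which the expression is false. A copy is
    // returned because the filter mutates the collection it is given.
    @PostFilter("hasRole('ROLE_ADMIN') or filterObject.owner == authentication.name")
    public List<Report> findAll() {
        return new ArrayList<Report>(reports);
    }
}
```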
  • 37. JSP Tag Library
    Spring Security provides a tag library for accessing the SecurityContext and using security constraints in JSPs
    What can it do? Restrict the display of certain content by GrantedAuthority
  • 38. Using The JSP Tag Library
    Declaration in the JSP:
      <%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
  • 39. Restricting JSP Display
    The <security:authorize> tag is used to restrict the display of content based on GrantedAuthority
    Example:
      <security:authorize access="hasRole('ROLE_ADMIN')">
        <h1>Admin Menu</h1>
      </security:authorize>
  • 40. Other JSP Tags
    <security:authentication> is used to access the current Authentication object in the SecurityContext:
      <security:authentication property="principal.username" />
    <security:accesscontrollist> displays content based on the permissions granted to a domain object:
      <security:accesscontrollist hasPermission="1" domainObject="whatever"> ... </security:accesscontrollist>