Baby Steps on Spring Security
Spring Security is a customizable authentication and access service framework for server side Java-based enterprise software applications. The Spring Security OAuth provides a method for making authenticated HTTP requests using a token – an identifier used to denote an access grant with specific scope, duration, and other attributes. Tokens are issued to third-party clients by an authorization server with the approval of the resource owner. Instead of sharing their credentials with the client, resource owners grant access by authenticating directly with the authorization server which in turn issues a token to the client. The client uses the token (and optional secret) to authenticate with the resource server and gain access.
In other words, Spring Security provides security services for J2EE-based enterprise software applications.
There are two main areas for application securities.
- Authentication:Process of checking the user. We are talking about user, device or some other system which can perform an action in our application.
- Authorization:Process of deciding whether an user is allowed to perform an activity within the application. A simple example can be given as, if that user is admin, he/she can see those pages and can take action on them like CRUD (Create, Read, Update, Delete) actions.
Most used Authentication Models supported by Spring Security
- 509 client certificate exchange
- LDAP Authentication
- OpenID authentication
- Java Open Source Single Sign On
There are a lot more Authentication Models that is supported by Spring Security, but these are the most used ones.
Spring Security Modules
Spring security code has been divided in different JARs(Can be considers as modules)
- Core (spring-security-core.jar) :Required Module. Contains core authentication and access-contol classes and interfaces, remoting support and basic provisioning APIs.
- Web (spring-security-web.jar):Required* if web authentication services and URL-based access-control is required.Contains filters and related web-security infrastructure code.
- Remoting: Provides intergration with Spring Remoting.
- Config :Contains the security namespace parsing code. You need it if you are using the Spring Security XML namespace for configuration.
- LDAP :LDAP authentication and provisioning code. Required if you need to use LDAP authentication or manage LDAP user entries.
- ACL :Used to apply security to specific domain object instances within your application.
- CAS :If you want to use Spring Security web authentication with a CAS single sign-on server.
- OPENID :Used to authenticate users against an external OpenID server.
Note: Details extracted from Official doc for Spring
Following are the some of the important facilities that Spring Security Framework provides to it’s users:
- User authentication and authorization.
- Role based authorization control.
- Easy to configure with database based authentication and authorization.
- Encrypted password.
- Form authentication.
- File bases user authentication and authorization.
Spring Security Configuration
To start using Spring Security for your web application, you have to add below filter declaration in your web.xml.
DelegatingFilterProxy is a Spring Framework class which delegates to a filter implementation which is defined as a Spring bean in your application context. In this case, the bean is named “springSecurityFilterChain“, which is an internal infrastructure bean created by the namespace to handle web security. Note that you should not use this bean name yourself. Once you’ve added this to your web.xml, you’re ready to start editing your application context file.
Since we enabled Spring Security for our application, now we can configure the Security XML for different security related options like “Login Page, Admin Page” etc.
In order to use security namespace in application context, “spring-security-config” jar needs to be in classpath. Schema declaration that needs to be there in “application-context” XML.
Then all you need to do is add the schema declaration to your application context file:
With this configuration we can use “security” as the default namespace rather than “beans”.
<user authorities="ROLE_USER, ROLE_ADMIN" name="orcun" password="1234">
<user authorities="ROLE_USER" name="Jamie" password="12345">
In the above example, we defined 2 users as “orcun” and “Jamie”. We hardcoded them in XML file and user will be authenticated and authorized on given basis. “ROLE_USER” and “ROLE_ADMIN” are the roles that we can assign to users to give authority to them as a regular user or Admin user.
There is one another way (Probably the mostly needed one) that we read the necessary user nad authority informations from the database table.
Here is the example:
<jdbc-user-service data-source-ref="dataSource" />
Here user will be authenticated and authorized on the basis of table(USERS & AUTHORIZATION) in Database. datasource will be used to access the given tables in DB.
Fort his example, we are going to need two tables in our database as USERS and AUTHORITIES. Since we are going to use DB to read our necessary informations, we might have to configure login, logout page and role based URL Access.
We can configure all the basic login, logout, role based with this attribute.
Login page configure
<form-login login-page='/login.jsp' default-target-url='/home.jsp' always-use-default-target='true' />
Here we have configured login page as “login.jsp” and user will be redirected to “home.jsp” after login(By default-target-url)
Role based URL access configure
<intercept-url pattern="/**" access="ROLE_USER" />
Now all the URl can be accessed by only those who have the authority of “ROLE_USER” in the database.
Logout page & logout link configuration
<logout logout-url="/logout" logout-success-url="/logoutPage.jsp" />