Security
Spring Security
Spring Security is, at its core, a chain of servlet filters that adds authentication and authorization to Java applications. It is a powerful and highly customizable access-control framework that provides authentication, authorization and protection against common attacks for Java EE (Enterprise Edition) applications, and its real strength is that almost every part of it can be extended or replaced to meet custom needs. Its main responsibility is to authenticate and authorize incoming requests for any resource: REST API endpoints, MVC (Model-View-Controller) URLs, static resources, and so on.
Features of Spring Security
Some essential features of Spring Security include:
- Comprehensive and extensible support for both authentication and authorization.
- Protection against common attacks such as session fixation, clickjacking and cross-site request forgery (CSRF).
- Integration with the Servlet API.
- Optional integration with Spring Web MVC (Model-View-Controller).
- Optional integration with the Java Authentication and Authorization Service (JAAS) for authentication.
- Single Sign-On support (for example via OpenID Connect), so that users can access multiple applications with one set of credentials.
Authentication and Authorization
Authentication:
Authentication is the process of verifying the identity of a user from the credentials presented when accessing a restricted resource. It involves two steps, identification (who the user claims to be) and verification (proof of that claim); logging into a website with a username and password is the common example. It answers the question: Who are you?
Authorization:
Authorization determines whether an authenticated user is allowed to perform an action or view data. It ensures that users reach only the parts of a resource they are permitted to use, and answers the question: Is this user allowed to do or read this?
Authentication Types
Basic authentication
RESTful web services can be authenticated in many ways; the simplest is HTTP Basic authentication. The client sends the username and password in the HTTP Authorization header on every request to the protected resource. The credentials are base64-encoded, which is an encoding and not encryption: anyone who can read the request can decode the header and recover the password, so Basic authentication is only acceptable over TLS (HTTPS), and even then the password is exposed to every intermediary that terminates TLS.
Syntax:
Value = username:password
Encoded Value = base64(Value)
Authorization Value = Basic <Encoded Value>
//Example: Authorization: Basic VGVzdFVzZXI6dGVzdDEyMw==
//Decoding the token gives back the original username:password pair, TestUser:test123
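The following is an added example, not code from the original page or from Spring Security itself. It shows in plain Python how the header above is built by a client, how a server should parse it (splitting on the first colon only, since passwords may contain colons), and how to check the credentials without leaking, through timing, whether a username exists. The user store and its single password are constructed for the example.

```python
"""HTTP Basic authentication: header construction, server-side parsing and
credential checking.  Illustrative Python, not Spring Security code."""
import base64
import binascii
import hmac
from hashlib import sha256
from typing import Optional, Tuple

# Constructed user store for this example: username -> SHA-256(password).
# Real systems should store a salted, slow hash (bcrypt, scrypt, Argon2).
USERS = {"TestUser": sha256(b"test123").hexdigest()}
_DUMMY = sha256(b"").hexdigest()  # compared against when the user is unknown


def build_basic_header(username: str, password: str) -> str:
    """Client side: Authorization: Basic base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password) from the header, or None if
    it is not a well-formed Basic credential.  The decoded string is split on
    the first ':' only, because passwords are allowed to contain colons."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None  # not valid base64, bad padding, or not UTF-8
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


def authenticate_basic(header: str) -> bool:
    """Server side: check the presented credentials against the user store."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    # Always hash and compare, using a dummy digest for unknown users and a
    # constant-time comparison, so response time does not reveal valid usernames.
    expected = USERS.get(username, _DUMMY)
    presented = sha256(password.encode("utf-8")).hexdigest()
    matched = hmac.compare_digest(expected, presented)
    return matched and username in USERS


if __name__ == "__main__":
    header = build_basic_header("TestUser", "test123")
    print(header)                      # the header shown in the text above
    print(parse_basic_header(header))  # ('TestUser', 'test123')
    print(authenticate_basic(header), authenticate_basic("Basic dGVzdA=="))
```

Running the block prints the same header as the example above and shows that decoding is a one-liner; the only protection for the password is the transport.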
Digest authentication
RESTful web services can also use HTTP Digest authentication, which is a step up from Basic. Instead of sending the password, the client sends a hash (historically MD5) computed over the username, realm, password, HTTP method, request URI and a server-supplied nonce; the server recomputes the same hash and compares. This is hashing, not encryption, and its protection is limited: the password is never transmitted, but an attacker who captures one exchange can test password guesses offline against the response, the request body is not protected, and MD5 is weak. Digest is better than Basic over plain HTTP, but it does not replace TLS.
Syntax (for qop=auth; nonceCount is the nc field of the header):
Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
response=MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)
//Example header as sent by a client:
Authorization: Digest username="TestAdmin", realm="admin-digest-realm", nonce="MTYwMDEwMTUyMDM4OToxM2M1Y2I4MGFjMjk4OGI1ODQzZjc3NDUzOGFlMjZjYw==", uri="/admin/hello?name=User", response="2f080edbec53be2bdf3853d477e4a543", qop=auth, nc=00000002, cnonce="11ecd9bf947dbcf4"
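The following is an added example, not code from the original page or from Spring Security itself. It implements the qop=auth computation above in plain Python for both sides of the exchange: the client builds a header of the form shown, the server recomputes the response from a stored Hash1 (a server never needs the plaintext password) and rejects unissued nonces, method or URI mismatches and unknown users, and an attacker function shows the offline dictionary attack that a captured header permits. The realm is the one from the header above; the password, nonce and credential store are constructed for the example, and the page's header is used only to exercise the parser.

```python
"""HTTP Digest authentication (RFC 2617, qop=auth, MD5): client response,
server verification from stored HA1, and the offline guessing attack.
Illustrative Python, not Spring Security code."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Iterable, Optional, Set

# Header quoted from the page above; used here only to test the parser.
PAGE_HEADER = ('Digest username="TestAdmin", realm="admin-digest-realm", '
               'nonce="MTYwMDEwMTUyMDM4OToxM2M1Y2I4MGFjMjk4OGI1ODQzZjc3NDUzOGFlMjZjYw==", '
               'uri="/admin/hello?name=User", response="2f080edbec53be2bdf3853d477e4a543", '
               'qop=auth, nc=00000002, cnonce="11ecd9bf947dbcf4"')

REALM = "admin-digest-realm"


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """Hash1 = MD5(username:realm:password); a server may store this instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """response = MD5(Hash1:nonce:nc:cnonce:qop:Hash2) with Hash2 = MD5(method:digestURI)."""
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")


def new_nonce() -> str:
    """Server side: an unpredictable nonce, remembered until it is consumed."""
    return secrets.token_hex(16)


def build_digest_header(username: str, realm: str, password: str, method: str,
                        uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """Client side: produce an Authorization header in the form shown above."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", qop=auth, nc={nc}, cnonce="{cnonce}"')


# key=value pairs; values are either quoted strings or bare tokens (qop, nc)
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header: str) -> Dict[str, str]:
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return {}
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(params)}


# Constructed credential store: only Hash1 is kept, never the password itself.
STORED_HA1 = {"TestAdmin": ha1("TestAdmin", REALM, "s3cret-pw")}


def verify_digest(header: str, method: str, request_uri: str, issued_nonces: Set[str]) -> bool:
    """Server side: recompute the response from stored Hash1 and compare.
    Rejects missing fields, wrong realm, nonces this server did not issue
    (replay), a URI that does not match the actual request, and unknown users."""
    p = parse_digest_header(header)
    required = {"username", "realm", "nonce", "uri", "response", "nc", "cnonce"}
    if not required.issubset(p) or p.get("qop", "auth") != "auth":
        return False
    if p["realm"] != REALM or p["nonce"] not in issued_nonces or p["uri"] != request_uri:
        return False
    h1 = STORED_HA1.get(p["username"])
    if h1 is None:
        return False
    expected = digest_response(h1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected.encode(), p["response"].encode())


def offline_guess(header: str, method: str, wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side: with one captured header, every field needed to recompute
    the response is known except the password, so guesses can be tested offline."""
    p = parse_digest_header(header)
    for guess in wordlist:
        candidate = digest_response(ha1(p["username"], p["realm"], guess), method,
                                    p["uri"], p["nonce"], p["nc"], p["cnonce"])
        if candidate == p["response"]:
            return guess
    return None
```

A production server would additionally track the nc counter per nonce so that a captured header cannot be replayed while the nonce is still valid; here the nonce is treated as single-use by removing it from the issued set after a successful check.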
Spring Security Modules
Spring Security is split into separate jar files by functionality, so that an application pulls in only what it needs. For a typical web application the minimal set is core, web and config; the others are added as required.
- Core (spring-security-core.jar): core authentication and access-control classes and interfaces, plus basic provisioning APIs. Required by any application that uses Spring Security, including non-web applications.
- Web (spring-security-web.jar): filters and web-based authentication, such as URL access control in a Servlet environment. Needed to secure a Spring MVC or any other Servlet-based web application.
- Config (spring-security-config.jar): the security XML namespace parsing code and the Java configuration support. Needed if you configure Spring Security with either the XML namespace or Java configuration.
- LDAP (spring-security-ldap.jar): LDAP authentication and provisioning support. Needed if the application authenticates users against an LDAP directory.
- OAuth 2.0 Core (spring-security-oauth2-core.jar): core classes and interfaces supporting the OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0.
- OAuth 2.0 Client (spring-security-oauth2-client.jar): Spring Security's client support for the OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0.
Supported features
Spring Security is a Java SE/Java EE security framework that provides authentication, authorization, single sign-on and other security services for web and enterprise applications. Among other things it supports:
- Authentication and authorization.
- Basic, Digest and form-based authentication.
- LDAP authentication.
- OpenID Connect authentication (through the OAuth 2.0 client support).
- Single Sign-On (SSO).
- Cross-Site Request Forgery (CSRF) protection.
- Remember-Me authentication through HTTP cookies.
- Access control lists (ACLs) for domain-object security.
- Channel security, i.e. requiring HTTPS for given URLs and redirecting requests that arrive over plain HTTP.
- JAAS (Java Authentication and Authorization Service) integration.
- Flow authorization using the Spring Web Flow framework.
- WS-Security using Spring Web Services.