Spring Security 3.0
Jason Ferguson
Who I Am
▪ “Vell, Jason’s just zis guy, you know?”
▪ In the Air Force for 16.5 years
▪ Two trips to Afghanistan
  ▪ Can say “get to work” and “get in line” in Pashto and Dari
▪ Java Programmer for 6 years
▪ A military programming shop is NOTHING LIKE a commercial shop
  ▪ 12 weeks of training
  ▪ Morning PT
Obligatory Funny Picture
What I’m Assuming
▪ You’re familiar with Java
▪ You’re at least somewhat familiar with Spring
▪ You can read a Javadoc to get information I am not covering
▪ You can create a database schema in the database of your choice and configure JDBC/Hibernate/whatever
What I’ll Cover
▪ What Spring Security Is And What It Does
▪ Core Concepts
▪ Configuration
▪ Developing With Spring Security
▪ Method-Level Security
▪ JSP Tag Libraries
What I Won’t Cover
▪ Core Security Filters
▪ Majority of the Security Namespace
▪ Session Management
What Is Spring Security?
▪ Provides Enterprise-Level Authentication and Authorization Services
▪ Authentication is based on implementation of the GrantedAuthority interface
  ▪ Usually “ROLE_USER”, “ROLE_ADMIN”, etc
▪ Authorization is based on an Access Control List
  ▪ Don’t have time to cover tonight
Supported Authentication Types
▪ Simple answer: “just about any”
  ▪ Unless you’re “weird”
▪ Types:
  ▪ Simple Form-Based
  ▪ HTTP Basic and Digest
  ▪ LDAP
  ▪ X.509 Client Certificate
  ▪ OpenID
  ▪ Etc, etc.
History
▪ Originally was the ACEGI project
  ▪ Configuration was “death by XML”
  ▪ Project lead liked it that way
▪ ACEGI was rebranded as “Spring Security” around the Spring 2.0 release
▪ With the Security Namespace and as additional modules became available, death by XML gave way to Configuration By Convention
What Are Authentication and Authorization?
▪ Authentication is the equivalent of logging in with a username and password
  ▪ Based on that username/password, an access control mechanism allows or disallows the user to perform certain tasks
▪ Authorization is the equivalent of an Access Control List (ACL)
  ▪ An AccessDecisionManager decides to allow/disallow access to a secure object based on the Authentication
The Authentication and SecurityContext
▪ Authentication represents the principal (person logging into the application)
▪ GrantedAuthority – what permissions the principal has
▪ SecurityContext holds the Authentication
▪ SecurityContextHolder provides access to the SecurityContext
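Added example (not from the slides): how application code reads the current Authentication through SecurityContextHolder and checks for a GrantedAuthority. It assumes spring-security-core 3.0 on the classpath; the class CurrentUser and its methods are hypothetical names, everything under org.springframework.security is the real API.

```java
import java.util.Collection;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical helper (not Spring's): reads the Authentication that the
// security filter chain stored for the current request.
public final class CurrentUser {

    private CurrentUser() {
    }

    /** Name of the current principal, or null when nothing is stored. */
    public static String username() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? null : auth.getName();
    }

    /**
     * True only when the current Authentication carries the named authority,
     * e.g. "ROLE_ADMIN".
     */
    public static boolean hasAuthority(String authority) {
        // getContext() never returns null, but getAuthentication() does on a
        // thread the filter chain never ran on (a scheduled job, a JMS
        // listener): the default holder strategy is a ThreadLocal filled in
        // per request.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        // An anonymous visitor is an AnonymousAuthenticationToken that reports
        // isAuthenticated() == true but holds only ROLE_ANONYMOUS, so the
        // authority comparison is what actually keeps anonymous callers out.
        Collection<? extends GrantedAuthority> granted = auth.getAuthorities();
        for (GrantedAuthority ga : granted) {
            if (authority.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

This is the manual form of the check; the same test written as an expression (hasRole, isAuthenticated) is what the intercept-url, @PreAuthorize and JSP tag examples later in the deck use, so a helper like this is normally only needed in code that runs outside those hooks.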
UserDetails and UserDetailsService
▪ UserDetails provides information to build an Authentication
▪ UserDetailsService creates a UserDetails object from a passed String
Obtaining With Maven
Add the following dependencies to pom.xml:
▪ spring-security-core
▪ spring-security-web
▪ spring-security-config
Optional dependencies:
▪ spring-security-taglibs
▪ spring-security-ldap
▪ spring-security-acl
▪ spring-security-cas-client
▪ spring-security-openid
Recommended Database Schema
The “simple” schema:

create table users(
    username varchar_ignorecase(50) not null primary key,
    password varchar_ignorecase(50) not null,
    enabled boolean not null
);

create table authorities (
    username varchar_ignorecase(50) not null,
    authority varchar_ignorecase(50) not null,
    constraint fk_authorities_users foreign key(username) references users(username)
);

create unique index ix_auth_username on authorities (username,authority);
Configuring web.xml
Add to web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
The Security Namespace
Specifying the Security Namespace:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
Enabling Web Security
Web Security is enabled via the <http> tag:

<security:http auto-config="true" use-expressions="true">
    <!-- blah blah, we’ll get to this later -->
</security:http>
Configuring an Authentication Manager
Simplest way: create a class that implements the UserDetailsService interface, then use it as the authentication provider:
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="userService" />
</security:authentication-manager>
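Added example (not from the slides): a UserDetailsService backed by the “simple” users/authorities schema shown earlier, registered as the “userService” bean that the authentication-provider above references. It assumes spring-security-core 3.0 and spring-jdbc on the classpath plus a DataSource bean; the class name SimpleSchemaUserDetailsService is hypothetical, and GrantedAuthorityImpl is the 3.0 implementation class (3.1 replaced it with SimpleGrantedAuthority).

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;

import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical class name; register it as the "userService" bean so that
// <security:authentication-provider user-service-ref="userService"/> finds it.
public class SimpleSchemaUserDetailsService implements UserDetailsService {

    // Both statements are parameterised: the username is whatever the login
    // form submitted, so it is never concatenated into SQL.
    private static final String USER_SQL =
        "select username, password, enabled from users where username = ?";
    private static final String AUTHORITIES_SQL =
        "select authority from authorities where username = ?";

    /** One row of the users table. */
    private static final class UserRow {
        final String username;
        final String passwordHash;
        final boolean enabled;

        UserRow(String username, String passwordHash, boolean enabled) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.enabled = enabled;
        }
    }

    private final JdbcTemplate jdbc;

    public SimpleSchemaUserDetailsService(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    /** Called by DaoAuthenticationProvider with the submitted j_username. */
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException {
        List<UserRow> rows = jdbc.query(USER_SQL, new RowMapper<UserRow>() {
            public UserRow mapRow(ResultSet rs, int rowNum) throws SQLException {
                return new UserRow(rs.getString("username"),
                        rs.getString("password"), rs.getBoolean("enabled"));
            }
        }, username);
        if (rows.isEmpty()) {
            // The provider reports this as BadCredentialsException by default
            // (hideUserNotFoundExceptions), so the login form cannot be used
            // to tell valid usernames from invalid ones.
            throw new UsernameNotFoundException("No user named " + username);
        }
        UserRow row = rows.get(0);

        List<GrantedAuthority> authorities = jdbc.query(AUTHORITIES_SQL,
                new RowMapper<GrantedAuthority>() {
                    public GrantedAuthority mapRow(ResultSet rs, int rowNum)
                            throws SQLException {
                        return new GrantedAuthorityImpl(rs.getString("authority"));
                    }
                }, username);
        if (authorities.isEmpty()) {
            // Same rule as Spring's own JdbcDaoImpl: no authorities, no login.
            throw new UsernameNotFoundException(
                    "User " + username + " has no granted authorities");
        }

        // The stored value is the password hash. This class never compares
        // passwords: DaoAuthenticationProvider does that with the configured
        // <password-encoder>, and rejects the user with DisabledException when
        // enabled is false before the hash is even checked.
        return new User(row.username, row.passwordHash, row.enabled,
                true,   // accountNonExpired: the simple schema has no column for it
                true,   // credentialsNonExpired
                true,   // accountNonLocked
                authorities);
    }
}
```

Wire it with a bean definition such as `<bean id="userService" class="SimpleSchemaUserDetailsService"><constructor-arg ref="dataSource"/></bean>` (the dataSource bean is assumed). Spring ships an equivalent, JdbcDaoImpl, for exactly this schema; writing your own is mainly useful when the tables differ.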
Expression Based Access Control
Common Expressions:
▪ hasRole(rolename)
▪ hasAnyRole(rolename, rolename, …)
▪ isAuthenticated()
▪ isFullyAuthenticated()
▪ permitAll()
Securing By URL
Securing By URL uses the <intercept-url> tag:

<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>

Pattern is the URL to secure; access is the expression used to secure the URL
Form Based Authentication
▪ Form-based login is most common (really?)
▪ Uses the <form-login> tag
▪ Attributes:
  ▪ login-page specifies the name of the custom login page
    ▪ Generated automagically if we don’t create our own
  ▪ login-processing-url specifies the URL to process the login action
▪ JSP default uses “j_username” and “j_password” fields
Password Hashing and Salting
Steps to implement hashing/salting:
▪ Create a <password-encoder> tag within the <authentication-provider> tag
  ▪ MD5 or SHA-1: use the hash="md5" or hash="sha" attribute
  ▪ Stronger SHA:
    ▪ Create a bean named “saltSource” with a class of org.springframework.security.authentication.encoding.ShaPasswordEncoder (the 3.0 package; the 2.x location was org.springframework.security.providers.encoding)
    ▪ Use a <constructor-arg value="XXX"> with XXX being the higher strength
▪ Use the <salt-source> tag within <password-encoder> to specify the user property to use as the salt for hashing
Hashing and Salting Example

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userService">
        <security:password-encoder ref="saltSource">
            <security:salt-source user-property="email" />
        </security:password-encoder>
    </security:authentication-provider>
</security:authentication-manager>

<bean id="saltSource" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
    <constructor-arg value="384" />
</bean>
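Added example (not from the slides): what the password-encoder and salt-source configuration above does at the Java level, so that the hash written when an account is created is the one the provider recomputes at login. It assumes spring-security-core 3.0 (ShaPasswordEncoder in org.springframework.security.authentication.encoding); the class name PasswordHashing and the sample e-mail addresses and password are constructed.

```java
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;

// Hypothetical helper (not Spring's) that mirrors the saltSource bean above.
public final class PasswordHashing {

    // Same strength as the bean's <constructor-arg value="384"/>: SHA-384.
    private static final ShaPasswordEncoder ENCODER = new ShaPasswordEncoder(384);

    private PasswordHashing() {
    }

    /** Hash a new password exactly the way the authentication provider will check it. */
    public static String hashForStorage(String rawPassword, String salt) {
        // With <salt-source user-property="email"/> the provider passes the
        // user's email as the salt, so account-creation code must use the
        // same value. The encoder merges them as password + "{" + salt + "}"
        // and refuses a salt containing '{' or '}' (IllegalArgumentException).
        return ENCODER.encodePassword(rawPassword, salt);
    }

    /** What DaoAuthenticationProvider does with the stored hash at login. */
    public static boolean matches(String storedHash, String rawPassword, String salt) {
        return ENCODER.isPasswordValid(storedHash, rawPassword, salt);
    }

    public static void main(String[] args) {
        String salt = "alice@example.com";            // constructed sample value
        String stored = hashForStorage("correct horse", salt);

        System.out.println(matches(stored, "correct horse", salt));          // true
        System.out.println(matches(stored, "wrong password", salt));         // false
        // Same password, different salt: the hash no longer validates. This is
        // also what happens if the user's email changes and the password is
        // not re-hashed, so a salt should be a value that never changes.
        System.out.println(matches(stored, "correct horse", "bob@example.com")); // false
    }
}
```

The unsalted hash="md5" / hash="sha" variants from the previous slide produce hashes that are identical for identical passwords across users, which is why the salted form is the one worth configuring; from Spring Security 3.1 on, BCryptPasswordEncoder in spring-security-crypto is the recommended replacement for this SHA-plus-salt scheme.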
More on Form-Based Authentication
▪ One problem: you need a specific <intercept-url> tag for the login page, or the login page will be secured as well
  ▪ Otherwise the login page redirects to itself in an infinite loop, visible in the logs
▪ Example:

<security:intercept-url pattern="/login.jsp*" access="permitAll()" />
LDAP Authentication
▪ Full support for LDAP authentication
▪ Process overview:
  ▪ Obtain DN from username
  ▪ Authenticate User
  ▪ Load GrantedAuthority collection for user
Connecting to LDAP Server
▪ Create a bean named “contextSource” with a class of org.springframework.security.ldap.DefaultSpringSecurityContextSource
▪ Pass the server as a constructor argument
▪ Pass userDn and password as properties
Example LDAP SecurityContext
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
    <property name="userDn" value="cn=manager,dc=springframework,dc=org"/>
    <property name="password" value="password"/>
</bean>
Configuring Authentication Provider
▪ Create a bean named “ldapAuthProvider” of class org.springframework.security.ldap.authentication.LdapAuthenticationProvider
▪ Create a constructor argument of a bean w/ class org.springframework.security.ldap.authentication.BindAuthenticator
  ▪ Constructor argument of the context source
  ▪ Property “userDnPatterns”: list of userDn “wildcards”
Continued…
Configuring Authentication Provider (Continued)
▪ Create another constructor argument bean of class org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator
  ▪ Constructor arg of the context source
  ▪ Constructor arg w/ the value “ou=groups”
  ▪ Property “groupRoleAttribute” w/ value “ou”
Example LDAP Authentication Provider Configuration

<bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <constructor-arg ref="contextSource"/>
            <property name="userDnPatterns">
                <list>
                    <value>uid={0},ou=people</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
            <constructor-arg ref="contextSource"/>
            <constructor-arg value="ou=groups"/>
            <property name="groupRoleAttribute" value="ou"/>
        </bean>
    </constructor-arg>
</bean>
X.509 Client Certificate Authentication
Using an X.509 client certificate is simple:

<security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>
Method Level Security
▪ Spring Security can secure methods at the service layer
▪ Application Context configuration:

<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true"/>

▪ Methods are secured with the @PreAuthorize annotation
More On Method Security
▪ @PostAuthorize
▪ @PreFilter and @PostFilter
  ▪ Used with Domain Object (ACL) security
  ▪ Filters a returned collection based on a given expression (hasRole(), etc)
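Added example (not from the slides): a service class secured with the annotations that the global-method-security element on the previous slide enables, showing @PreAuthorize, @PostAuthorize and @PostFilter together. It assumes spring-security-core 3.0 and that DocumentService is a Spring bean; DocumentService, Document and the in-memory store are hypothetical and constructed for the example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;

// Hypothetical service. With <security:global-method-security
// pre-post-annotations="enabled" proxy-target-class="true"/> Spring wraps
// the bean in a CGLIB proxy that evaluates these expressions around each call.
public class DocumentService {

    /** Hypothetical domain object; owner is the username that created it. */
    public static class Document {
        private final long id;
        private final String owner;

        public Document(long id, String owner) {
            this.id = id;
            this.owner = owner;
        }

        public long getId() { return id; }
        public String getOwner() { return owner; }   // read by the expressions below
    }

    // Constructed in-memory store standing in for a repository.
    private final Map<Long, Document> store = new LinkedHashMap<Long, Document>();

    public DocumentService() {
        store.put(1L, new Document(1L, "alice"));
        store.put(2L, new Document(2L, "bob"));
    }

    // Evaluated before the body runs: a caller without ROLE_ADMIN gets an
    // AccessDeniedException and nothing is deleted.
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void delete(long id) {
        store.remove(id);
    }

    // Evaluated after the body runs, against the value it returned
    // (returnObject): a user may load only documents they own. The null guard
    // matters because SpEL throws when dereferencing a null returnObject.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name")
    public Document load(long id) {
        return store.get(id);
    }

    // The list is built first, then every element for which the expression is
    // false is removed in place, so the returned collection must be mutable
    // (a fresh ArrayList here, never Collections.unmodifiableList).
    @PostFilter("filterObject.owner == authentication.name or hasRole('ROLE_ADMIN')")
    public List<Document> listAll() {
        return new ArrayList<Document>(store.values());
    }

    // Caveat: calling load() or delete() from another method of this same
    // class goes through "this", not through the proxy, so no check runs.
    // Keep secured methods on the boundary that other beans call.
}
```

For a non-admin authenticated as “alice”, listAll() returns only document 1, load(2) throws AccessDeniedException after the lookup, and delete(1) is refused before the body runs; the expressions use authentication.name, which resolves to Authentication.getName() on the current SecurityContext.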
JSP Tag Library
▪ Spring Security provides a Tag Library for accessing the SecurityContext and using security constraints in JSPs
▪ What can it do?
  ▪ Restrict display of certain content by GrantedAuthority
Using The JSP Tag Library
Declaration in JSP:
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
Restricting JSP Display
The <security:authorize> tag is used to restrict the display of content based on GrantedAuthority
Example:

<security:authorize access="hasRole('ROLE_ADMIN')">
    <h1>Admin Menu</h1>
</security:authorize>
Other JSP Tags
▪ <security:authentication> is used to access the current Authentication object in the Security Context:

<security:authentication property="principal.username" />

▪ <security:accesscontrollist> displays content based on permissions granted to a Domain Object:

<security:accesscontrollist hasPermission="1" domainObject="whatever">
    content shown only when the principal holds that permission on the object
</security:accesscontrollist>
That’s All Folks!