Spring Security

1. Overview

Spring Security is a separate module of the Spring framework that focuses on providing authentication and authorization methods in Java applications. It also takes care of most of the common security vulnerabilities such as CSRF attacks.

To use Spring Security in web applications, you can get started with a simple annotation: @EnableWebSecurity.

Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.

Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements

Two main functionalities namely, Authentication and Authorization are provided by Spring Security for the security of applications. 

 

2.1 Features

• Comprehensive and extensible support for both Authentication and Authorization
• Protection against attacks like session fixation, clickjacking, cross site request forgery, etc
• Servlet API integration
• Optional integration with Spring Web MVC
• Much more…

2.2 Components

Features	Description
Authentication	Check the validity of the request
Password hashing	Replacing plaintext password to a hash value using a hash function
Authorization	Verify being allowed to use a resource using an access control process

2.3 Advantages

• Comprehensive support for authentication and authorization
• Protection against common tasks
• Servlet API integration
• Integration with Spring MVC
• Portability
• CSRF protection
• Java configuration support

3. Authentication

The main strategy interface for authentication is AuthenticationManager which only has one method:

public interface AuthenticationManager {

  Authentication authenticate(Authentication authentication)
    throws AuthenticationException;

}

An AuthenticationManager can do one of 3 things in its authenticate() method:

• return an Authentication (normally with authenticated=true) if it can verify that the input represents a valid principal.
• throw an AuthenticationException if it believes that the input represents an invalid principal.
• return null if it can’t decide.

4. Authorization (Access Control)

Once authentication is successful, we can move on to authorization, and the core strategy here is AccessDecisionManager. There are three implementations provided by the framework and all three delegate to a chain of AccessDecisionVoter, a bit like the ProviderManager delegates to AuthenticationProviders.

@Configuration
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

   ... // web stuff here

  @Autowired
  public void initialize(AuthenticationManagerBuilder builder, DataSource dataSource) {
    builder.jdbcAuthentication().dataSource(dataSource).withUser("dave")
      .password("secret").roles("USER");
  }

}

5. Web Security

Spring Security is installed as a single Filter in the chain, and its concrete type is FilterChainProxy.

There can be multiple filter chains all managed by Spring Security in the same top-level FilterChainProxy and all unknown to the container. The Spring Security filter contains a list of filter chains and dispatches a request to the first chain that matches it. The picture below shows the dispatch happening based on matching the request path (/foo/** matches before /**). This is very common but not the only way to match a request. The most important feature of this dispatch process is that only one chain ever handles a request

5.1 Custom Filter

@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
public class ApplicationConfigurerAdapter extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/foo/**")
     ...;
  }
}

6. Description

6.1 Features

Features	Description
LDAP	Lightweight Directory Access Protocol. Open application protocol for maintaining and accessing distributed directory information services over an Internet Protocol
SSO	Allows a user to access multiple applications with the help of a single account(user name and password)
JAAS	Java Authentication and Authorization Service LoginModule. Pluggable Authentication Module implemented in Java. Supporting it for its authentication process.
Basic Access Authentication	is used to provide user name and password while making a request over the network
Digest Access Authentication	Allowing to make the authentication process more secure than Basic Access Authentication. Asking the browser to confirm the identity of the user before sending sensitive data over the network
Remember-me	Supporting this feature with the help of HTTP Cookies. It remembers to the user and avoids login again from the same machine until the user logout.
Web Form Authentication	Web form collects and authenticates user credentials from the web browser
Authorization	Authorize the user before accessing resources. also allowing developers to define access policies against the resources.
Software Localization	Allowing developers to make application user interface in any language
HTTP Authorization	Provide this feature for HTTP authorization of web request URLs using Apache Ant paths or regular expressions.
OAuth 2.0 Login	Added in Spring Security 5.0. Provides the facility to the user to login into the application by using their existing account at GitHub or Google. Being implemented by using the Authorization Code Grant that is specified in the OAuth 2.0 Authorization
Reactive Support	Added in Spring Security 5.0. Providing reactive programming and reactive web runtime support and even able to integrate with Spring WebFlux
Modernized Password Encoding	Added in Spring Security 5.0. DelegatingPasswordEncoder which is more modernize and solve all the problems of previous encoder NoOpPasswrdEncoder

6.2 Modules

Class	Name	Description
Core	spring-security-core.jar	core jar file and required for every application that wants to use Spring Security. Including core access-control and core authentication classes and interfaces. Being able to use it in standalone applications or remote clients applications
Remoting	spring-security-remoting.jar	being used to integrate security feature into Spring remote application. No need it until or unless creating a remote application.
Web	spring-security-web.jar	Useful for Spring Security web authentication and URL-based access control. Including filters and web-security infrastructure.
Config	spring-security-config.jar	Being required for Spring Security configuration using XML and Java both. Including Java configuration code and security namespace parsing code.
LDAP	spring-security-ldap.jar	Being required for only if wanting to use LDAP. Including authentication and provisioning code
OAuth 2.0 Core	spring-security-oauth2-core.jar	Being required to integrate Oauth 2.0 Authorization Framework and OpenID Connect Core 1.0 into the application.
OAuth 2.0 Client	spring-security-oauth2-client.jar	Being required to get client support for OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0
OAuth 2.0 JOSE	spring-security-oauth2-jose.jar	Providing Spring Security's support for the JOSE (Javascript Object Signing and Encryption) framework. The JOSE framework provides methods to establish a secure connection between clients. It contains the following the collection of specifications: JWT (JSON Web Token) JWS (JSON Web Signature) JWE (JSON Web Encryption) JWK (JSON Web Key)
ACL	spring-security-acl.jar	being used to apply security to domain object in the application
CAS	spring-security-cas.jar	being required for Spring Security's CAS client integration. We can use it to integrate Spring Security web authentication with CAS single sign-on server
OpenID	spring-security-openid.jar	Being used for OpenID web authentication support. We can use it to authenticate users against an external OpenID server.
Test	spring-security-test.jar	Providing support for testing Spring Security application.

7. References

https://spring.io/guides/topicals/spring-security-architecture

https://www.youtube.com/watch?v=sm-8qfMWEV8

https://terasolunaorg.github.io/guideline/1.0.x/en/Security/SpringSecurity.html

https://www.javatpoint.com/spring-security-tutorial