Spring Security services for web applications
- 1. Spring Security Spring Security provides a set of servlet filters to perform various kinds of security services for web applications. In Spring Security 1.x, you had to configure these filters as Spring beans manually, so the configurations were very verbose and difficult to understand. Spring Security 2.0 significantly simplifies its configurations with an approach similar to that of the Spring framework 2.x: using XML schema-based and annotation-based configurations. This lecture will focus on Spring Security 2.0 only. Note that Spring Security 2.0 requires the Spring framework 2.0.8 for the 2.0 release, and 2.5.2 for the 2.5 release. When talking about security, there are several terms and concepts that you must understand. Authentication Authorization Access control
- 2. Authentication Authentication is the process of verifying a principal’s identity against what it claims to be. A principal can be a user, a device, or a system, but most typically it means a user. A principal has to provide evidence of its identity in order to be authenticated. This evidence is called a credential, which is usually a password when the target principal is a user.
- 3. Authorization Authorization is the process of granting authorities to an authenticated user so that this user is allowed to access particular resources of the target application. The authorization process must be performed after the authentication process. Typically, authorities are granted in terms of roles.
- 4. Access Control Access control means controlling access to an application’s resources. It entails making a decision on whether a user is allowed to access a resource. This decision is called an access control decision, and it’s made by comparing the resource’s access attributes with the user’s granted authorities or other characteristics.
- 5. 1. Securing URL Access Problem Many web applications have some particular URLs that are critically important and private. You must secure these URLs by preventing unauthorized access to them.
- 6. Solution Spring Security enables you to secure a web application’s URL access in a declarative way through simple configuration. It handles security by applying servlet filters to HTTP requests. You can configure these filters in Spring’s bean configuration files using XML elements defined in the Spring Security schema. However, as servlet filters must be registered in the web deployment descriptor to take effect, you have to register a DelegatingFilterProxy instance in the web deployment descriptor, which is a servlet filter that delegates request filtering to a filter in Spring’s application context. Spring Security allows you to configure web application security through the <http> element.
- 7. Solution If your web application’s security requirements are straightforward and typical, you can set this element’s auto-config attribute to true so that Spring Security will automatically register and configure several basic security services, including the following: Form-based login service: This provides a default page that contains a login form for users to log into this application. Logout service: This provides a handler mapped with a URL for users to log out of this application. HTTP Basic authentication: This can process the Basic authentication credentials presented in HTTP request headers. It can also be used for authenticating requests made with remoting protocols and web services. Anonymous login: This assigns a principal and grants authorities to an anonymous user so that you can handle an anonymous user like a normal user. Remember-me support: This can remember a user’s identity across multiple browser sessions, usually by storing a cookie in the user’s browser. Servlet API integration: This allows you to access security information in your web application via standard Servlet APIs, such as HttpServletRequest.isUserInRole() and HttpServletRequest.getUserPrincipal().
- 8. 2. Logging In to Web Applications Problem A secure application requires its users to log in before they can access certain secure functions. This is especially important for web applications running on the open Internet because hackers can easily reach them. Most web applications have to provide a way for users to input their credentials to log in.
- 9. Solution Spring Security supports multiple ways for users to log into a web application. It supports form-based login by providing a default web page that contains a login form. You can also provide a custom web page as the login page. In addition, Spring Security supports HTTP Basic authentication by processing the Basic authentication credentials presented in HTTP request headers. HTTP Basic authentication can also be used for authenticating requests made with remoting protocols and web services. Some parts of your application may allow for anonymous access (e.g., access to the welcome page). Spring Security provides an anonymous login service that can assign a principal and grant authorities to an anonymous user so that you can handle an anonymous user like a normal user when defining security policies. Spring Security also supports remember-me login, which is able to remember a user’s identity across multiple browser sessions so that a user needn’t log in again after logging in for the first time.
- 10. 3. Authenticating Users Problem When a user attempts to log into your application to access its secure resources, you have to authenticate the user’s principal and grant authorities to this user.
- 11. Solution In Spring Security, authentication is performed by one or more authentication providers, connected as a chain. If any of these providers authenticates a user successfully, that user will be able to log into the application. If any provider reports that the user is disabled or locked or that the credential is incorrect, or if no provider can authenticate the user, then the user will be unable to log into this application. Spring Security supports multiple ways of authenticating users and includes built-in provider implementations for them. You can easily configure these providers with the built-in XML elements. Most common authentication providers authenticate users against a user repository storing user details (e.g., in an application’s memory, a relational database, or an LDAP repository). When storing user details in a repository, you should avoid storing user passwords in clear text because they are vulnerable to hackers. Instead, you should always store encrypted passwords in your repository. A typical way of encrypting passwords is to use a one-way hash function to encode the passwords. When a user enters a password to log in, you apply the same hash function to this password and compare the result with the one stored in the repository. Spring Security supports several algorithms for encoding passwords (including MD5 and SHA), and provides built-in password encoders for these algorithms. If you retrieve a user’s details from a user repository every time a user attempts to log in, your application may incur a performance impact. This is because a user repository is usually stored remotely, and it has to perform some kinds of queries in response to a request. For this reason, Spring Security supports caching user details in local memory and storage to save you the overhead of performing remote queries.
- 12. 4.Making Access Control Decisions Problem In the authentication process, an application will grant a successfully authenticated user a set of authorities. When this user attempts to access a resource in the application, it has to make a decision on whether the resource is accessible with the granted authorities or other characteristics.
- 14. 5. Securing Method Invocations Problem As an alternative or a complement to securing URL access in the web layer, sometimes you may need to secure method invocations in the service layer. For example, in the case that a single controller has to invoke multiple methods in the service layer, you may wish to enforce fine-grained security controls on these methods.
- 15. Solution Spring Security enables you to secure method invocations in a declarative way. First, you can embed a <security:intercept-methods> element in a bean definition to secure its methods. Alternatively, you can configure a global <global-method-security> element to secure multiple methods. You can also annotate methods declared in a bean interface or an implementation class with the @Secured annotation, and then enable security for them in <global-method-security>.
- 16. 6.Handling Security in Views Problem Sometimes you may wish to display a user’s authentication information, such as the principal name and the granted authorities, in the views of your web application. In addition, you would like to render the view contents conditionally according to the user’s authorities.
- 17. Solution Although you can write JSP scriptlets in your JSP files to retrieve authentication and authorization information through the Spring Security API, it’s not an efficient solution. Spring Security provides a JSP tag library for you to handle security in JSP views. It includes tags that can display a user’s authentication information and render the view contents conditionally according to the user’s authorities.
- 21. 7.Handling Domain Object Security Problem Sometimes you may have complicated security requirements that require handling security at the domain object level. That means you have to allow each domain object to have different access attributes for different principals.
- 22. Solution Spring Security provides a module named ACL that allows each domain object to have its own access control list (ACL). An ACL contains a domain object’s object identity to associate with the object, and also holds multiple access control entries (ACEs), each of which contains the following two core parts: Permissions: An ACE’s permissions are represented by a particular bit mask, with each bit value for a particular type of permission. The BasePermission class predefines five basic permissions as constant values for you to use: READ (bit 0 or integer 1), WRITE (bit 1 or integer 2), CREATE (bit 2 or integer 4), DELETE (bit 3 or integer 8), and ADMINISTRATION (bit 4 or integer 16). You can also define your own using other unused bits. Security Identity (SID): Each ACE contains permissions for a particular SID. An SID can be a principal (PrincipalSid) or an authority (GrantedAuthoritySid) to associate with permissions. In addition to defining the ACL object model, Spring Security defines APIs for reading and maintaining the model, and provides high-performance JDBC implementations for these APIs. In order to simplify ACL’s usages, Spring Security also provides facilities, such as access decision voters and JSP tags, for you to use ACL consistently with other security facilities in your application.