Sunday, 27 July 2014

Spring Security Using MySql and JDBC

Spring Security

Spring Security provides a comprehensive security solution for J2EE-based enterprise software applications.

The Servlet and EJB specifications lack the depth required for typical enterprise application security, and container-managed security is not portable at the WAR or EAR level: moving the application to a different server means reconfiguring its security for the new target environment.

Spring Security is a powerful and highly customizable authentication and access-control framework.

Features

Comprehensive and extensible support for both authentication and authorization.

Protection against attacks such as session fixation, clickjacking and cross-site request forgery (CSRF). Note that with the 3.2 XML namespace CSRF protection is opt-in: it has to be enabled with a <csrf/> element inside <http>.

Servlet API integration.

Optional integration with Spring Web MVC.

Spring Security addresses these problems with customizable security features that are configured in the application itself rather than in the container.

The two major areas of Spring Security are authentication and authorization.

Authentication

Authentication is the process of establishing that a principal (a user, a device or another system) is who it claims to be before it is allowed to perform an action in your application.

Authorization

Authorization refers to the process of deciding whether a principal is allowed to perform an action within your application.

At the authentication level, Spring Security supports a wide range of authentication models. Most of these models are either provided by third parties or developed by standards bodies such as the IETF.

Spring Security can be downloaded from the project site (http://projects.spring.io/spring-security/), or the individual jars can be pulled from the Maven Central repository.

Maven Setup
  
A typical set of Spring Security Maven dependencies. core, web and config are the minimum for a namespace-configured web application; taglibs, ldap and acls are optional and only needed for the features described below.


<dependencies>
  <!-- ... other dependency elements ... -->
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>3.2.4.RELEASE</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>3.2.4.RELEASE</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>3.2.4.RELEASE</version>
  </dependency>
  <!-- optional: JSP tag library (note the plural artifactId) -->
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>3.2.4.RELEASE</version>
  </dependency>
  <!-- optional: LDAP authentication / provisioning -->
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-ldap</artifactId>
    <version>3.2.4.RELEASE</version>
  </dependency>
  <!-- optional: domain-object (ACL) security -->
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-acls</artifactId>
    <version>3.2.4.RELEASE</version>
  </dependency>
</dependencies>

spring-security-core contains the core authentication and access-control classes and interfaces, remoting support and the basic provisioning APIs. Every other module depends on it.

spring-security-web contains the filters and the related web-security infrastructure. It is required for anything that depends on the servlet API and for URL-based access control.

spring-security-config parses the XML namespace (the <http> and <authentication-manager> elements used below) and is only needed at runtime for that configuration.

spring-security-taglibs provides the JSP tags (authorize, authentication) that show or hide UI elements according to the user's authorities. It affects presentation only and is no substitute for the server-side URL and method checks.

spring-security-ldap is needed for LDAP authentication or for loading user entries from an LDAP directory.

spring-security-acls implements access control lists for securing individual domain object instances within the application.

Namespace Configuration web.xml

web.xml provides the hook into Spring Security's web infrastructure.

DelegatingFilterProxy is a Spring Framework class that delegates to a filter bean in the root application context. It looks the bean up by the filter-name, so the name in web.xml must be springSecurityFilterChain, exactly as the namespace registers it.

springSecurityFilterChain is the internal infrastructure bean created by the namespace to handle web security.

Once the filter is registered in web.xml, the application context XML can be edited (adding the <http> element).

web.xml 
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Namespace Configuration Spring-Context.xml

The Spring context file carries three pieces of namespace configuration: a minimal <http> element, an authentication provider, and a password encoder.

<http> controls which URLs require which authorities and where unauthenticated or failed requests are redirected.
The authentication provider validates the credentials submitted by the user at login.
The password encoder hashes the submitted password before comparison, so that only hashes, never plaintext passwords, are stored and compared.

http Configuration
The http element is responsible for creating the FilterChainProxy and the filter beans it uses.
Because the filter positions are predefined, it prevents the incorrect filter ordering that hand-wired filter chains are prone to.
The http element is the parent of all web-related namespace functionality.

The <intercept-url> element defines an Ant-style path pattern that is matched against the URL of each incoming request.

The access attribute defines the access requirements for requests matching the pattern.
Without use-expressions it is a comma-separated list of roles; a user holding any one of those roles may make the request.

Multiple <intercept-url> elements can define different access requirements for different sets of URLs, but they are evaluated in the order listed and the first match is used. More specific patterns therefore go first: a catch-all pattern="/**" placed before pattern="/admin/**" would make the admin rule unreachable.

<sec:http auto-config="true">
    <sec:intercept-url pattern="/foo/**" access="ROLE_BASIC" />
</sec:http>

With use-expressions="true" on <http>, the access attribute takes a SpEL expression such as hasRole('ROLE_BASIC') instead of a role list. The role name is single-quoted inside the double-quoted attribute value.

<sec:http auto-config="true" use-expressions="true">
    <sec:intercept-url pattern="/foo/**" access="hasRole('ROLE_BASIC')" />
</sec:http>

Form  Login

Form Login  XML configuration


<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- use-expressions="true" lets access="" hold SpEL such as hasRole('...');
         the role name is single-quoted inside the double-quoted attribute. -->
    <http auto-config="true" use-expressions="true">
        <!-- "/secured/*" matches one path segment only; use "/secured/**" to cover the whole subtree. -->
        <intercept-url pattern="/secured/*" access="hasRole('ROLE_USER')" />
        <form-login login-page="/loginPage"
            username-parameter="username" password-parameter="password"
            default-target-url="/home" authentication-failure-url="/loginPage?error=1" />
        <logout logout-url="/logout" logout-success-url="/logoutPage" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <!-- A plaintext password in the context file is acceptable only for a demo;
                 store a hash and declare a <password-encoder> for anything real. -->
            <user-service>
                <user name="satya" password="satya@123" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
form-login : adds a UsernamePasswordAuthenticationFilter to the filter stack and a LoginUrlAuthenticationEntryPoint to the application context to provide form-based authentication.

If no attributes are supplied, a login page is generated automatically at the URL /spring_security_login (Spring Security 3.x).

login-page : URL of the custom login page, to which unauthenticated requests for protected resources are redirected. It must be served by a controller and must itself be reachable without authentication (it is not matched by the /secured/* pattern above), otherwise the redirect loops.

username-parameter / password-parameter : names of the form fields; in 3.x they default to j_username and j_password.

default-target-url : URL to which UsernamePasswordAuthenticationFilter redirects after a successful login, unless the user was originally sent to the login page from a protected URL, in which case that saved request wins (set always-use-default-target="true" to override).

authentication-failure-url : URL to which UsernamePasswordAuthenticationFilter redirects after a failed login.

authentication-success-handler-ref : an alternative to default-target-url; references an AuthenticationSuccessHandler bean that gets full control over the navigation flow after a successful authentication.

use-expressions : enables SpEL expressions in the access attribute.

logout-url : the URL that triggers logout. Defaults to /j_spring_security_logout in 3.x.

Authentication Manager

The <authentication-manager> element registers the AuthenticationManager bean internally.
It creates an instance of Spring Security's ProviderManager class, which must be configured with a list of one or more AuthenticationProvider instances.

authentication-manager : the element that wires the providers into the ProviderManager used by the web filters and by method security.

authentication-provider : child element of <authentication-manager>. Without a ref attribute it creates a DaoAuthenticationProvider.

Multiple authentication-provider elements may be listed inside authentication-manager; ProviderManager tries them in order until one authenticates the user.

The ref attribute plugs in a custom (or third-party) AuthenticationProvider bean. The default provider instead loads the user record from the configured UserDetailsService (<user-service> here, or a JDBC-backed one) and compares the stored password with the one supplied at login, applying the password encoder if one is declared.
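The password encoder named at the start of this namespace section is the fix for the plaintext password in the <user-service> above. The following is an added example, not code from the original post: it uses Spring Security's own BCryptPasswordEncoder (shipped in spring-security-core since 3.1) to produce the value that goes in the password attribute once <password-encoder hash="bcrypt"/> is declared inside <authentication-provider>, and shows that verification still succeeds although every hash carries its own random salt. The class name BcryptHashTool is assumed.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example (not from the original post). Generates the bcrypt hash that
 * belongs in <user ... password="..."/> once <password-encoder hash="bcrypt"/>
 * is declared inside <authentication-provider>, and verifies it the way the
 * DaoAuthenticationProvider does at login. Needs spring-security-core 3.1+.
 */
public class BcryptHashTool {

    // Work factor 2^10 (the library default). Raise it as hardware gets faster.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(10);

    /** Returns a salted bcrypt hash ("$2a$10$..."); the salt is embedded in the string. */
    public static String hash(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Checks a candidate password against a stored hash, re-using the embedded salt. */
    public static boolean verify(String rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    public static void main(String[] args) {
        // Sample credential from the XML above; pass another one as the first argument.
        String password = args.length > 0 ? args[0] : "satya@123";

        String first = hash(password);
        String second = hash(password);

        // Two hashes of the same password differ because each gets a fresh random salt ...
        System.out.println(first);
        System.out.println(second);
        System.out.println("hashes differ: " + !first.equals(second));

        // ... yet both verify against the original password.
        System.out.println("first matches:  " + verify(password, first));
        System.out.println("second matches: " + verify(password, second));

        // A near miss is rejected.
        System.out.println("wrong rejected: " + !verify(password + "x", first));
    }
}
```

Run it once per account and paste the printed hash into password="..." in the <user> element, adding <password-encoder hash="bcrypt"/> as the first child of <authentication-provider>. From then on the provider calls matches() at each login instead of comparing strings, so the plaintext never has to appear in the context file. Keep the work factor high enough that one hash takes tens of milliseconds on the production hardware; that is what makes offline guessing against a leaked configuration expensive.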

Method Level Security

Securing URLs alone is not enough in a web application: a service method that is reachable from several controllers, or from non-web entry points, needs its own check. Role-based authorization at the method level is common in internet applications.

Methods are secured with the @PreAuthorize annotation.

@PreAuthorize("hasRole('ROLE_USER')")
public void getUserDetails(String userID) { }

@PreAuthorize evaluates its expression before the method body runs and decides whether the invocation proceeds or an AccessDeniedException is thrown.

The annotations are enabled with <global-method-security pre-post-annotations="enabled"/> in the Spring context file. The element only secures beans declared in the same application context; in a Spring MVC application that means the service beans must live in the context that carries this element (usually the root context, not the DispatcherServlet's child context).
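The page shows a single role check. As an added example (not code from the original post), the hypothetical AccountService below goes a step further and uses the three kinds of expression that <global-method-security pre-post-annotations="enabled"/> makes available: a plain hasRole() check, a check that compares a method argument with the logged-in user (authentication.name), and a @PostAuthorize check on the returned object. AccountService, Account and the sample accounts are assumed; only "satya" comes from the XML above.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

/**
 * Added example, not from the original post. AccountService and Account are
 * assumed names. The annotations are enforced only when this bean lives in a
 * context that declares <global-method-security pre-post-annotations="enabled"/>.
 */
@Service
public class AccountService {

    /** Minimal domain object; "owner" is read by the @PostAuthorize expression below. */
    public static class Account {
        public final long id;
        public final String owner;
        public final long balanceCents;

        public Account(long id, String owner, long balanceCents) {
            this.id = id;
            this.owner = owner;
            this.balanceCents = balanceCents;
        }

        public String getOwner() { return owner; } // SpEL resolves returnObject.owner via this getter
    }

    // Constructed sample data standing in for a repository.
    private final Map<Long, Account> accounts = new LinkedHashMap<Long, Account>();

    public AccountService() {
        accounts.put(1L, new Account(1L, "satya", 12500)); // "satya" is the user from the XML above
        accounts.put(2L, new Account(2L, "alice", 99000));
    }

    /** Plain role check, as on the page: only administrators may enumerate all accounts. */
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public List<Account> listAllAccounts() {
        return new ArrayList<Account>(accounts.values());
    }

    /**
     * Argument-based check: #username is the method parameter and authentication.name
     * the logged-in user, so a user can query only their own accounts unless they are
     * an admin. Parameter names are read from the class's debug information (javac -g,
     * the Maven compiler default); without it, annotate the parameter with 3.2's @P("username").
     */
    @PreAuthorize("hasRole('ROLE_ADMIN') or #username == authentication.name")
    public List<Account> getAccountsFor(String username) {
        List<Account> result = new ArrayList<Account>();
        for (Account a : accounts.values()) {
            if (a.owner.equals(username)) {
                result.add(a);
            }
        }
        return result;
    }

    /**
     * Post-condition check for lookups by opaque id, where the owner is only known after
     * loading. A missing id fails the check for non-admins, so an unknown id and another
     * user's id both surface as AccessDeniedException and the id space cannot be probed.
     */
    @PostAuthorize("hasRole('ROLE_ADMIN') or (returnObject != null and returnObject.owner == authentication.name)")
    public Account getAccountById(long id) {
        return accounts.get(id);
    }
}
```

Method security is applied through Spring AOP proxies, so only calls that arrive through the proxy are checked: a call from one method of AccountService to another bypasses the annotations entirely, and so does a bean declared in a context other than the one carrying <global-method-security>. Keep the role-based URL rules in <http> as the first line of defence and treat these annotations as the check that protects the business logic regardless of which URL reached it.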

Login page security continues in the next blog post.





