Spring Security provides security services for J2EE-based enterprise software applications.
Application Security Areas:
There are two main areas of application security.
- Authentication: the process of verifying that a user is who they claim to be.
- Authorization: the process of deciding whether an authenticated user is allowed to perform a given activity within the application.
Authentication Models supported by Spring Security:
Spring Security supports more than 20 authentication models. Some of them are:
- X.509 client certificate exchange
- LDAP Authentication
- OpenID authentication
- Java Open Source Single Sign On
Spring Security Modules
Spring Security code is divided into different JARs (which can be considered modules):
- Core (spring-security-core.jar): required. Contains the core authentication and access-control classes and interfaces, remoting support and basic provisioning APIs.
- Web (spring-security-web.jar): required if web authentication services and URL-based access control are needed. Contains the filters and related web-security infrastructure code.
- Remoting: provides integration with Spring Remoting.
- Config: contains the security namespace parsing code. You need it if you are using the Spring Security XML namespace for configuration.
- LDAP: LDAP authentication and provisioning code. Required if you need LDAP authentication or want to manage LDAP user entries.
- ACL: used to apply security to specific domain object instances within your application.
- CAS: needed to use Spring Security web authentication with a CAS single sign-on server.
- OpenID: used to authenticate users against an external OpenID server.
Note: module details are taken from the official Spring Security documentation.
Spring Security Configuration
To enable Spring Security for your web application, add the following filter declaration to web.xml:
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
All requests now pass through the springSecurityFilterChain filter, which applies the application's security. DelegatingFilterProxy itself contains no security logic: it looks up a Spring bean with the same name as the filter (springSecurityFilterChain, which the security namespace creates for you) and delegates to it, so the filter-name must match that bean name exactly.
Now that Spring Security is enabled, we can configure the security XML for the different security-related options such as the authentication model, the login page, the access-denied page and so on.
Namespace configuration lets you supplement the traditional Spring beans application-context syntax with elements from an additional XML schema. To use the security namespace in the application context, the spring-security-config JAR must be on the classpath, and the application-context XML needs the following schema declaration:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
                            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security
                            http://www.springframework.org/schema/security/spring-security-3.1.xsd">
        ...
    </beans:beans>
With this declaration "security" is the default namespace rather than "beans", so security elements such as <http> and <authentication-manager> are written without a prefix, while ordinary beans need the beans: prefix.
Here we decide which authentication model the web application will use; it can be any of the models listed above (LDAP, OpenID, ...). Once decided, it is configured inside the <authentication-manager> element.
Ex 1:
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user1" password="password" authorities="ROLE_USER, ROLE_ADMIN"/>
                <user name="user2" password="password" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
Here the users and their roles are hard-coded in the XML itself, and users are authenticated and authorized on that basis. Two users have been created, both with the password "password"; user1 holds ROLE_USER and ROLE_ADMIN, user2 only ROLE_USER. Because the passwords sit in clear text in a configuration file, this form is suitable for demos and tests only; anywhere else, add a <password-encoder> so that only password hashes appear in the XML.
Ex 2:
    <authentication-manager>
        <authentication-provider ref="ldapActiveDirectoryAuthProvider"/>
    </authentication-manager>

    <beans:bean id="ldapActiveDirectoryAuthProvider"
                class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
        <beans:constructor-arg value="abc.xyz.com"/>
        <beans:constructor-arg value="ldaps://abc.xyz.com:636"/>
    </beans:bean>
Here the user is authenticated and authorized against an LDAP server (in this case Active Directory). The first constructor argument is the AD domain, the second the server URL; the user's group memberships (the memberOf attribute) are mapped to authorities.
Note: port 636 is used for LDAP over TLS (ldaps://) and port 389 for plain LDAP (ldap://). Use ldaps:// for authentication, because a plain LDAP bind sends the user's password across the network in the clear. The AD server's certificate must be trusted by the JVM's truststore, otherwise the connection fails.
Ex 3:
    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"/>
        </authentication-provider>
    </authentication-manager>
Here the user is authenticated and authorized from two tables in the database, USERS and AUTHORITIES, read through the DataSource bean referenced by data-source-ref. By default Spring Security runs
    select username, password, enabled from users where username = ?
    select username, authority from authorities where username = ?
so the tables must provide those columns (different table or column names can be used by overriding the queries with the users-by-username-query and authorities-by-username-query attributes). A portable version of the default schema:
    CREATE TABLE users (
        username VARCHAR(50)  NOT NULL PRIMARY KEY,
        password VARCHAR(100) NOT NULL,
        enabled  BOOLEAN      NOT NULL
    );
    CREATE TABLE authorities (
        username  VARCHAR(50) NOT NULL,
        authority VARCHAR(50) NOT NULL,
        CONSTRAINT fk_authorities_users FOREIGN KEY (username) REFERENCES users (username)
    );
    CREATE UNIQUE INDEX ix_auth_username ON authorities (username, authority);
On Oracle use VARCHAR2 and NUMBER(1) in place of VARCHAR and BOOLEAN. ENABLED is a flag, not a string: a disabled account is rejected before the password is even checked. PASSWORD should hold a hash rather than the clear-text value; a bcrypt hash is 60 characters long, so a 50-character column would truncate it and every login would fail.
Note*: You can have multiple <authentication-provider> elements to define different authentication sources and each will be consulted in turn.
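Putting Ex 1, Ex 3 and the note above together, here is an added example (written for this page, not taken from the original article or from the Spring Security project) of one <authentication-manager> with two providers that are consulted in the order listed, both comparing bcrypt hashes instead of clear-text passwords. It assumes the "security" default namespace from the schema declaration above and a DataSource bean named dataSource defined elsewhere; the bean id passwordEncoder, the user name breakglass, and the table and column names in the custom queries (app_user, app_user_role, login, pwd_hash, active, role_name) are illustrative choices, not anything the page or the framework requires.

```xml
<!-- Added example, not from the original page. Fragments belong inside the
     <beans:beans> root shown earlier ("security" is the default namespace). -->

<!-- BCryptPasswordEncoder ships in spring-security-core from 3.1 on. Both
     providers below reference it, so no clear-text password is stored or
     compared anywhere in this configuration. -->
<beans:bean id="passwordEncoder"
            class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<authentication-manager>

    <!-- Provider 1: a single in-memory "break-glass" account (assumed name).
         Only a bcrypt hash appears in the XML. The value is the bcrypt hash of
         the string "password" used as a sample in the Spring Security reference
         documentation and is here only to keep the example self-contained:
         generate your own with new BCryptPasswordEncoder().encode(...) and do
         not ship this one. Because this provider is listed first, a database
         row with the same user name would never be consulted. -->
    <authentication-provider>
        <password-encoder ref="passwordEncoder"/>
        <user-service>
            <user name="breakglass"
                  password="$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG"
                  authorities="ROLE_ADMIN"/>
        </user-service>
    </authentication-provider>

    <!-- Provider 2: everyone else, from the database. The two query attributes
         override the default SQL so a schema with other table/column names
         (app_user / app_user_role are assumed here) can be used. The result
         columns must still come back in the order username, password, enabled
         and username, authority. The "?" is a JDBC bind parameter: the supplied
         user name is never concatenated into the SQL text. -->
    <authentication-provider>
        <password-encoder ref="passwordEncoder"/>
        <jdbc-user-service data-source-ref="dataSource"
            users-by-username-query=
                "select login, pwd_hash, active from app_user where login = ?"
            authorities-by-username-query=
                "select login, role_name from app_user_role where login = ?"/>
    </authentication-provider>

</authentication-manager>
```

With this in place the pwd_hash column must hold bcrypt output (60 characters) written by the same BCryptPasswordEncoder at registration time; a row containing a clear-text password simply fails to authenticate, which is the safe failure mode.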
So far you have enabled Spring Security for your web application and configured the <authentication-manager> through which users are authenticated and authorized. Next we configure the login page, logout handling and role-based URL access, all of which live inside the <http> element.
The quickest start is <http auto-config="true"/>, which covers the basics (login, logout, role-based access) and is shorthand for
    <http>
        <form-login/>
        <http-basic/>
        <logout/>
    </http>
i.e. form login with an auto-generated login page, HTTP Basic authentication and a logout handler, all at default URLs. Note that this switches on HTTP Basic as well, so credentials can be presented in an Authorization header on any request; leave <http-basic/> out unless you actually need it. The explicit elements below replace these defaults.
Login page configuration
    <form-login login-page="/login.jsp" default-target-url="/home.jsp" always-use-default-target="true"/>
Here the login page is login.jsp and, after a successful login, the user is sent to home.jsp (default-target-url). always-use-default-target controls whether that redirect happens every time:
If true, the user always lands on home.jsp after logging in, even if they were sent to the login page while trying to reach some other protected URL (for example after a session timeout).
If false (the default), Spring Security remembers the protected URL that triggered the login and returns the user there afterwards; default-target-url is used only when there is no such saved request, e.g. when the user opens the login page directly.
The login page itself must be reachable without authentication (see the security="none" pattern below); otherwise every request for it is redirected back to the login page in a loop.
Role-based URL access configuration
    <intercept-url pattern="/**" access="ROLE_USER"/>
Note*: now every URL can be accessed only by users holding the ROLE_USER authority. This is the non-expression form; if use-expressions="true" is set on <http>, the same rule must be written access="hasRole('ROLE_USER')", and the two forms cannot be mixed inside one <http> element. Static content and the login page can be taken out of the security filter chain altogether:
    <http pattern="/login.jsp*" security="none"/>
security="none" means no Spring Security filter at all runs for matching requests, so there is no SecurityContext, no session handling and no access check on those URLs. Use it only for resources that never need to know who the caller is.
The complete configuration will be something like
    <http pattern="/js/*" security="none"/>

    <http use-expressions="true">
        <intercept-url pattern="/secure/**" access="hasRole('ROLE_SUPERVISOR')"/>
        <intercept-url pattern="/**" access="isAuthenticated()"/>
    </http>
Two points matter here. First, <intercept-url> rules are evaluated top to bottom and the first matching pattern wins, so the more specific /secure/** must come before the catch-all /**; the other way round, any authenticated user could reach /secure/. Second, Ant-style /* matches a single path segment only, so /js/* leaves /js/lib/x.js inside the secured chain (use /js/** for the whole tree), while /** already covers / and every single-segment path, which is why separate rules for / and /* add nothing. Also note that <http> elements carrying a pattern must be listed before the one without.
Access denied page configuration
<access-denied-handler error-page="/accessdenied.jsp" />
Logout page & logout link configuration
<logout logout-url="/logout" logout-success-url="/logoutPage.jsp" />
Session Management Configuration
    <session-management>
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="false"/>
    </session-management>
Here we have defined that a user can have at most one active session.
error-if-maximum-exceeded defines what happens when the user tries to create a second session:
If true: the new login is rejected with an error stating that the user already has the maximum number of sessions.
If false: the new login succeeds and the user's oldest existing session is expired, so only the new session remains.
Concurrency control needs to be told when sessions end, so org.springframework.security.web.session.HttpSessionEventPublisher must be registered as a <listener> in web.xml; without it, timed-out sessions stay in the session registry and users can be locked out until they expire there.
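As an added example (written for this page, not code from the original article or from the Spring Security project), here is a complete <http> block that combines the login, access-control, access-denied, logout and session-management fragments above. It assumes the "security" default namespace, that login.jsp, home.jsp, accessdenied.jsp and logoutPage.jsp exist as on the page, and that static files live under /js/ and /css/ (the /css/ tree and the /login.jsp?error=1 failure URL are assumptions, not from the page).

```xml
<!-- Added example, not from the original page. Fragments belong inside the
     <beans:beans> root shown earlier ("security" is the default namespace). -->

<!-- Static resources only: no Spring Security filter runs for these at all.
     /** (not /*) so sub-directories are covered too. Keep this list to files
     that never need a user identity. <http> elements with a pattern must come
     before the one without. -->
<http pattern="/js/**"  security="none"/>
<http pattern="/css/**" security="none"/>

<!-- Everything else. Rules are tried top to bottom and the first matching
     pattern wins, so narrow patterns are listed before the /** catch-all. -->
<http use-expressions="true">

    <!-- The login page stays inside the filter chain (unlike security="none"),
         so a SecurityContext and session handling exist when the form is
         posted; permitAll merely lets anonymous users reach it. -->
    <intercept-url pattern="/login.jsp*"       access="permitAll"/>
    <intercept-url pattern="/accessdenied.jsp" access="permitAll"/>
    <intercept-url pattern="/logoutPage.jsp"   access="permitAll"/>

    <!-- Admin area before the catch-all; placed after /** it would never be
         evaluated and any logged-in user could reach it. -->
    <intercept-url pattern="/secure/**" access="hasRole('ROLE_SUPERVISOR')"/>

    <!-- Catch-all: /** also matches / and /x, so separate rules for those
         add nothing. -->
    <intercept-url pattern="/**" access="isAuthenticated()"/>

    <!-- Default always-use-default-target="false": users return to the page
         they originally asked for; home.jsp is used only when there is no
         saved request. Failed logins go back to the form (assumed URL). -->
    <form-login login-page="/login.jsp"
                default-target-url="/home.jsp"
                authentication-failure-url="/login.jsp?error=1"/>

    <access-denied-handler error-page="/accessdenied.jsp"/>

    <!-- invalidate-session="true" is the default; written out so the intent
         (no reusable session after logout) is visible in the config. -->
    <logout logout-url="/logout"
            logout-success-url="/logoutPage.jsp"
            invalidate-session="true"/>

    <!-- migrateSession (the default) issues a new session id on login, which
         defeats session fixation. concurrency-control caps sessions per user;
         with error-if-maximum-exceeded="false" the older session is expired
         rather than the new login refused. Requires HttpSessionEventPublisher
         registered as a listener in web.xml. -->
    <session-management session-fixation-protection="migrateSession">
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="false"/>
    </session-management>

</http>
```

The choice of permitAll over security="none" for the login and error pages is deliberate: with security="none" those URLs are invisible to Spring Security, so nothing there can read the current user or benefit from session-fixation protection, whereas permitAll keeps them in the chain and only relaxes the access decision.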