Spring / Spring Security
Spring Security provides comprehensive security services for Java EE-based enterprise software applications.
There are two main areas that Spring Security targets. "Authentication" is the process of establishing a principal is who they claim to be (a "principal" generally means a user, device or some other system which can perform an action in your application)."Authorization" refers to the process of deciding whether a principal is allowed to perform an action within your application.
OAuth is an open standard for authorization. OAuth provides client applications a 'secure delegated access' to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials.
Security context in Spring Security includes details of the principal currently using the application. Security context is always available to methods in the same thread of execution, even if the security context is not explicitly passed around as an argument to those methods.
SecurityContextHolder stores the principal currently interacting with the application. The principal is the currently logged in user that you retrieve it through the security context.
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal(); if (principal instanceof UserDetails) { String username = ((UserDetails)principal).getUsername(); } else { String username = principal.toString(); }
To enable Spring security in Java Web application, you need to do configure three things,
- declare a delegating proxy filter in web.xml,
- add ContextLoaderListener in web.xml,
- and provide actual security constraints on applicationContext-Security.xml file.
The DelegatingFilterProxy class from package org.springframework. web.filter is required.
Spring security 3.0 and jdk 1.5.
SecurityContextIntegrationFilter: establishes SecurityContext and maintains between HTTP requests.
LogoutFilter: clears SecurityContextHolder when logout requested.
UsernamePasswordAuthenticationFilter: places Authentication into the SecurityContext on login request.
ExceptionTranslationFilter: converts SpringSecurity exceptions into HTTP response or redirect.
FilterSecurityInterceptor: authorize web requests based on config attributes and authorities.
- HTTP Basic authentication,
- HTTP digest,
- Form based,
- Using LDAP,
- OAUTH,
- Automatic remember me authentication.
Basic authentication is a simple authentication scheme built into the HTTP protocol. The client sends HTTP requests with the Authorization header that contains the word Basic word followed by a space and a base64-encoded string username:password.
Digest authentication is an application of MD5 cryptographic hashing with usage of nonce values to prevent replay attacks. It uses the HTTP protocol.
Yes, Spring Security provides support for password hashing.
Salting secure your application from Dictionary-Attack. Using Salt you may add an extra string in password so hacker find it difficult for braking the password.
There are 2 salt methods,
- Global Salt.
- Per User Salt.
In Global Salt there is one single common word append to password. In Per User Salt we have to give one user attribute serve as Salt String.
The Ant matchers match against the request path and not the path of the resource on the filesystem.So ignore any request that starts with "/resources/".This is similar to configuring http@security=none when using the XML namespace configuration.
@Override public void configure(WebSecurity web) throws Exception { web .ignoring() .antMatchers("/resources/**"); }
Yes. We may need form login for web app and basic for rest services. In that case multiple http configuration is required.
Java Cryptography Architecture implements security functions for the Java platform. It provides a platform and gives architecture and APIs for encryption and decryption. JCA is used by the developer to combine the application with the security measure. A programmer uses the JCA to meet the security measure. It helps in performing the third party security rules. It uses the hash table, encryption message digest, etc to implement the security.
Mutual authentication, also called two-way authentication, is a process or technology in which both entities in a communications link authenticate each other.
Apache Shiro is an open-source software security framework that performs authentication, authorization, cryptography and session management.
Shiro is an intuitive and easy-to-use framework with robust security features.
Different OAuth Flows to allow better support for non-browser based applications. This is a main criticism against OAuth from client applications that were not browser based. For example, in OAuth 1.0, desktop applications or mobile phone applications had to direct the user to open their browser to the desired service, authenticate with the service, and copy the token from the service back to the application. The main criticism here is against the user experience. With OAuth 2.0, there are now new ways for an application to get authorization for a user.
OAuth 2.0 no longer requires client applications to have cryptography. This hearkens back to the old Twitter Auth API, which didn't require the application to HMAC hash tokens and request strings. With OAuth 2.0, the application can make a request using only the issued token over HTTPS.
OAuth 2.0 signatures are much less complicated. No more special parsing, sorting, or encoding.
OAuth 2.0 Access tokens are "short-lived". Typically, OAuth 1.0 Access tokens could be stored for a year or more (Twitter never let them expire). OAuth 2.0 has the notion of refresh tokens. While I'm not entirely sure what these are, my guess is that your access tokens can be short lived (i.e. session based) while your refresh tokens can be "life time". You'd use a refresh token to acquire a new access token rather than have the user re-authorize your application.
OAuth 2.0 is meant to have a clean separation of roles between the server responsible for handling OAuth requests and the server handling user authorization.
PKI refers to a collective ecosystem of roles, responsibilities, policies, and procedures for issuing, managing, and revoking digital certificates. The PKI ecosystem ensures the secure and private exchange of sensitive electronic information between known and unknown parties over untrusted networks.
An classical example of PKI is the management of X.509 digital certificates for HTTPS web services, offered by banks and other retailers to protect customers on the internet.
The Java platform provides many features to support the PKI model and trust management for Java.
Oracle's root certificate program: Organizations that wish to include a root within the JDK's trust store apply to the program. if the requester meets the qualifications and agrees to the terms. the root is included.
Java CertPath API: Application that participate in the PKI Model use the CertPath API to manage certificates, process certificate metadata, and test revocation status.
Revocation services: Sometimes certificates can be stolen and Java support features that work with industry CRL and OCSP responders to test for blacklisted certifcates.
DelegatingFilterProxy is the entry point of Spring Security in a Java web application. It is a generic bean that provides a link between web.xml and application-Context.xml. Spring security uses filters to implement cross-cutting concerns like authentication and authorization.
In Spring security, these filters are also Spring bean so that they can take advantage of Spring's dependency injection features, hence they are declared inside the Spring configuration file and a delegating filter proxy (DelegatingFilterProxy) is declared on their behalf on web.xml as filter as shown below:
<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
At runtime, delegating filter proxy delegates HTTP requests to a bean class for filtering.