Saturday, December 28, 2024
Google search engine
HomeLanguagesJavaSpring Security Architecture

Spring Security Architecture

Spring Security framework adds two important capabilities to web applications,

  1. Authentication 
  2. Authorization/Access Control

This framework provides protection against popular security issues like SCRF attacks, or Fixation attacks. It provides a secure and standard way to set up user login functionality in web applications and thus provides quick user authentication and access control.

Spring Security Architecture

 

Authentication

Authentication is the process of verifying the identity of the computer user. It is the process of verifying the user and devices before allowing them to access the resources. In Java, the AuthenticationManager interface is responsible for handling authentication events. 

Example:

Java AuthenticationManager Interface

 

The AuthenticationManager interface method “authenticate()” returns authentication (i.e if authentication= true )if it verifies the identity. The AuthenticationException is thrown if it identifies an invalid identity or principal. It returns null if he cannot decide the identity.

Authorization/Access Control

When a user or a device is authenticated, the next step is authorization which is the process of allowing the authority to perform certain tasks or operations. In Java, AccessDecisionManager and AccessDecsionVoter classes help in the authorization process. 

Example:

Authorization / Access Control

 

The class ConfigAttribute provides the secure object metadata to provide the permission required to access it. The AccessDecisionVoter handles the Spring Expression Language (SpEL) expressions. ConfigAttribute is an interface that contains only one method that returns a string that defines the rules for access control.

Advantages

  • Provides support for Java Configuration
  • Provides support for integration with Spring MVC
  • Provides protection against major security issues
  • Provides efficient portability

Sample Java Configuration File 

Java




// Configuration Java File
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
  
@EnableWebSecurity
public class WebSecurityConfig implements WebMvcConfigurer {
    // method to authenticate by collecting user related
    // data
    @Bean
    public UserDetailsService userDetailsService()
        throws Exception
    {
        // Managing the users in the memory database
        InMemoryUserDetailsManager manager
            = new InMemoryUserDetailsManager();
  
        // Creating the new user with userid AbhijeetRathore
        // and Password Abhijeet123
        manager.createUser(User.withDefaultPasswordEncoder()
                               .username("AbhijeetRathore")
                               .password("Abhijeet123")
                               .roles("USER")
                               .build());
  
        // returns User detail service
        return manager;
    }
  
    // configuring MVC Configuration with HTTP Security
    protected void configure(HttpSecurity http)
        throws Exception
    {
        // define the role of the user
        http.antMatcher("/")
            .authorizeRequests()
            .anyRequest()
            .hasRole("ADMIN")
            .and()
            .httpBasic();
    }
}


RELATED ARTICLES

Most Popular

Recent Comments