Spring Security framework adds two important capabilities to web applications,
- Authentication
- Authorization/Access Control
This framework provides protection against popular security issues like SCRF attacks, or Fixation attacks. It provides a secure and standard way to set up user login functionality in web applications and thus provides quick user authentication and access control.
Authentication
Authentication is the process of verifying the identity of the computer user. It is the process of verifying the user and devices before allowing them to access the resources. In Java, the AuthenticationManager interface is responsible for handling authentication events.
Example:
The AuthenticationManager interface method “authenticate()” returns authentication (i.e if authentication= true )if it verifies the identity. The AuthenticationException is thrown if it identifies an invalid identity or principal. It returns null if he cannot decide the identity.
Authorization/Access Control
When a user or a device is authenticated, the next step is authorization which is the process of allowing the authority to perform certain tasks or operations. In Java, AccessDecisionManager and AccessDecsionVoter classes help in the authorization process.
Example:
The class ConfigAttribute provides the secure object metadata to provide the permission required to access it. The AccessDecisionVoter handles the Spring Expression Language (SpEL) expressions. ConfigAttribute is an interface that contains only one method that returns a string that defines the rules for access control.
Advantages
- Provides support for Java Configuration
- Provides support for integration with Spring MVC
- Provides protection against major security issues
- Provides efficient portability
Sample Java Configuration File
Java
// Configuration Java File import org.springframework.context.annotation.*; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.*; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; @EnableWebSecurity public class WebSecurityConfig implements WebMvcConfigurer { // method to authenticate by collecting user related // data @Bean public UserDetailsService userDetailsService() throws Exception { // Managing the users in the memory database InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager(); // Creating the new user with userid AbhijeetRathore // and Password Abhijeet123 manager.createUser(User.withDefaultPasswordEncoder() .username( "AbhijeetRathore" ) .password( "Abhijeet123" ) .roles( "USER" ) .build()); // returns User detail service return manager; } // configuring MVC Configuration with HTTP Security protected void configure(HttpSecurity http) throws Exception { // define the role of the user http.antMatcher( "/" ) .authorizeRequests() .anyRequest() .hasRole( "ADMIN" ) .and() .httpBasic(); } } |