Category Archives: Spring Security

Spring Book – Chapter 15 – Web Application Security with Spring

Security is one of the very important services which any application needs to have in a comprehensive manner taking care of all the essential parts in a very elegant and simple manner. Spring Security framework is used in several domains including government, banking and military applications. Although written in Java, due to its high adoption and success, its architecture is ported to other platforms such as Microsoft .NET and Python to name few.

Spring Security provides declarative security especially for Spring based application. Having said that it has appropriate extension points and pluggability built into it using which it can be even plugged and used with other standard frameworks available in the software industry. Spring Security provides enterprise level authentication and authorization services at the web request level and at the method invocation level for JEE based enterprise software applications.

Security Concepts

Before diving deep into the Security and Spring Security in detail in this Chapter, there are certain terms in the Security world which should be understood in all aspects. This section aims to do just that and armor you with adequate concepts and terminologies which will be used throughout the Chapter.

Principal

Any user, system or a device which performs an action is called as a “Principal”. In simple terms in the case an application, anything which would like to interact with the application can be called as a “Principal”.

Authentication

The process by which the application checks or validates if the interacting “Principal” is who or what it claims to be is called authentication. There are various ways by which authentication process can take place like basic, form, digest, etc.

Credentials

The application does the process of authentication by challenging the principal. The challenge is usually a request by the application to get the principal to pass on valid credentials, usually a username/password combination already stored in a persistent store of any nature as the application please to be. There are various storage mechanisms by which to store the credentials and various authority details like a database, LDAP, etc.

Authorization

After a principal is successfully authenticated, it still needs necessary access rights to perform an action on the application like creating a new record, viewing a page etc. This process makes sure that the principal has necessary access to perform the action.

Secured Item

Any resource or item in an application which requires appropriate access rights to perform action on it is called “Secured Item” or “Secured Resource”.

GrantedAuthority

Spring Security related term and is used to refer to application-wide permissions/access rights granted to a principal.

SecurityContext

It’s the Spring Security object which is responsible for holding authentication and other security related details.

SecurityContextHolder

It’s the Spring Security object which is responsible for providing access to the SecurityContext object. It uses various strategies like ThreadLocal, inherited ThreadLocal and Global to provide the SecurityContext object within an application.

Spring Security Motivation

Spring Security was developed keeping in mind certain considerations. These considerations have become the core motivation on which Spring Security thrives and competes. These motivations can be summarized as shown below:

  • Portability – Spring Security is portable across different containers both commercial and open-source alike in all aspects. Web application using Spring Security can be deployed as is in different containers and can also run in standalone environments. Non-portability in servlet specification security is overcome by Spring Security by not having container specific adapters and role mappings.
  • Flexibility – Spring Security supports almost all the common authentication mechanisms and also keeps adding new supports as new technologies arises making it up-to-date almost all the time. It also provides configurable storage options for user credentials and authorities. Being built on top of Spring, we can do all of these by mere configuration, making it simple and easy.
  • Extensibility – This is high level of extensibility which Spring Security provides in the form of how the principal is defined, where the authentication information stored, how authorization decisions made, where security constraints stored etc. making is highly customizable in nature according to various application requirements.
  • Separation of Concerns – one of the very important motivations on which Spring Security is built on is the level of separation of concerns it provides allowing business logic to completely decouple from the security code. Also security concerns like authentication and authorization is also decoupled from each other making it possible to change authentication process without affecting authorization.
  • Consistency – regardless of mechanisms followed to achieve both authentication and authorization, Spring Security keeps the consistency in all aspects.

Spring Security History

Spring Security was originally called Acegi Security created by Ben Alex in the year 2003. Version 1.0 got release in March 2003. Acegi Security provided declarative security and was extremely powerful and flexible in numerous aspects. Although it had advantages in many aspects it had a big inherent problem in having all configurations in XML making it really cumbersome and sometimes troublesome in various aspects.

In Spring Framework 2.0 version Acegi Security was adopted into it and was renamed as Spring Security. With advances in Spring Framework, came advances in Spring Security. Additional modules kept added on and with Spring namespace configurations slowly became easy and more manageable and paved way to configuration by convention. It applies security rules by extensive use of Servlet filters and Spring AOP. Although Spring Security is Spring-based, it can be used with non-Spring based web applications with ease.

Page Visitors: 5920

Spring Security – Multiple authentication providers

An AuthenticationManager is responsible for passing requests through a chain of AuthenticationProviders. It is very much similar to the filter chain in a typical web application.

These authentication providers are tried in the order shown (which is implied by the use of a List instead of a Set), with each provider able to attempt authentication, or skip authentication by simply returning null. If all implementations return null, the ProviderManager will throw a suitable exception.

Below is the spring bean configuration which can be used for setting up multiple authentication providers in your Spring application using Spring Security.

spring-security.xml

Sample 1:-

Sample 2:-

In the above sample configuration, both the declared authentication providers will be registered with authentication manager.

Page Visitors: 2919