Advanced Spring Security
Some of the advanced Spring Security is discussed in this section with the help of some of the use cases which are very common in an enterprise application.
- Enabling Spring Security debug logging – To enable debug logging, create a file named log4j.properties in src/main/resources/ directory and add the following line shown in Listing 15-32 below to the end.
Listing 15-32. Enabling debug logging of Spring Security in the log4j configuration file namely log4j.properties
|
1 |
log4j.logger.org.springframework.security=DEBUG |
- Moving remember me to database – The below steps summarizes what needs to be done to move the “remember me” functionality to the database.
- According to the database used, prepare the database with the relevant tables. Listing 15-33 below shows table creation syntax for the “Persistent_logins” table in Oracle database.
Listing 15-33. Table creation syntax in Oracle
|
1 2 3 4 5 6 7 8 9 10 11 |
CREATE TABLE PERSISTENT_LOGINS ( USERNAME VARCHAR2(50) not null, SERIES VARCHAR2(64) primary key, TOKEN VARCHAR2(64) not null, LAST_USED TIMESTAMP not null ); |
- Configuration to be done in the Spring Security configuration file as shown in Listing 15-34 below.
Listing 15-34. Configuration in Spring Security configuration file
|
1 2 3 4 5 6 7 8 9 |
<http auto-config="true" access-denied-page="/auth/denied"> ... <remember-me key="springsecurity" token-validity-seconds="3600" data-source-ref="dataSource"/> ... </http> |
- Appropriate changes to be done in the JSP file if login page has been customized. If default generated login page is used automatically Remember me checkbox id added by the framework. If customized login page is used Listing 15-35 below shows the line to be included for checkbox to appear.
Listing 15-35. Checkbox of “Remember Me” in the JSP file
|
1 |
<input type="checkbox" name="_spring_security_remember_me"/>Remember me on this computer. |
- Securing site with SSL
The Secure Sockets Layer (SSL) protocol, and its successor, Transport Layer Security (TLS), are used to provide transport level security for HTTP transactions over the web—these are known as HTTP Secure (HTTPS) transactions.
wikipedia.org
The attribute “requires-channel” can be added to any <intercept-url> declaration to require that any URL matching the pattern is required to pass over a specific protocol (HTTP, HTTPS, or any) as shown in Listing 15-36 below.
Listing 15-36. Usage of attribute “requires-channel” to mandate use of appropriate protocols for security aspect
|
1 2 3 4 5 6 7 8 9 |
<http auto-config="true" access-denied-page="/auth/denied"> ... <intercept-url pattern="/main/admin" access="ROLE_ADMIN" requires-channel="https"/> ... </http> |
Secure port mapping – Certain environments may have HTTP or HTTPS ports other than the standard defaults of 80/443 or 8080/8443. In this case, you must augment your Spring Security application’s configuration to include explicit port mappings, so it can determine which port to use when redirecting users to secure or non-secure URL’s.
This is trivial to do with the additional configuration element <port-mappings>, which allows for specification of additional HTTP or HTTPS pairs in addition to the defaults as shown in the Listing 15-37 below.
Listing 15-37. Usage of different ports for secure and non-secure URL’s
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
<http auto-config="true" access-denied-page="/auth/denied"> ... <port-mappings> <port-mapping http="9080" https="9443"/> </port-mappings> ... </http> |
The use of port mappings can be especially important if your application server is behind a reverse proxy.
Summary
Spring Security is a very powerful security framework and over the period of time it has become a de-facto in all the enterprise application requiring security. Highly pluggable and extensibility makes it easy to switch the authentication and authorization mechanisms according to various changing security requirement in the application.
In this Chapter, we started off with some basic security related terms and concepts. Later on we delved into the Spring Security Framework. We covered Spring Security Framework’s main motivations, its history and the various modules that it comprises off. We then went into its features and capabilities and looked into its various concepts with code samples.
After that we delved into nitty-gritties of setting up Spring Security in a typical web application, going through each step with sample code listings as necessary. We closed the Chapter with some advances S[ring Security features with the help of sample code listings for better understanding.
You should now have a clear idea of Spring Security Framework as a whole and you should be able to integrate you web application, written in any framework easily with the Spring Security Framework with ease.
Page Visitors: 11024
Tomcy John
Latest posts by Tomcy John (see all)
- A Guide to Continuous Improvement for Architects - February 2, 2023
- Cloud-first Architecture Strategy - January 26, 2023
- Architecture Strategy and how to create One - January 24, 2023