Spring Book – Chapter 15 – Web Application Security with Spring

Advanced Spring Security

Some of the advanced Spring Security is discussed in this section with the help of some of the use cases which are very common in an enterprise application.

  • Enabling Spring Security debug logging – To enable debug logging, create a file named log4j.properties in src/main/resources/ directory and add the following line shown in Listing 15-32 below to the end.

Listing 15-32. Enabling debug logging of Spring Security in the log4j configuration file namely log4j.properties

  • Moving remember me to database – The below steps summarizes what needs to be done to move the “remember me” functionality to the database.
    • According to the database used, prepare the database with the relevant tables. Listing 15-33 below shows table creation syntax for the “Persistent_logins” table in Oracle database.

Listing 15-33. Table creation syntax in Oracle

  • Configuration to be done in the Spring Security configuration file as shown in Listing 15-34 below.

Listing 15-34. Configuration in Spring Security configuration file

  • Appropriate changes to be done in the JSP file if login page has been customized. If default generated login page is used automatically Remember me checkbox id added by the framework. If customized login page is used Listing 15-35 below shows the line to be included for checkbox to appear.

Listing 15-35. Checkbox of “Remember Me” in the JSP file

  • Securing site with SSL

The Secure Sockets Layer (SSL) protocol, and its successor, Transport Layer Security (TLS), are used to provide transport level security for HTTP transactions over the web—these are known as HTTP Secure (HTTPS) transactions.

wikipedia.org

The attribute “requires-channel” can be added to any <intercept-url> declaration to require that any URL matching the pattern is required to pass over a specific protocol (HTTP, HTTPS, or any) as shown in Listing 15-36 below.

Listing 15-36. Usage of attribute “requires-channel” to mandate use of appropriate protocols for security aspect

Secure port mapping – Certain environments may have HTTP or HTTPS ports other than the standard defaults of 80/443 or 8080/8443. In this case, you must augment your Spring Security application’s configuration to include explicit port mappings, so it can determine which port to use when redirecting users to secure or non-secure URL’s.

This is trivial to do with the additional configuration element <port-mappings>, which allows for specification of additional HTTP or HTTPS pairs in addition to the defaults as shown in the Listing 15-37 below.

Listing 15-37. Usage of different ports for secure and non-secure URL’s

The use of port mappings can be especially important if your application server is behind a reverse proxy.

Summary

Spring Security is a very powerful security framework and over the period of time it has become a de-facto in all the enterprise application requiring security. Highly pluggable and extensibility makes it easy to switch the authentication and authorization mechanisms according to various changing security requirement in the application.

In this Chapter, we started off with some basic security related terms and concepts. Later on we delved into the Spring Security Framework. We covered Spring Security Framework’s main motivations, its history and the various modules that it comprises off. We then went into its features and capabilities and looked into its various concepts with code samples.

After that we delved into nitty-gritties of setting up Spring Security in a typical web application, going through each step with sample code listings as necessary. We closed the Chapter with some advances S[ring Security features with the help of sample code listings for better understanding.

You should now have a clear idea of Spring Security Framework as a whole and you should be able to integrate you web application, written in any framework easily with the Spring Security Framework with ease.

Page Visitors: 9099

The following two tabs change content below.
Tomcy John

Tomcy John

Blogger & Author at javacodebook
He is an Enterprise Java Specialist holding a degree in Engineering (B-Tech) with over 10 years of experience in several industries. He's currently working as Principal Architect at Emirates Group IT since 2005. Prior to this he has worked with Oracle Corporation and Ernst & Young. His main specialization is on various web technologies and acts as chief mentor and Architect to facilitate incorporating Spring as Corporate Standard in the organization.
Tomcy John

Latest posts by Tomcy John (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *