Wednesday 9 January 2019

spring security architecture

spring security architecture

Application Security Areas:

There are two main areas for application securities.
1.     Authentication: Process of checking the user, who they claim to be.
2.     Authorization: Process of deciding whether a user is allowed to perform an activity within the application.

Authentication Models supported by Spring Security:

Spring security supports more than 20 Models for authentication. Some of them are
1.     X.509 client certificate exchange
2.     LDAP Authentication
3.     OpenID authentication
4.     Java Open Source Single Sign On
…..

Spring Security Modules

Spring security code has been divided in different JARs(Can be considers as modules)
1.     Core (spring-security-core.jar) : Required Module. Contains core authentication and access-contol classes and interfaces, remoting support and basic provisioning APIs.
2.     Web (spring-security-web.jar): Required* if web authentication services and URL-based access-control is required.Contains filters and related web-security infrastructure code.
3.     Remoting : Provides intergration with Spring Remoting.
4.     Config : Contains the security namespace parsing code. You need it if you are using the Spring Security XML namespace for configuration.
5.     LDAP : LDAP authentication and provisioning code. Required if you need to use LDAPauthentication or manage LDAP user entries.
6.     ACL : Used to apply security to specific domain object instances within your application.
7.     CAS : If you want to use Spring Security web authentication with a CAS single sign-on server.
8.     OPENID :Used to authenticate users against an external OpenID server.
Note: Details extracted from Official doc for Spring


Spring Security Configuration

Web.xml Configuration:

In order to enable spring security for your web application, you have to add below filter declaration in your web.xml.
1.     <filter>
2.     <filter-name>springSecurityFilterChain</filter-name>
3.     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
4.     </filter>
5.     <filter-mapping>
6.     <filter-name>springSecurityFilterChain</filter-name>
7.     <url-pattern>/*</url-pattern>
8.     </filter-mapping>
All request now will go through “springSecurityFilterChain” filter which will apply app security.

ApplicationContext-security.xml Configuration:

As Spring security is enabled till now we can now configure the security XML for different security related options like “Authentication Model”, Login page, Access denied page etc..

Namespace

Namespace configuration allows you to supplement the traditional Spring beans application context syntax with elements from additional XML schema. In order to use security namespace in application context, “spring-security-config” jar needs to be in classpath. Schema declaration that needs to be there in “application-context” XML.
1.     <beans:beans xmlns="http://www.springframework.org/schema/security"
2.     xmlns:beans="http://www.springframework.org/schema/beans"
3.     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4.     xsi:schemaLocation="http://www.springframework.org/schema/beans
5.     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
6.     http://www.springframework.org/schema/security
7.     http://www.springframework.org/schema/security/spring-security-3.1.xsd">
8.     ...
9.     </beans:beans>
With this configuration we can use “security” as the default namespace rather than “beans”.

Authentication Model:

Here we decide which authentication model you will use for your web application. Option could be any of the above(LDAP, Open ID..). Once decided same could be configured via “<authentication-manager></authentication-manager>” tag.
Ex 1 :
1.     <authentication-manager>
2.     <authentication-provider>
3.     <user-service>
4.     <user name="user1" password="password" authorities="ROLE_USER, ROLE_ADMIN" />
5.     <user name="user2" password="password" authorities="ROLE_USER" />
6.     </user-service/>
7.     </authentication-provider>
8.     </authentication-manager>
Here user and their roles have been hard coded in XML itself and user will be authenticated and authorized on given basis. Two user has been created with password as “password” and there are roles are “ROLE_USER, ROLE_ADMIN”.
Ex. 2 :
1.     <authentication-manager>
2.     <authentication-provider ref="ldapActiveDirectoryAuthProvider"></authentication-provider>
3.     </authentication-manager>
4.      
5.     <beans:bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
6.     <beans:constructor-arg value="abc.xyz.com"></beans:constructor-arg>
7.     <beans:constructor-arg value="ldaps://abc.xyz.com:636"></beans:constructor-arg>
8.     </beans:bean>
Here user will be authenticated and authorized via LDAP server(In current Situation Active Directory)
Note : Port no will be 636 for secured connection and will 393 for non secured.
Ex 3 :
1.     <authentication-manager>
2.     <authentication-provider>
3.     <jdbc-user-service data-source-ref="dataSource" />
4.     </authentication-provider>
5.     </authentication-manager>
Here user will be authenticated and authorized on the basis of table(USERS & AUTHORIZATION) in DB. datasource will be used to access the given tables in DB. Structure of the tables should be.
1.     CREATE TABLE USERS (USERNAME VARCHAR2, PASSWORD VARCHAR2,ENABLED VARCHAR2);
2.      
3.     CREATE TABLE AUTHORITIES(USERNAME VARCHAR2, AUTHORITY VARCHAR2);
Note*: You can have multiple <authentication-provider> elements to define different authentication sources and each will be consulted in turn.
Till now you have enabled the Spring security for your web application and configured the “Authentication- Manager” through which user can be authenticated and authorised. We might have to configure login, logout page and role based URL access.


These are the relevant links to provide custom authentication provider and to add multiple authentication providers in Spring Security.

https://www.baeldung.com/spring-security-authentication-provider
https://www.baeldung.com/spring-security-multiple-auth-providers

Session Management Configuration
1.     <session-management>
2.     <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
3.     </session-management>
Here we have defined that user can have 1 session at max.
error-if-maximum-exceeded is used to define what should be happend when user tries to create more then one session.
If it is true : User will get error page stating that user can not have more then one session if it already has one active session.
If it is false: User will not get any error while trying to login to application(Creating another session) but other session will get invalidated and user will have only have new session.


Spring as they say is truly a one stop shop for all. It is no less when it comes to securing applications.
There are other available frameworks and APIs to secure web application like Apache CXF, IBM’s WSS and so on but these could be considered only as per requirement. In the current scenario, the required features are all available with Spring and therefore it makes Spring the best candidate to win security implementation.

By at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)