Spring Security: A Brief Introduction (2012)
What is it?
• Security toolkit for Java applications
• Primarily intended for web applications
• Open source from SpringSource (http://www.springsource.org/spring-security)
• Current version is 3.1.1
• Requires Java 1.5+ and Spring 3.0.7+
Authentication Support
• Integrates with a wide variety of authentication mechanisms
  • HTTP (Basic / Digest / X.509 certificates)
  • LDAP (and Active Directory)
  • Distributed authentication / Single Sign-On
    • OAuth 1.0, OpenID, SAML, JA-SIG CAS
  • JEE container-managed authentication
  • Header-based authentication (e.g., SiteMinder)
  • Custom implementations
  • And many more… (> 30)
• Can support multiple mechanisms simultaneously
Authorization Support
• Supports authorization based on URL / URL pattern
  • Similar to url-pattern in the web.xml file
• Supports authorization based on method invocation
  • Done via aspects (AOP proxies wrapped around the secured beans)
• Supports the use of annotations
  • Both Spring-specific and JSR-250
• All three mechanisms can be used at the same time
• Also allows the value returned by a method to be modified, if needed
Simple Example (1)
web.xml

    <filter>
        <filter-name>springSecFilter</filter-name>
        <filter-class>…DelegatingFilterProxy</filter-class>
        <!-- DelegatingFilterProxy hands each request to the Spring bean whose name
             matches the filter-name; Spring Security registers its chain as
             "springSecurityFilterChain", so either use that as the filter-name
             or point the targetBeanName init-param at it -->
    </filter>
    <filter-mapping>
        <filter-name>springSecFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

• Still need Spring config…
Simple Example (2)
applicationContext.xml (Spring configuration file)

    <http pattern="/css/*" security="none"/>
    <http pattern="/login.jsp" security="none"/>
    <http auto-config="true">
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <form-login login-page="/login.jsp"/>
    </http>

• Will expect to have users defined in the XML this way…
Slightly More Complex…
applicationContext.xml

    <http pattern="/css/*" security="none"/>
    <http pattern="/login.jsp" security="none"/>
    <http auto-config="true">
        <intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
        <form-login login-page="/login.jsp"/>
    </http>
    <!-- authentication-manager is a sibling of <http>, not a child of it -->
    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="securityDS"/>
        </authentication-provider>
    </authentication-manager>
Other Features
• Can configure Spring Security to detect timeouts
  • Detects requests submitted with an expired session and redirects them to another location
• Can be used to limit the number of concurrent logins by a user
  • The limit applies to all users, not to specific one(s)
• Supports steps to eliminate session fixation attacks
  • Via the session-fixation-protection attribute on the session-management element
• Allows user-defined filters to be included in the security filter chain
  • Can specify both the additional filter and where in the chain to execute it
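The four items above map onto a handful of elements in the same security namespace the earlier slides use. The following configuration is an added example written for this page, not one of the deck's own slides; the URLs, the `auditFilter` bean id and the `com.example.web.AuditFilter` class are assumptions, while `securityDS` is the data source already referenced on the previous slide.

```xml
<!-- Added example, not from the slides: a Spring Security 3.1 namespace
     configuration that switches on the four "Other Features" items.
     URLs, the bean id and the filter class name are assumptions. -->
<http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <form-login login-page="/login.jsp"/>

    <!-- Timeout detection: a request presenting a session id the container no
         longer knows is redirected here instead of silently becoming anonymous.
         Session fixation: after login the session is replaced by a fresh one
         (attributes copied across), so a session id planted before login is
         never promoted to an authenticated session. -->
    <session-management invalid-session-url="/sessionExpired.jsp"
                        session-fixation-protection="migrateSession">
        <!-- Concurrent login limit. It applies to every user alike, and with
             error-if-maximum-exceeded="true" the second login is rejected rather
             than the first session being expired. Session destruction must be
             reported back to Spring Security, so web.xml also needs:
             <listener>
               <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
             </listener> -->
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
    </session-management>

    <!-- A user-defined filter; its place in the chain is given relative to one
         of the standard filter aliases (before/after/position are accepted). -->
    <custom-filter ref="auditFilter" after="FORM_LOGIN_FILTER"/>
</http>

<!-- The custom filter is an ordinary bean. AuditFilter is a hypothetical
     javax.servlet.Filter implementation; the security namespace is the default
     namespace here, as on the slides, hence the beans: prefix. -->
<beans:bean id="auditFilter" class="com.example.web.AuditFilter"/>

<authentication-manager>
    <authentication-provider>
        <jdbc-user-service data-source-ref="securityDS"/>
    </authentication-provider>
</authentication-manager>
```

Without the `HttpSessionEventPublisher` listener the session registry never learns that a session ended, so a user who simply closes the browser is locked out until the server-side timeout fires; that is the usual first complaint when concurrency control is enabled.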
Authorization Checking Support
• Default (simple examples) authorization based on:
  • intercept-url
  • protect-pointcut
• Annotations using:
  • Spring @Secured (e.g., @Secured("ROLE_ADMIN"))
  • JSR-250 annotations
  • Spring Pre/Post annotations (e.g., @PreAuthorize("hasAuthority('ROLE_ADMIN')"))
• Annotations are only effective when Spring instantiates the annotated classes!
• More complex models supported by implementing a custom AccessDecisionManager
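The Authorization Support and Authorization Checking Support slides list three annotation styles and mention that a method's return value can be altered. The service class below is an added example for this page, not code from the slides; the package, the `OrderService` and `Order` types, the role names and the in-memory data are all assumptions, and it presumes the annotations have been enabled with a `<global-method-security>` element that the deck does not show.

```java
// Added example, not from the slides. One Spring-managed service using the
// three annotation styles the deck lists, plus a post-invocation filter that
// modifies the returned value. Package, class names, roles and data are
// assumptions. The annotations only fire if the Spring config enables them:
//   <global-method-security secured-annotations="enabled"
//                           jsr250-annotations="enabled"
//                           pre-post-annotations="enabled"/>
package com.example.orders;

import java.util.ArrayList;
import java.util.List;

import javax.annotation.security.RolesAllowed;

import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

// Must be a Spring bean: the checks live in a proxy Spring wraps around the
// instance, so a plain "new OrderService()" bypasses every annotation below.
@Service
public class OrderService {

    // Constructed in-memory data standing in for a repository.
    private final List<Order> orders = new ArrayList<Order>();

    public OrderService() {
        orders.add(new Order(1, "alice"));
        orders.add(new Order(2, "bob"));
    }

    // Spring-specific annotation: the caller must hold the ROLE_ADMIN authority.
    @Secured("ROLE_ADMIN")
    public void cancelAll() {
        orders.clear();
    }

    // JSR-250 equivalent of @Secured("ROLE_ADMIN").
    @RolesAllowed("ROLE_ADMIN")
    public int countAll() {
        return orders.size();
    }

    // Pre/Post annotations take a SpEL expression. Any authenticated user may
    // list orders, but the returned collection is filtered afterwards so a
    // non-admin only sees the orders they own. PostFilter removes elements
    // from the returned list in place, hence the defensive copy.
    @PreAuthorize("hasRole('ROLE_USER')")
    @PostFilter("hasRole('ROLE_ADMIN') or filterObject.owner == authentication.name")
    public List<Order> findAll() {
        return new ArrayList<Order>(orders);
    }

    public static class Order {
        private final int id;
        private final String owner;

        public Order(int id, String owner) {
            this.id = id;
            this.owner = owner;
        }

        public int getId() { return id; }
        public String getOwner() { return owner; }
    }
}
```

Calling `findAll()` as `alice` (holding only `ROLE_USER`) yields a one-element list; as an admin it yields both orders; `cancelAll()` from a `ROLE_USER` caller throws an `AccessDeniedException` before the body runs. If the same class is constructed directly in a test rather than obtained from the application context, none of those outcomes occur, which is the point of the slide's warning about instantiation.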
Questions?