Spring Security Overview
So, dear habrayuzer, I suggest you consider such aspects of Spring Security as:
Spring Security is a Java / JavaEE framework that provides mechanisms for building authentication and authorization systems, as well as other security features for enterprise applications created using the Spring Framework. The project was started by Ben Alex at the end of 2003 under the name Acegi Security, the first release was released in 2004. Subsequently, the project was absorbed by Spring and became its official subsidiary project. First publicly introduced under the new name Spring Security 2.0.0 in April 2008.
')
(1) The user will be prompted to log in by providing a name (login or email) and password. The username and password are combined into an instance of the UsernamePasswordAuthenticationToken class (an instance of the Authentication interface), after which it is passed to the AuthenticationManager instance for verification.
(2) If the password does not match the username, a BadCredentialsException exception is thrown with the message “Bad Credentials”.
(3) If the authentication is successful, it returns a fully populated instance of Authentication.
(4) A security context is established for the user by calling the SecurityContextHolder.getContext (). SetAuthentication (...) method, where the object that the AuthenticationManager returned is passed to.
1. pom.xml
2. web.xml
And of course, the security.xml configuration file itself
Explanation of security.xml code:
It is understood that the login.jsp page has a form with action = "/ j_spring_security_check" which contains input for the name and password with name = "j_username" and name = "j_password", as well as a checkbox with name = "_ spring_security_remember_me". These are all the special values ​​that Spring Security requires; otherwise, the parameters will simply not be passed to the security context. After successful authentication, the user will be redirected to the / index page where authorization rules are already applied. If you do not specify the form and url in http spring-security then default authentication will work by default, or you can enable basic authentication by force in http-basic /> in spring-security
At url / index *, users can have access with ROLE_USER rights, as well as guests (all connections that failed to authenticate are given the name guest and ROLE_ANONYMOUS rights).
Only users with ROLE_USER rights can access the url / add *. Only users with ROLE_ADMIN rights can access the url / delete *.
Also, the authorized access can be bolted to the methods, for this you need to add the following element in the security.xml :
and in the code itself:
In the example, users are stored in a list in the .xml file i. UsernamePasswordAuthenticationToken will be compared with this data. In order to compare with users in the database (using ORM), you must implement the loadUserByUsername method of the UserDetailsService interface and specify in <authentication-provider user-service-ref = "userDetailsService"> a link to the bean of your implementation UserDetailsService. If you are not using ORM and you just need to pull out the user database and their rights using JDBC, you need to determine the DataSource bean with the help of which Spring will know how to get to the database and in <authentication-provider> specify the link to this bean and define two the request for which the necessary data users-by-username-query and authorities-by-username-query will be pulled out.
You can also check hashed passwords:
That's all. More details here:
(1) Documentation
(2) Sample Application
- Key objects of the Spring Security context.
- The authentication process in Spring Security.
- Connecting Spring Security itself to the project.
Spring Security is a Java / JavaEE framework that provides mechanisms for building authentication and authorization systems, as well as other security features for enterprise applications created using the Spring Framework. The project was started by Ben Alex at the end of 2003 under the name Acegi Security, the first release was released in 2004. Subsequently, the project was absorbed by Spring and became its official subsidiary project. First publicly introduced under the new name Spring Security 2.0.0 in April 2008.
Key Spring Security Context Objects:
')
- SecurityContextHolder, it contains information about the current security context of the application, which includes detailed information about the user (Principal) currently working with the application. By default, SecurityContextHolder uses ThreadLocal to store such information, which means that a security context is always available for methods executing on the same thread. In order to change the storage strategy for this information, you can use the static class method SecurityContextHolder.setStrategyName (String strategy). More SecurityContextHolder
- SecurityContext, contains the Authentication object and, if necessary, the security information associated with the request from the user.
- Authentication represents the user (Principal) in terms of Spring Security.
- GrantedAuthority reflects permissions granted to the user throughout the entire application, such permissions (usually referred to as “roles”), for example, ROLE_ANONYMOUS, ROLE_USER, ROLE_ADMIN.
- UserDetails provides the necessary information to build an Authentication object from DAO application objects or other security data sources. The UserDetails object contains the user name, password, and flags: isAccountNonExpired, isAccountNonLocked, isCredentialsNonExpired, isEnabled, and Collection - the rights (roles) of the user.
- UserDetailsService is used to create a UserDetails object by implementing a single method of this interface.
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
Allows you to get a user object from a data source and form a UserDetails object from it that will be used by the Spring Security context.
Authentication
(1) The user will be prompted to log in by providing a name (login or email) and password. The username and password are combined into an instance of the UsernamePasswordAuthenticationToken class (an instance of the Authentication interface), after which it is passed to the AuthenticationManager instance for verification.
(2) If the password does not match the username, a BadCredentialsException exception is thrown with the message “Bad Credentials”.
(3) If the authentication is successful, it returns a fully populated instance of Authentication.
(4) A security context is established for the user by calling the SecurityContextHolder.getContext (). SetAuthentication (...) method, where the object that the AuthenticationManager returned is passed to.
Enabling Security support for the SpringFramework application:
1. pom.xml
<properties> <spring.version>3.1.4.RELEASE</spring.version> </properties> <!-- Spring Security --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>${spring.version}</version> </dependency> 2. web.xml
<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> And of course, the security.xml configuration file itself
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <http access-denied-page="/error403.jsp"> <intercept-url pattern="/index*" access="ROLE_USER,ROLE_ANONYMOUS"/> <intercept-url pattern="/add*" access="ROLE_USER"/> <intercept-url pattern="/delete/*" access="ROLE_ADMIN"/> <form-login login-page="/login.jsp" default-target-url="/index" authentication-failure-url="/login.jsp?error=true"/> <logout logout-url="/logout" logout-success-url="/index"/> <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/> <remember-me/> </http> <authentication-manager> <authentication-provider> <user-service> <user name="admin" password="pass" authorities="ROLE_ADMIN,ROLE_USER"/> <user name="user1" password="1111" authorities="ROLE_USER"/> <user name="user2" password="2222" disabled="true" authorities="ROLE_USER"/> </user-service> </authentication-provider> </authentication-manager> </beans:beans> Explanation of security.xml code:
It is understood that the login.jsp page has a form with action = "/ j_spring_security_check" which contains input for the name and password with name = "j_username" and name = "j_password", as well as a checkbox with name = "_ spring_security_remember_me". These are all the special values ​​that Spring Security requires; otherwise, the parameters will simply not be passed to the security context. After successful authentication, the user will be redirected to the / index page where authorization rules are already applied. If you do not specify the form and url in http spring-security then default authentication will work by default, or you can enable basic authentication by force in http-basic /> in spring-security
At url / index *, users can have access with ROLE_USER rights, as well as guests (all connections that failed to authenticate are given the name guest and ROLE_ANONYMOUS rights).
Only users with ROLE_USER rights can access the url / add *. Only users with ROLE_ADMIN rights can access the url / delete *.
Also, the authorized access can be bolted to the methods, for this you need to add the following element in the security.xml :
<global-method-security secured-annotations="enabled" /> and in the code itself:
public interface AdminService { @Secured("ROLE_ADMIN") public Account editAccount(Account account); } In the example, users are stored in a list in the .xml file i. UsernamePasswordAuthenticationToken will be compared with this data. In order to compare with users in the database (using ORM), you must implement the loadUserByUsername method of the UserDetailsService interface and specify in <authentication-provider user-service-ref = "userDetailsService"> a link to the bean of your implementation UserDetailsService. If you are not using ORM and you just need to pull out the user database and their rights using JDBC, you need to determine the DataSource bean with the help of which Spring will know how to get to the database and in <authentication-provider> specify the link to this bean and define two the request for which the necessary data users-by-username-query and authorities-by-username-query will be pulled out.
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd"> <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <property name="driverClassName" value="com.mysql.jdbc.Driver" /> <property name="url" value="jdbc:mysql://localhost:3306/<yourDataBaseName>" /> <property name="username" value="root" /> <property name="password" value="password" /> </bean> <authentication-provider> <jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username, password, enabled from users where username = ?" authorities-by-username-query="select u.username, au.authority from users u, authorities au where u.id = au.user_id and u.username = ?" /> </authentication-provider> </beans> You can also check hashed passwords:
<authentication-manager> <authentication-provider> <password-encoder hash="sha"/> <user-service> <user name="jimi" password="d7e6351eaa13189a5a3641bab846c8e8c69ba39f" authorities="ROLE_USER, ROLE_ADMIN" /> <user name="bob" password="4e7421b1b8765d8f9406d87e7cc6aa784c4ab97f" authorities="ROLE_USER" /> </user-service> </authentication-provider> </authentication-manager> <password-encoder hash="sha"> <salt-source user-property="username"/> </password-encoder> That's all. More details here:
(1) Documentation
(2) Sample Application
Source: https://habr.com/ru/post/203318/
All Articles