Spring Security Architecture
Spring Security framework helps us to secure Java-based web applications. The main task of the Spring Security framework is managing who can access what. It is used to protect our application from common security threats such as CSRF and session fixation attacks. Spring Security makes it simple to set up user login systems and also ensures that the application is both secure and user-friendly.
Spring Security framework adds two important capabilities to web applications, which are listed below:
- Authentication
- Authorization/Access Control
This framework protects against popular security issues like CSRF attacks, or Fixation attacks. It provides a secure and standard way to set up user login functionality in web applications and thus provides quick user authentication and access control.
Authentication
Authentication is the process of verifying the identity of the computer user. It is the process of verifying the user and devices before allowing them to access the resources. In Java, the AuthenticationManager interface is responsible for handling authentication events.
Example:
The AuthenticationManager interface method "authenticate()" returns authentication (i.e if authentication= true )if it verifies the identity. The AuthenticationException is thrown if it identifies an invalid identity or principal. It returns null if he cannot decide the identity.
Authorization/Access Control
When a user or a device is authenticated, the next step is authorization which is the process of allowing the authority to perform certain tasks or operations. In Java, AccessDecisionManager and AccessDecsionVoter classes help in the authorization process.
Example:
The class ConfigAttribute provides the secure object metadata to provide the permission required to access it. The AccessDecisionVoter handles the Spring Expression Language (SpEL) expressions. ConfigAttribute is an interface that contains only one method that returns a string that defines the rules for access control.
Advantages
- Provides support for Java Configuration
- Provides support for integration with Spring MVC
- Provides protection against major security issues
- Provides efficient portability
Sample Java Configuration File:
// Configuration Java File
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableMethodSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableMethodSecurity
public class SecurityConfig {
// Bean for UserDetailsService to manage user authentication details
@Bean
public UserDetailsService userDetailsService(BCryptPasswordEncoder passwordEncoder) {
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("AbhijeetRathore")
.password(passwordEncoder.encode("Abhijeet123"))
.roles("USER")
.build());
return manager;
}
// Bean for configuring HTTP security settings
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authz -> authz
.requestMatchers("/").hasRole("ADMIN")
.anyRequest().authenticated())
.httpBasic();
return http.build();
}
// Bean for customizing web security
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return web -> web.ignoring().requestMatchers("/resources/**");
}
// Bean to provide a BCryptPasswordEncoder for securely encoding passwords
@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
