Adding Spring Security Authentication And Authorization In Spring Project
Posted By : Ranjan Mondal | 31-May-2018
Spring Security
Authentication and Authorization.
Authentication: verifying that a user or principal is who they claim to be.
You can use HTTP Basic, form-based, or LDAP authentication.
It is the process of identifying an individual using credentials such as a username and password, tokens, or biometrics.
Authorization: deciding whether a user is allowed to perform a certain action.
It is the process of granting someone access to a resource such as files, records, and databases.
Expanding security capabilities.
Protecting web resources: requiring roles to access URLs.
Requiring specific roles to invoke methods.
Requiring specific roles at the domain-object level.
Additional features.
Cross-Site Request Forgery (CSRF) protection.
Session fixation prevention.
Clickjacking protection.
Cross-Site Scripting (XSS) protection.
Password encoding via hash and salt.
Main components that allow a user to authenticate to an application.
UserDetailsService allows us to retrieve the details about a user that we have stored in our database.
SecurityContextHolder allows us to retrieve information about the authenticated user anywhere in our code.
UserDetails is Spring Security's representation of a user within the framework. It works closely with UserDetailsService. We will see how to integrate the UserDetails object with our custom user object.
AuthenticationProvider allows us to configure the authentication logic within the application. We can provide custom authentication logic here to authenticate a user.
Authentication represents the user's credentials (username and password). AuthenticationProvider relies heavily on the Authentication object: we pass an Authentication object to the authenticate method of the AuthenticationProvider class.
The authenticate method then returns a new Authentication object, which contains the authorities granted to the user.
Security interceptors are of two types.
FilterSecurityInterceptor -> checks URLs and grants access to web resources.
MethodSecurityInterceptor -> checks the authority of the principal and allows access to the method invocation.
All security interceptors are configured using config attributes.
Process: when a principal requests authentication, an Authentication object containing the credentials is passed to the AuthenticationManager, which delegates to an AuthenticationProvider.
The AuthenticationProvider contains the logic for validating the principal (user). It can use UserDetailsService to pull the stored data (credentials) of that particular user and validate against it.
Once the principal is authenticated, it is placed in the SecurityContextHolder, which allows controllers to extract information about the principal.
// Build an authenticated token carrying the user's authorities, then store it in the security context
Authentication auth = new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(auth);
About Author
Ranjan Mondal
Ranjan is a bright Web App Developer and has good knowledge of Core Java, Spring and Hibernate.