Sunday, August 9, 2015

Spring security - different options

Spring provides options to perform authentication and authorisation. 

Authenticating using Spring: 
Spring provides the following features as part of authentication: 
  • Basic Authentication: authentication based on the user credentials present in the URLs. 
  • Form-based login: a default login form, provided as a popup box for entering user credentials. 
  • Custom form: you can also create your own form, but it needs to follow some rules so that Spring knows which form it is and which are its userid and password fields. 
  • Logout service: the user can log out using the logout URL; the user object maintained in the session is removed. 
  • Remember-me support. 

The data for authentication can reside in different places. The Spring authentication provider supports user details that are: 
  • hardcoded in memory, in the configuration file: 
  <authentication-provider>
    <user-service>
        <user name="admin" password="secret" authorities="ROLE_ADMIN,ROLE_USER" />
        <user name="user1" password="1111" authorities="ROLE_USER" />
        <user name="user2" password="2222" disabled="true" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>
  • stored in a user SQL database: 
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
                .dataSource(dataSource)
                .usersByUsernameQuery(
                        "SELECT username, password, 'true' as enabled FROM member WHERE username = ?")
                .authoritiesByUsernameQuery(
                        "SELECT member.username, member_role.role as authorities " +
                        "FROM member, member_role " +
                        "WHERE  member.username = ? AND member.id = member_role.member_id");
    }
  • kept in a custom store, which may be a file or NoSQL storage: create your own user-details object and validate it against whatever backend you want (DB, FTP, etc.). 
  • kept in an identity store, which you can query using LDAP: 
    <authentication-manager>
      <authentication-provider>
        <password-encoder hash="{sha}" />
        <ldap-user-service server-ref="ldapServer"
          user-search-filter="uid={0}" user-search-base="ou=people"
          group-search-filter="member={0}" group-search-base="ou=groups" />
      </authentication-provider>
    </authentication-manager>

    <ldap-server id="ldapServer"
        url="ldap://localhost:1389/dc=springrecipes,dc=com"
        manager-dn="cn=Directory Manager" manager-password="ldap" />

The configuration also needs to specify the login form page, the default URL to go to after a successful login, the logout URL, the URL patterns that require authentication, the userid and password field names, and the action URL at which Spring Security processes the login. 
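As an added example (not code from the original post), the Spring Security 4.x Java configuration below wires the custom-store bullet and the form settings just listed together: a UserDetailsService backed by a plain map that stands in for a file or NoSQL store (constructed sample records, with BCrypt-hashed passwords instead of the plaintext values used in the XML above), plus the form page, processing URL, field names, success and logout URLs, protected URL patterns and remember-me. The package name, URLs, parameter names and remember-me key are assumptions.

```java
package demo.security; // hypothetical package

import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Custom store: a map stands in for a file or NoSQL backend (constructed sample data). */
    public static class MapUserDetailsService implements UserDetailsService {
        // username -> { bcrypt hash, enabled flag, comma-separated roles }
        private final Map<String, String[]> records = new HashMap<>();

        public MapUserDetailsService(PasswordEncoder encoder) {
            records.put("admin", new String[] { encoder.encode("secret"), "true", "ROLE_ADMIN,ROLE_USER" });
            records.put("user1", new String[] { encoder.encode("1111"), "true", "ROLE_USER" });
            records.put("user2", new String[] { encoder.encode("2222"), "false", "ROLE_USER" });
        }

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            String[] rec = records.get(username);
            if (rec == null) {
                // Spring reports this as a generic bad-credentials failure, so the login
                // form does not reveal which usernames exist.
                throw new UsernameNotFoundException("no such user");
            }
            boolean enabled = Boolean.parseBoolean(rec[1]);  // disabled users fail like user2 above
            return new User(username, rec[0], enabled, true, true, true,
                    AuthorityUtils.commaSeparatedStringToAuthorityList(rec[2]));
        }
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();  // salted, slow hash; never store plaintext
    }

    @Bean
    public UserDetailsService mapUserDetailsService() {
        return new MapUserDetailsService(passwordEncoder());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(mapUserDetailsService()).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/login", "/css/**").permitAll()  // public URLs
                .antMatchers("/admin/**").hasRole("ADMIN")         // URL pattern guarded by role
                .anyRequest().authenticated()                       // everything else needs a login
                .and()
            .formLogin()
                .loginPage("/login")               // the custom form page
                .loginProcessingUrl("/doLogin")    // action URL the form posts to
                .usernameParameter("user")         // field names the custom form must use
                .passwordParameter("pass")
                .defaultSuccessUrl("/home", true)  // where to go after a successful login
                .failureUrl("/login?error")
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/logout")              // logout URL; session and context are cleared
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .and()
            .rememberMe()
                .key("change-me-remember-key")     // placeholder: use a long random secret
                .tokenValiditySeconds(14 * 24 * 3600);
        // CSRF protection stays on (the Java-config default): the custom login form must
        // include the _csrf hidden field, and logout must be a POST, or the request is rejected.
    }
}
```

The custom login page must post to /doLogin with fields named user and pass; getting either name wrong is the usual reason a custom form silently "does not log in". The three sample accounts mirror the in-memory XML above, so the disabled user2 is rejected with the same outcome as there.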

Securing URL Access

You can secure methods using different ways: 

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class ApplicationConfig { ... }

In the controller, 

    @Secured({"ROLE_USER", "ROLE_GUEST"})
    public List<Message> listMessages() {
        ...
    }
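The following is an added, self-contained example (not code from the original post) that shows the @Secured check above actually being enforced, together with the equivalent @PreAuthorize form: it boots a minimal Spring context with method security enabled and calls the guarded methods as an admin, as a plain user and with no authentication at all. It assumes Spring Security 4.x and Java 8 on the classpath; the package name, the MessageService class and its sample data are invented for the demonstration.

```java
package demo.security; // hypothetical package

import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;

public class MethodSecurityDemo {

    @Configuration
    @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
    public static class MethodSecurityConfig {
        @Bean
        public MessageService messageService() {
            return new MessageService();
        }
    }

    /** Service whose methods are guarded. Spring wraps the bean in a proxy that checks the
     *  current Authentication before each call; a self-invocation inside the class bypasses it. */
    public static class MessageService {
        @Secured({ "ROLE_USER", "ROLE_GUEST" })      // any one listed role is enough; prefix required
        public List<String> listMessages() {
            return Arrays.asList("hello", "world");  // constructed sample data
        }

        @PreAuthorize("hasRole('ADMIN')")            // SpEL form; hasRole adds the ROLE_ prefix
        public void purgeMessages() {
        }
    }

    /** Runs a guarded call as the given principal (null = anonymous) and reports the outcome. */
    static String attempt(Runnable call, String who, String... roles) {
        SecurityContextHolder.getContext().setAuthentication(
                who == null ? null : new TestingAuthenticationToken(who, "n/a", roles));
        try {
            call.run();
            return "allowed";
        } catch (AccessDeniedException e) {
            return "denied";                          // authenticated but lacking the role
        } catch (AuthenticationCredentialsNotFoundException e) {
            return "no authentication in context";    // nobody is logged in
        } finally {
            SecurityContextHolder.clearContext();     // never leak a principal between calls
        }
    }

    public static void main(String[] args) {
        AnnotationConfigApplicationContext ctx =
                new AnnotationConfigApplicationContext(MethodSecurityConfig.class);
        MessageService svc = ctx.getBean(MessageService.class);  // the proxied bean, not `new`
        System.out.println("user1 list:  " + attempt(svc::listMessages, "user1", "ROLE_USER"));   // allowed
        System.out.println("user1 purge: " + attempt(svc::purgeMessages, "user1", "ROLE_USER"));  // denied
        System.out.println("admin purge: " + attempt(svc::purgeMessages, "admin", "ROLE_ADMIN")); // allowed
        System.out.println("anon list:   " + attempt(svc::listMessages, null));                   // no authentication
        ctx.close();
    }
}
```

Two points the demo makes visible: the check only runs when the call goes through the Spring-managed proxy obtained from the context, and @Secured compares the literal authority string (so "ROLE_USER" must carry the prefix) while hasRole('ADMIN') prepends it for you.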
