iDev: Spring Security

Spring Security provides a very good security solution(s), handling authentication and authorization at the web request level and at the method invocation level by using the features of Dependency Injection (DI) & Aspect Oriented techniques.

Spring security targets two areas viz. 1. Authentication &
2. Authorization

1. Authentication: - is the assurance that the user is the actual user he is claiming to be.

E.g. Particular user logs into the application through his credentials means get authenticated himself.

Spring Supports following types of Authentication :

a. Http Basic Authentication

b. Form Based Authentication

2. Authorization: - is the assurance that the user is allowed to access only those resources that he is authorized to use.

E.g. Admin of the any website have access for some parts/pages & normal user done have access to these pages.

For authorization spring targets following areas,

a. Authorizing web requests

b. Authorizing whether methods can be invoked

c. Authorizing access to individual domain objects

Following jar’s need to be present in the class path of the project.

1. Core => spring-security-core.jar

2. Web => spring-security-web.jar

3. Config => spring-security-config.jar

Namespace Configuration :-

Spring Security comes with a security-specific namespace which simplifies security configuration in Spring. This new namespace, along with some default behavior, reduces a typical security configuration from over 100 lines of XML to a dozen or so. The namespace configuration of the Spring provides a shortcut that hides much of complexity of the framework.

E.g.

<security: …..>…..</security:…>

</beans>

For web security in Spring, we must set up the servlet filters that provide the various security features.

Proxying servlet filters :-

<filter-name>springSecurityFilterChain</filter-name> <filter-class>

org.springframework.web.filter.DelegatingFilterProxy </filter-class>

</filter>

<filter-mapping>

<filter-name> springSecurityFilterChain </filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

In above code snippet DelegatingFilterProxy deligates the control to a filter implementation which is defined as bean named springSecurityFilterChain. This bean is an infrastructural bean to handle namespace configurations. Once this configuration is done, all the incoming requests enter the spring framework for security check. This special filter, by itself will not do much, it deligates to an implementation of javax.servlet.Filter which is registered as <bean> in spring application context.

It is not possible to inject beans into the servlet filters registered into the web.xml. But by using DelegatingFilterProxy, we can we can configure the actual filters.

<filter-name> given to the DelegatingFilterProxy is very significant & useful. This name is used to look up the filter bean from the Spring application context. Spring Security will automatically create a filter bean whose ID is springSecurityFilterChain, so that’s the name, given to DelegatingFilterProxy in web.xml.

springSecurityFilterChain bean itself is another special filter known as FilterChainProxy. It’s a single filter which chains one or more filters. Spring Security will automatically create those beans for us when we configure the <http> element.

Security Configuration :-

We can define security configuration file as applicationContext-security.xml & this file need to be loaded in web.xml. This is done by ContextLoadListner.

Following snippet needs to be added in web.xml before security filter definition.

<context-param>

<param-name>contextConfigLocation</param-name>

<param-value>WEB-INF/applicationContext-security.xml</param-value>

</context-param>

<listener-class>

org.springframework.web.context.ContextLoaderListener

</listener-class>

</listener>

applicationContext-security.xml

Whenever namespace configuration is used, spring-config.jar needs to be in class path. The first line in this file should be like,

<beans xmlns="http://www.springframework.org/schema/security"

xmlns:bean="http://www.springframework.org/schema/beans"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

http://www.springframework.org/schema/security

http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

...

</beans>

The minimal namespace configuration like:-

Following only three lines of XML configures spring security to intercept all requests for all URL’s and restrict access to only authenticated users who have “ROLE_USER” role. This <http> element automatically set up FilterChainProxy & all the filter beans in the chain shown in following diagram.

<intercept-url pattern=”/**” access=”ROLE_USER” />

</http>

<authentication-manager>

<authentication-provider>

<user-service>

<user name="testadmin" password="testadminpassword"

authorities="ROLE_USER, ROLE_ADMIN" />

<user name="testuser" password="testuserpassword"

authorities="ROLE_USER" />

</user-service>

</authentication-provider>

</authentication-manager>

The attribute auto-config=”true" defines three elements <form-login/>, <http-basic/> and <logout>.The default configuration always chooses http-basic authentication model. If the model needs to be changed to the form-login model, then the following configuration is needed.

<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

<intercept-url pattern="/**" access="ROLE_USER" />

<form-login login-page=”/login.jsp”/>

</http>

This above configuration is done to enable form-login authentication model where the login page is login.jsp. Note that in the intercept tag, pattern for login.jsp is given and access rule is defined as IS_AUTHENTICATED_ANONYMOUSLY. That means login.jsp is not checked for security, which makes sense as login.jsp is the starting point from where the user is authenticated.
The tag <authentication-manager> processes the authentication information; <authentication-provider> defines the credential information and the roles given to each user (authentication information).

Spring Security framework is a chain of filters, with each filter having certain responsibility.

In following section the namespace configuration to bean configuration to understand the flow and responsibility of each filter.

The <http> block in namespace configuration invokes the chain of filters. DelegatingFilterProxy that is defined in web.xml invokes the

FilterChainProxy

class which in turn invokes the chain of filters defined for each URL pattern.

The chain of filters that FilterChainProxy calls are shown below:

To override the default behavior of login page, need to configure <form-login> element,

<http auto-config="true" use-expressions="false">

<form-login login-processing-url="/static/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>

</http>

login attribute specifies a new context-relative URL for the login page & it will reside at /login which is ultimately handled by a Spring MVC controller.

If authentication fails, the authentication-failure-url attribute is set to send the user back to the same login page.

Intercepting requests : -

<intercept-url> Element is the first line of defense in request level security. Its pattern attribute is given a URL pattern that will be matched against incoming requests. If any requests match the pattern, then that <intercept-url>’s security rules will be applied.

<intercept-url pattern="/**" access="ROLE_USER" />

/** => indicating that we want all requests, regardless of the URL, to require ROLE_USER access

For area for admin & restricted to others’ in this case following snippet need to put before previous <intercept_url>

<intercept-url pattern="/admin/**" access="ROLE_ADMIN" />

This will restricts the access to the /admin of site’s hierarchy to users’ with ROLE_ADMIN authority. We can use many <intercept-url> entries as we require securing various paths of application.

<intercept-url> rules are are applied top to bottom.

SECURING WITH SPRING EXPRESSIONS: -

Spring Expression Language (SpEL) as an advanced technique for wiring bean properties.

To enable it, we must set the use-expressions attribute of <http> to true:

……....

</http>

Use of SpEL expression:-

<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>

Securing view-level elements :-

To support security in the view layer, Spring Security comes with a JSP tag library. This tag library is small and includes only three tags,

<security:accesscontrollist> - Allows the body of the tag to be rendered if the currently authenticated user has one of the stipulated permissions in the specified domain object

<security:authentication> - Accesses properties of the current user’s authentication object

<security:authorize> - Allows the body of the tag to be rendered if a specified security constraint has been met

To use the JSP tag library, we’ll need to declare it in the JSP file,

<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>

Accessing authentication details :-

This tag library provide convenient access to user’s authentication information,

e.g. Welcome XYZ ! …. At the header of application.

Welcome <security:authentication property="principal.username" />!

iDev

Wednesday, April 20, 2011

Spring Security

No comments: