Spring Security
[ Security Reloaded ]
Topics
• What is security?
• Acquiring & integrating Spring Security
• HTTP BASIC authentication (Basic & Form Login/Logout options)
• Authorization
• Security Interceptors, Filters
• Authentication Manager & Provider, Authorization Manager & Provider
• Advanced integration concepts
By: SAURABH SHARMA | http://javazone.techsharezone.com 2
What is security?
• Spring Security provides comprehensive security services for J2EE-based enterprise
software applications. It is powerful, flexible and pluggable.
• Formerly known as “Acegi Security”.
• Authentication – Database, LDAP, CAS, OpenID, Pre-Authentication, custom, etc.
• Authorization – URL based, Method based (AOP)
• It is not a firewall, proxy server, intrusion detection system, OS security, JVM security
etc.
Major Operations
• Authentication (Prove who you say you are!) – the process of establishing a
principal (a user, system etc. that can perform an action in the application).
• Authorization (We know who you are, but are you allowed to access what
you want?) – the process of deciding whether a principal is allowed to perform an
action (access control -> admin, leader, member, contractor, anonymous
etc.). The authentication process establishes the identity of the principal, which is
then used for the authorization decision.
Servlet Filters
Security Use Case
Spring Security Setup
• JARs
• Schema
Basic Architecture
Configuration 1
• WEB-INF/web.xml
The filter declared in web.xml proxies requests to a Spring bean with the ID “springSecurityFilterChain”.
Filter Proxy
FilterChainProxy (springSecurityFilterChain) Pseudocode
Unauthorized Request to a Protected Resource
Configuration 2
• WEB-INF/spring-security.xml
Ant Patterns
• Spring Security uses an “AntPathRequestMatcher” to determine whether a configured URL pattern
matches the current request URL. The following rules are used when matching:
a. Query parameters are not included in the match.
b. The contextPath is not included in the match.
c. ? matches exactly one character.
d. * matches zero or more characters (but not the directory delimiter, i.e. /).
e. ** matches zero or more ‘directories’ in a path.
Ant patterns - Examples
• Ant pattern examples that assume a context path of /messages
Cont…
Cont..
• Be careful when using pattern matching
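A small model of the five matching rules above and of the ordering caveat on this slide, written as an added example in Python; it is not code from the deck or from Spring's own AntPathMatcher, and the context path /messages, the rule sets and the request URLs are constructed for illustration.

```python
import re

def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into a regex (constructed model):
    '?' -> exactly one non-'/' character, '*' -> zero or more non-'/' characters,
    '**' (as a whole path segment) -> zero or more whole directories."""
    i, out = 0, []
    while i < len(pattern):
        if pattern.startswith("/**/", i):              # '/**/' between segments
            out.append("(?:/.*)?/"); i += 4
        elif pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?"); i += 3             # trailing '/**'
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out))

def request_path(uri: str, context_path: str) -> str:
    """Rules a) and b): the query string and the context path are not matched."""
    path = uri.split("?", 1)[0]
    if context_path and (path == context_path or path.startswith(context_path + "/")):
        path = path[len(context_path):]
    return path

def matches(pattern: str, uri: str, context_path: str = "/messages") -> bool:
    return ant_to_regex(pattern).fullmatch(request_path(uri, context_path)) is not None

def decide(rules, uri: str, context_path: str = "/messages"):
    """First matching rule wins, as with an ordered list of <intercept-url> entries.
    Returns that rule's access expression, or None when no pattern matches."""
    path = request_path(uri, context_path)
    for pattern, access in rules:
        if ant_to_regex(pattern).fullmatch(path):
            return access
    return None

# Constructed rule sets showing the ordering pitfall: in SHADOWED the catch-all
# comes first and hides the admin rule; CORRECT lists the specific rule first.
SHADOWED = [("/**", "permitAll"), ("/admin/**", "hasRole('ADMIN')")]
CORRECT = [("/admin/**", "hasRole('ADMIN')"), ("/**", "permitAll")]

if __name__ == "__main__":
    cases = [("/inbox/*", "/messages/inbox/5?page=2"),   # True: query string ignored
             ("/inbox/*", "/messages/inbox/5/reply"),    # False: '*' stops at '/'
             ("/inbox/**", "/messages/inbox/5/reply"),   # True: '**' spans directories
             ("/admin*", "/messages/admin/users")]       # False: '/admin*' is not '/admin/**'
    for pat, uri in cases:
        print(f"{pat:12} {uri:32} -> {matches(pat, uri)}")
    print(decide(SHADOWED, "/messages/admin/users"), decide(CORRECT, "/messages/admin/users"))
```

The last line prints `permitAll` for the shadowed list and `hasRole('ADMIN')` for the corrected one, which is the reason to keep specific intercept rules ahead of catch-alls.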
Requesting the login page
Authenticating via username & password
