Abstract image of a woman sitting on books and studying on a laptop

springb security.pptxdsdsgfdsgsdgsdgsdgdsgdsgds

Download as PPTX, PDF
Z
zmulani8

The document provides an overview of implementing security in Spring Boot applications, focusing on securing REST APIs with user authentication and role authorization. It covers key concepts like password storage (both plain-text and encrypted), the configuration of security filters, and the setup for database user management using JDBC. It emphasizes best practices for password storage using bcrypt hashing and outlines the role-based access control through specific HTTP methods and paths.

1 of 52
Download to read offline
syllabus… • Secure Spring Boot REST APIs • Define users and roles • Protect URLs based on role • Store users, passwords and roles in DB (plain-text -> encrypted)
Spring Security Model • Spring Security defines a framework for security • Implemented using Servlet filters in the background • Two methods of securing an app: declarative and programmatic
Spring Security with Servlet Filters • Servlet Filters are used to pre-process / post-process web requests • Servlet Filters can route web requests based on security logic • Spring provides a bulk of security functionality with servlet filters
Spring Security Overview Spring Security Filters Web Browser my app security configuration users passwords roles Protected Web Resource /mytopsecretstuff
Spring Security in Action Spring Security Filters
Spring Security Filters Check if user id and password are valid Spring Security in ActiDoones user have authorized role?
Security Concepts • Authentication • Check user id and password with credentials stored in app / db • Authorization • Check to see if user has an authorized role
Declarative Security • Define application’s security constraints in configuration • All Java config: @Configuration • Provides separation of concerns between application code and security
Programmatic Security • Spring Security provides an API for custom application coding • Provides greater customization for specific app requirements
Enabling Spring Security 1. Edit pom.xml and add spring-boot-starter-security 2.This will automagically secure all endpoints for application <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency>
Secured Endpoints • Now when you access your application • Spring Security will prompt for login Check console logs for password Default user name: user
Spring Security configuration • You can override default user name and generated password File: src/main/resources/application.properties spring.security.user.name=scott spring.security.user.password=test123
Authentication and Authorization • In-memory • JDBC • LDAP • Custom / Pluggable • others … users passwords roles We will cover password storage in DB as plain-text AND encrypted
m Configuring Basic Security
Our Users User ID Password Roles john test123 EMPLOYEE mary test123 EMPLOYEE, MANAGER susan test123 EMPLOYEE, MANAGER, ADMIN We can give ANY names for user roles
Development Process 1. Create Spring Security Configuration (@Configuration) 2. Add users, passwords and roles Step-By-Step
Step 1: Create Spring Security Configuration File: DemoSecurityConfig.java import org.springframework.context.annotation.Configuration; @Configuration public class DemoSecurityConfig { // add our security configurations here … }
Spring Security Password Storage • In Spring Security, passwords are stored using a specific format {id}encodedPassword ID Description noop Plain text passwords bcrypt BCrypt password hashing … …
Password Example {noop}test123 Let’s Spring Security know the passwords are stored as plain text (noop) The encoding algorithm id The password
Step 2: Add users, passwords and roles "ADMIN") UserDetails susan = User.builder() .username("susan") .password("{noop}test123") .roles("EMPLOYEE", "MANAGER", .build(); return new InMemoryUserDetailsManager(john, mary, susan); } } File: DemoSecurityConfig.java @Configuration public class DemoSecurityConfig { @Bean public InMemoryUserDetailsManager userDetailsManager() { UserDetails john = User.builder() .username("john") .password("{noop}test123") .roles("EMPLOYEE") .build(); UserDetails mary = User.builder() .username("mary") .password("{noop}test123") .roles("EMPLOYEE", "MANAGER") .build(); We will add DB support in later videos (plaintext and encrypted)
m Restrict Access Based on Roles
Our Example HTTP Method Endpoint CRUD Action Role GET /api/employees Read all EMPLOYEE GET /api/employees/{employeeId} Read single EMPLOYEE POST /api/employees Create MANAGER PUT /api/employees Update MANAGER DELETE /api/employees/{employeeId} Delete employee ADMIN
Restricting Access to Roles • General Syntax requestMatchers(<< add path to match on >>) .hasRole(<< authorized role >>) Single role “ADMIN” Restrict access to a given path “/api/employees”
Restricting Access to Roles requestMatchers(<< add HTTP METHOD to match on >>, << add path to match on >>) .hasRole(<< authorized roles >>) Specify HTTP method: GET, POST, PUT, DELETE … Single role Restrict access to a given path “/api/employees”
Restricting Access to Roles requestMatchers(<< add HTTP METHOD to match on >>, << add path to match on >>) .hasAnyRole(<< list of authorized roles >>) Comma-delimited list Any role
Authorize Requests for EMPLOYEE role requestMatchers(HttpMethod.GET, requestMatchers(HttpMethod.GET, "/api/employees").hasRole("EMPLOYEE") "/api/employees/**").hasRole("EMPLOYEE") The ** syntax: match on all sub-paths
Authorize Requests for MANAGER role "/api/employees").hasRole("MANAGER") requestMatchers(HttpMethod.POST, requestMatchers(HttpMethod.PUT, "/api/employees").hasRole("MANAGER")
Authorize Requests for ADMIN role requestMatchers(HttpMethod.DELETE, "/api/employees/**").hasRole("ADMIN")
Pull It Together @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests(configurer -> configurer .requestMatchers(HttpMethod.GET, .requestMatchers(HttpMethod.GET, .requestMatchers(HttpMethod.POST, .requestMatchers(HttpMethod.PUT, "/api/employees").hasRole("EMPLOYEE") "/api/employees/**").hasRole("EMPLOYEE") "/api/employees").hasRole("MANAGER") "/api/employees").hasRole("MANAGER") .requestMatchers(HttpMethod.DELETE, "/api/employees/**").hasRole("ADMIN")); // use HTTP Basic authentication http.httpBasic(Customizer.withDefaults()); return http.build(); } Use HTTP Basic Authentication
Cross-Site Request Forgery (CSRF) • Spring Security can protect against CSRF attacks • Embed additional authentication data/token into all HTML forms • On subsequent requests, web app will verify token before processing • Primary use case is traditional web applications (HTML forms etc …)
When to use CSRF Protection? • The Spring Security team recommends • Use CSRF protection for any normal browser web requests • Traditional web apps with HTML forms to add/modify data • If you are building a REST API for non-browser clients • you may want to disable CSRF protection • In general, not required for stateless REST APIs • That use POST, PUT, DELETE and/or PATCH
Pull It Together @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests(configurer -> configurer .requestMatchers(HttpMethod.GET, .requestMatchers(HttpMethod.GET, .requestMatchers(HttpMethod.POST, .requestMatchers(HttpMethod.PUT, "/api/employees").hasRole("EMPLOYEE") "/api/employees/**").hasRole("EMPLOYEE") "/api/employees").hasRole("MANAGER") "/api/employees").hasRole("MANAGER") .requestMatchers(HttpMethod.DELETE, "/api/employees/**").hasRole("ADMIN")); // use HTTP Basic authentication http.httpBasic(Customizer.withDefaults()); // disable Cross Site Request Forgery (CSRF) http.csrf(csrf -> csrf.disable()); return http.build(); } In general, CSRF is not required for stateless REST APIs that use POST, PUT, DELETE and/or PATCH
Database Access • So far, our user accounts were hard coded in Java source code • We want to add database access Advanced
Recall Our User Roles User ID Password Roles john test123 EMPLOYEE mary test123 EMPLOYEE, MANAGER susan test123 EMPLOYEE, MANAGER, ADMIN
Database Support in Spring Security • Spring Security can read user account info from database • By default, you have to follow Spring Security’s predefined table schemas Spring Security JDBC Code Out-of-the-box
Customize Database Access with Spring Security • Can also customize the table schemas • Useful if you have custom tables specific to your project / custom • You will be responsible for developing the code to access the data • JDBC, JPA/Hibernate etc …
Database Support in Spring Security • Follow Spring Security’s predefined table schemas Spring Security JDBC Code Out-of-the-box
Development Process 1. Develop SQL Script to set up database tables 2. Add database support to Maven POM file 3.Create JDBC properties file 4. Update Spring Security Configuration to use JDBC Step-By-Step
Default Spring Security Database Schema “authorities” same as “roles”
Step 1: Develop SQL Script to setup database tables CREATE TABLE `users` ( `username` varchar(50) NOT NULL, `password` varchar(50) NOT NULL, `enabled` tinyint NOT NULL, PRIMARY KEY (`username`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
Step 1: Develop SQL Script to setup database tables Let’s Spring Security know the passwords are stored as plain text (noop) The encoding algorithm id The password INSERT INTO `users` VALUES ('john','{noop}test 123',1), ('mary','{noop}test 123',1), ('susan','{noop}tes t123',1);
Step 1: Develop SQL Script to setup database tables CREATE TABLE `authorities` ( `username` varchar(50) NOT NULL, `authority` varchar(50) NOT NULL, UNIQUE KEY `authorities_idx_1` (`username`,`authority`), CONSTRAINT `authorities_ibfk_1` FOREIGN KEY (`username`) REFERENCES `users` (`username`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
Step 1: Develop SQL Script to setup database tables “authorities” same as “roles” INSERT INTO `authorities` VALUES ('john','ROLE_EMPLOYEE'), ('mary','ROLE_EMPLOYEE'), ('mary','ROLE_MANAGER'), ('susan','ROLE_EMPLOYEE') , ('susan','ROLE_MANAGER'), ('susan','ROLE_ADMIN'); Internally Spring Security uses “ROLE_” prefix
Step 2: Add Database Support to Maven POM file <!-- MySQL --> <dependency> <groupId>com.mysql</groupId> <artifactId>mysql-connector-j</artifactId> <scope>runtime</scope> </dependency> JDBC Driver
Step 3: Create JDBC Properties File File: application.properties # # JDBC connection properties # spring.datasource.url=jdbc:mysql://localhost:3306/employee_directory spring.datasource.username=springstudent spring.datasource.password=springstudent
Step 4: Update Spring Security to use JDBC @Configuration public class DemoSecurityConfig { @Bean public UserDetailsManager userDetailsManager(DataSource dataSource) { return new JdbcUserDetailsManager(dataSource); } … } Inject data source Auto-configured by Spring Boot Tell Spring Security to use JDBC authentication with our data source No longer hard-coding users :-)
luv2code LLC m Spring Security Password Encryption
Password Storage • So far, our user passwords are stored in plaintext … yikes! • Ok for getting started … but not for production / real-time project :-(
Password Storage - Best Practice • The best practice is store passwords in an encrypted format Best Practice Encrypted version of password
Spring Security Team Recommendation luv2code LLC • Spring Security recommends using the popular bcrypt algorithm • bcrypt • Performs one-way encrypted hashing • Adds a random salt to the password for additional protection • Includes support to defeat brute force attacks
How to Get a Bcrypt password luv2code LLC You have a plaintext password and you want to encrypt using bcrypt • Option 1: Use a website utility to perform the encryption • Option 2: Write Java code to perform the encryption
Spring Security Login Process 1. Retrieve password from db for the user 2. Read the encoding algorithm id (bcrypt etc) 3. For case of bcrypt, encrypt plaintext password from login form (using salt from db password) 4. Compare encrypted password from login form WITH encrypted password from db 5. If there is a match, login successful 6. If no match, login NOT successful Note: The password from db is NEVER decrypted Because bcrypt is a one-way encryption algorithm

More Related Content

PDF
Spring security jwt tutorial toptal
jbsysatm
 
PPTX
Spring Security 5
Jesus Perez Franco
 
PDF
Spring security4.x
Zeeshan Khan
 
PDF
Spring Security
Sumit Gole
 
PDF
Lesson07_Spring_Security_API.pdf
Scott Anderson
 
PPTX
Spring Security 3
Jason Ferguson
 
PPTX
Comprehensive_SpringBoot_Auth.pptx wokring
JayaPrakash579769
 
PDF
Spring Security
Knoldus Inc.
 
Spring security jwt tutorial toptal
jbsysatm
 
Spring Security 5
Jesus Perez Franco
 
Spring security4.x
Zeeshan Khan
 
Spring Security
Sumit Gole
 
Lesson07_Spring_Security_API.pdf
Scott Anderson
 
Spring Security 3
Jason Ferguson
 
Comprehensive_SpringBoot_Auth.pptx wokring
JayaPrakash579769
 
Spring Security
Knoldus Inc.
 

Similar to springb security.pptxdsdsgfdsgsdgsdgsdgdsgdsgds(20)

PDF
Lesson07-UsernamePasswordAuthenticationFilter.pdf
Scott Anderson
 
PPTX
Spring Security services for web applications
StephenKoc1
 
PPTX
Spring Security
Manish Sharma
 
PDF
Spring Security in Action 1st Edition Laurentiu Spilca Spilcă Laurenţiu
ticeyfedorvt
 
PDF
Spring5 hibernate5 security5 lab step by step
Rajiv Gupta
 
PDF
Lesson_07_Spring_Security_Register_NEW.pdf
Scott Anderson
 
PPTX
Spring security
Saurabh Sharma
 
PPTX
Spring Security
Boy Tech
 
PPTX
Building Layers of Defense with Spring Security
Joris Kuipers
 
PDF
Spring Framework - Spring Security
Dzmitry Naskou
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Matt Raible
 
PPTX
Spring Security Framework
Jayasree Perilakkalam
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Matt Raible
 
PDF
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
PDF
From 0 to Spring Security 4.0
robwinch
 
PPT
Spring Security Introduction
Mindfire Solutions
 
PPTX
Code your Own: Authentication Provider for Blackboard Learn
Dan Rinzel
 
PDF
Spring Security in Action 1st Edition Laurentiu Spilca
qbjpyqyprq1924
 
PPTX
Spring Security: Deep dive into basics. Ihor Polataiko.pptx
Ihor Polataiko
 
PDF
Lesson_07_Spring_Security_Login_NEW.pdf
Scott Anderson
 
Lesson07-UsernamePasswordAuthenticationFilter.pdf
Scott Anderson
 
Spring Security services for web applications
StephenKoc1
 
Spring Security
Manish Sharma
 
Spring Security in Action 1st Edition Laurentiu Spilca Spilcă Laurenţiu
ticeyfedorvt
 
Spring5 hibernate5 security5 lab step by step
Rajiv Gupta
 
Lesson_07_Spring_Security_Register_NEW.pdf
Scott Anderson
 
Spring security
Saurabh Sharma
 
Spring Security
Boy Tech
 
Building Layers of Defense with Spring Security
Joris Kuipers
 
Spring Framework - Spring Security
Dzmitry Naskou
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Matt Raible
 
Spring Security Framework
Jayasree Perilakkalam
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Matt Raible
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
From 0 to Spring Security 4.0
robwinch
 
Spring Security Introduction
Mindfire Solutions
 
Code your Own: Authentication Provider for Blackboard Learn
Dan Rinzel
 
Spring Security in Action 1st Edition Laurentiu Spilca
qbjpyqyprq1924
 
Spring Security: Deep dive into basics. Ihor Polataiko.pptx
Ihor Polataiko
 
Lesson_07_Spring_Security_Login_NEW.pdf
Scott Anderson
 

More from zmulani8(20)

PPTX
Lect6_TWIN_PHIS.pptxdsdwdwdjjdo2jdo2d2d2d2d
zmulani8
 
PPT
Lect1_3.pptjjjjedediodheiohdioeipojihiohi
zmulani8
 
PPTX
unit 2 hbase last part.pptxddcdcdcdcdcxfd
zmulani8
 
PPTX
cassandra.pptxsssssedededjjjedjededededed
zmulani8
 
PPTX
Unit 3 dw.pptxlkkljkluioluio878o78o8ojjl
zmulani8
 
PPTX
MongoDB-query_4.pptxgghjjhui7i78i709007u
zmulani8
 
PPTX
unit2_password_attacks_2fdgf.pdfgdgdghgptx
zmulani8
 
PPTX
unit 2_Authentication & Authorization vulnerabilities_4.pptx
zmulani8
 
PPTX
unit_4_network_cloud_forlensics_3_4.pptx
zmulani8
 
PPT
unit 1 _authentication protodfcols_2.ppt
zmulani8
 
PPT
unit1_last.pptsfsfsfsfsgeeyeeeyyeyeywwww
zmulani8
 
PPTX
iot attacks.pptxweewwewrwtwttwttttwrwtwt
zmulani8
 
PPTX
unit2_mongodb_1.pptxhlhhlhhjkhjkhjkhjkhjj
zmulani8
 
PPT
426_Fall10_lect08.pptuiuiguiguigqeqeqeaew
zmulani8
 
PPTX
unit 1 Entity Relationship sdsdsdsdsdsdsdsModelling.pptx
zmulani8
 
PPTX
Unit 1.pptxdasdasdasdasdasdqweqweeqweqww
zmulani8
 
PPTX
Chapter-9-MySQL.pptxxzrtyryrydfdsfdsfdsrter
zmulani8
 
PPTX
unit 2 Mastering-State-Management-in-React.pptx
zmulani8
 
PPTX
Lect 4.pptxdsdsdsdfgxgf xzffss sdsdsffff
zmulani8
 
PPTX
sql functions.pptxghghghghghghghbvnbghjj
zmulani8
 
Lect6_TWIN_PHIS.pptxdsdwdwdjjdo2jdo2d2d2d2d
zmulani8
 
Lect1_3.pptjjjjedediodheiohdioeipojihiohi
zmulani8
 
unit 2 hbase last part.pptxddcdcdcdcdcxfd
zmulani8
 
cassandra.pptxsssssedededjjjedjededededed
zmulani8
 
Unit 3 dw.pptxlkkljkluioluio878o78o8ojjl
zmulani8
 
MongoDB-query_4.pptxgghjjhui7i78i709007u
zmulani8
 
unit2_password_attacks_2fdgf.pdfgdgdghgptx
zmulani8
 
unit 2_Authentication & Authorization vulnerabilities_4.pptx
zmulani8
 
unit_4_network_cloud_forlensics_3_4.pptx
zmulani8
 
unit 1 _authentication protodfcols_2.ppt
zmulani8
 
unit1_last.pptsfsfsfsfsgeeyeeeyyeyeywwww
zmulani8
 
iot attacks.pptxweewwewrwtwttwttttwrwtwt
zmulani8
 
unit2_mongodb_1.pptxhlhhlhhjkhjkhjkhjkhjj
zmulani8
 
426_Fall10_lect08.pptuiuiguiguigqeqeqeaew
zmulani8
 
unit 1 Entity Relationship sdsdsdsdsdsdsdsModelling.pptx
zmulani8
 
Unit 1.pptxdasdasdasdasdasdqweqweeqweqww
zmulani8
 
Chapter-9-MySQL.pptxxzrtyryrydfdsfdsfdsrter
zmulani8
 
unit 2 Mastering-State-Management-in-React.pptx
zmulani8
 
Lect 4.pptxdsdsdsdfgxgf xzffss sdsdsffff
zmulani8
 
sql functions.pptxghghghghghghghbvnbghjj
zmulani8
 

Recently uploaded(20)

PDF
IARC_Technical_Report_No10-9.pdf eyes is
kalaiselvankalai4488
 
PDF
BD1TL - TNTEU - Teaching and Learning - Unit - 1.pdf
Dr Raja Mohammed T
 
PPTX
Here Constitution of ethiopia by Andulem-1.pptx
AbelDaniel11
 
PDF
Catalysis: Introduction, Mechanistic insights, Applications
Dr. Santosh Gaonkar
 
PDF
2003-theological-education-v39-n1-tai lieu
ranve86
 
PPTX
788191603-Inclusiveness-Ppt-2022-Dereje-3.pptx
TilahunWami1
 
PDF
MEDICAL ETHICS PRESENTATION health professional.pdf
MutambaOscarNecmiah
 
PDF
Introduction to Responsible AI & Ethics.pdf
Shiwani Gupta
 
PPT
Chemical_Kinetics_and_Chemical_Dynamics.ppt
wangchencai0726
 
PPTX
PERSONAL DEVELOPMENT POWER POINT PRESENTATION
BaeJasminSalaman
 
PDF
DavidsonMedicine24th.pdf for medicine 4th year
Astha752103
 
PPTX
Smart Curriculum Activity & Attendance App
peerless1507
 
PDF
18Presentation_Skills.pdf English grammar book
Butterfly education
 
PDF
Tech_Gr8_Eng_TG_2017ED_lowres.pdf.notes and memo
KEFILWEREABETSWE
 
PDF
CLASS X INFORMATION TECHNOLOGY LESSON PLAN CHAPTER - 2-1.pdf
minhajnisha912
 
PPTX
Industrial Pharmacy - 1 (Unit 2: Tablets) | B.Pharm 5th Sem | Tablet Formulat...
Vrushabh Hete
 
DOCX
Ms.SajjdaLodhi Notes Based on Teaching Of Pak.Std (B.Ed)Chap 1 To Chapter 9 I...
lodhisaajjda
 
PDF
Ethics apply in our daily lives and professions
Universidad Espíritu Santo
 
PDF
Book Nutrition.pdf......................
worldislamic028
 
PDF
17649-Learning By Doing_text-tailieu.pdf
ranve86
 
IARC_Technical_Report_No10-9.pdf eyes is
kalaiselvankalai4488
 
BD1TL - TNTEU - Teaching and Learning - Unit - 1.pdf
Dr Raja Mohammed T
 
Here Constitution of ethiopia by Andulem-1.pptx
AbelDaniel11
 
Catalysis: Introduction, Mechanistic insights, Applications
Dr. Santosh Gaonkar
 
2003-theological-education-v39-n1-tai lieu
ranve86
 
788191603-Inclusiveness-Ppt-2022-Dereje-3.pptx
TilahunWami1
 
MEDICAL ETHICS PRESENTATION health professional.pdf
MutambaOscarNecmiah
 
Introduction to Responsible AI & Ethics.pdf
Shiwani Gupta
 
Chemical_Kinetics_and_Chemical_Dynamics.ppt
wangchencai0726
 
PERSONAL DEVELOPMENT POWER POINT PRESENTATION
BaeJasminSalaman
 
DavidsonMedicine24th.pdf for medicine 4th year
Astha752103
 
Smart Curriculum Activity & Attendance App
peerless1507
 
18Presentation_Skills.pdf English grammar book
Butterfly education
 
Tech_Gr8_Eng_TG_2017ED_lowres.pdf.notes and memo
KEFILWEREABETSWE
 
CLASS X INFORMATION TECHNOLOGY LESSON PLAN CHAPTER - 2-1.pdf
minhajnisha912
 
Industrial Pharmacy - 1 (Unit 2: Tablets) | B.Pharm 5th Sem | Tablet Formulat...
Vrushabh Hete
 
Ms.SajjdaLodhi Notes Based on Teaching Of Pak.Std (B.Ed)Chap 1 To Chapter 9 I...
lodhisaajjda
 
Ethics apply in our daily lives and professions
Universidad Espíritu Santo
 
Book Nutrition.pdf......................
worldislamic028
 
17649-Learning By Doing_text-tailieu.pdf
ranve86
 

springb security.pptxdsdsgfdsgsdgsdgsdgdsgdsgds

  • 1.
    syllabus… • Secure SpringBoot REST APIs • Define users and roles • Protect URLs based on role • Store users, passwords and roles in DB (plain-text -> encrypted)
  • 2.
    Spring Security Model •Spring Security defines a framework for security • Implemented using Servlet filters in the background • Two methods of securing an app: declarative and programmatic
  • 3.
    Spring Security withServlet Filters • Servlet Filters are used to pre-process / post-process web requests • Servlet Filters can route web requests based on security logic • Spring provides a bulk of security functionality with servlet filters
  • 4.
    Spring Security Overview Spring Security Filters Web Browser myapp security configuration users passwords roles Protected Web Resource /mytopsecretstuff
  • 5.
    Spring Security inAction Spring Security Filters
  • 6.
    Spring Security Filters Check if userid and password are valid Spring Security in ActiDoones user have authorized role?
  • 7.
    Security Concepts • Authentication •Check user id and password with credentials stored in app / db • Authorization • Check to see if user has an authorized role
  • 8.
    Declarative Security • Defineapplication’s security constraints in configuration • All Java config: @Configuration • Provides separation of concerns between application code and security
  • 9.
    Programmatic Security • SpringSecurity provides an API for custom application coding • Provides greater customization for specific app requirements
  • 10.
    Enabling Spring Security 1.Edit pom.xml and add spring-boot-starter-security 2.This will automagically secure all endpoints for application <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency>
  • 11.
    Secured Endpoints • Nowwhen you access your application • Spring Security will prompt for login Check console logs for password Default user name: user
  • 12.
    Spring Security configuration • Youcan override default user name and generated password File: src/main/resources/application.properties spring.security.user.name=scott spring.security.user.password=test123
  • 13.
    Authentication and Authorization •In-memory • JDBC • LDAP • Custom / Pluggable • others … users passwords roles We will cover password storage in DB as plain-text AND encrypted
  • 14.
  • 15.
    Our Users User IDPassword Roles john test123 EMPLOYEE mary test123 EMPLOYEE, MANAGER susan test123 EMPLOYEE, MANAGER, ADMIN We can give ANY names for user roles
  • 16.
    Development Process 1. CreateSpring Security Configuration (@Configuration) 2. Add users, passwords and roles Step-By-Step
  • 17.
    Step 1: CreateSpring Security Configuration File: DemoSecurityConfig.java import org.springframework.context.annotation.Configuration; @Configuration public class DemoSecurityConfig { // add our security configurations here … }
  • 18.
    Spring Security PasswordStorage • In Spring Security, passwords are stored using a specific format {id}encodedPassword ID Description noop Plain text passwords bcrypt BCrypt password hashing … …
  • 19.
    Password Example {noop}test123 Let’s SpringSecurity know the passwords are stored as plain text (noop) The encoding algorithm id The password
  • 20.
    Step 2: Addusers, passwords and roles "ADMIN") UserDetails susan = User.builder() .username("susan") .password("{noop}test123") .roles("EMPLOYEE", "MANAGER", .build(); return new InMemoryUserDetailsManager(john, mary, susan); } } File: DemoSecurityConfig.java @Configuration public class DemoSecurityConfig { @Bean public InMemoryUserDetailsManager userDetailsManager() { UserDetails john = User.builder() .username("john") .password("{noop}test123") .roles("EMPLOYEE") .build(); UserDetails mary = User.builder() .username("mary") .password("{noop}test123") .roles("EMPLOYEE", "MANAGER") .build(); We will add DB support in later videos (plaintext and encrypted)
  • 21.
  • 22.
    Our Example HTTP MethodEndpoint CRUD Action Role GET /api/employees Read all EMPLOYEE GET /api/employees/{employeeId} Read single EMPLOYEE POST /api/employees Create MANAGER PUT /api/employees Update MANAGER DELETE /api/employees/{employeeId} Delete employee ADMIN
  • 23.
    Restricting Access to Roles •General Syntax requestMatchers(<< add path to match on >>) .hasRole(<< authorized role >>) Single role “ADMIN” Restrict access to a given path “/api/employees”
  • 24.
    Restricting Access to Roles requestMatchers(<<add HTTP METHOD to match on >>, << add path to match on >>) .hasRole(<< authorized roles >>) Specify HTTP method: GET, POST, PUT, DELETE … Single role Restrict access to a given path “/api/employees”
  • 25.
    Restricting Access to Roles requestMatchers(<<add HTTP METHOD to match on >>, << add path to match on >>) .hasAnyRole(<< list of authorized roles >>) Comma-delimited list Any role
  • 26.
    Authorize Requests forEMPLOYEE role requestMatchers(HttpMethod.GET, requestMatchers(HttpMethod.GET, "/api/employees").hasRole("EMPLOYEE") "/api/employees/**").hasRole("EMPLOYEE") The ** syntax: match on all sub-paths
  • 27.
    Authorize Requests forMANAGER role "/api/employees").hasRole("MANAGER") requestMatchers(HttpMethod.POST, requestMatchers(HttpMethod.PUT, "/api/employees").hasRole("MANAGER")
  • 28.
    Authorize Requests forADMIN role requestMatchers(HttpMethod.DELETE, "/api/employees/**").hasRole("ADMIN")
  • 29.
    Pull It Together @Bean publicSecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests(configurer -> configurer .requestMatchers(HttpMethod.GET, .requestMatchers(HttpMethod.GET, .requestMatchers(HttpMethod.POST, .requestMatchers(HttpMethod.PUT, "/api/employees").hasRole("EMPLOYEE") "/api/employees/**").hasRole("EMPLOYEE") "/api/employees").hasRole("MANAGER") "/api/employees").hasRole("MANAGER") .requestMatchers(HttpMethod.DELETE, "/api/employees/**").hasRole("ADMIN")); // use HTTP Basic authentication http.httpBasic(Customizer.withDefaults()); return http.build(); } Use HTTP Basic Authentication
  • 30.
    Cross-Site Request Forgery(CSRF) • Spring Security can protect against CSRF attacks • Embed additional authentication data/token into all HTML forms • On subsequent requests, web app will verify token before processing • Primary use case is traditional web applications (HTML forms etc …)
  • 31.
    When to useCSRF Protection? • The Spring Security team recommends • Use CSRF protection for any normal browser web requests • Traditional web apps with HTML forms to add/modify data • If you are building a REST API for non-browser clients • you may want to disable CSRF protection • In general, not required for stateless REST APIs • That use POST, PUT, DELETE and/or PATCH
  • 32.
    Pull It Together @Bean publicSecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.authorizeHttpRequests(configurer -> configurer .requestMatchers(HttpMethod.GET, .requestMatchers(HttpMethod.GET, .requestMatchers(HttpMethod.POST, .requestMatchers(HttpMethod.PUT, "/api/employees").hasRole("EMPLOYEE") "/api/employees/**").hasRole("EMPLOYEE") "/api/employees").hasRole("MANAGER") "/api/employees").hasRole("MANAGER") .requestMatchers(HttpMethod.DELETE, "/api/employees/**").hasRole("ADMIN")); // use HTTP Basic authentication http.httpBasic(Customizer.withDefaults()); // disable Cross Site Request Forgery (CSRF) http.csrf(csrf -> csrf.disable()); return http.build(); } In general, CSRF is not required for stateless REST APIs that use POST, PUT, DELETE and/or PATCH
  • 33.
    Database Access • Sofar, our user accounts were hard coded in Java source code • We want to add database access Advanced
  • 34.
    Recall Our UserRoles User ID Password Roles john test123 EMPLOYEE mary test123 EMPLOYEE, MANAGER susan test123 EMPLOYEE, MANAGER, ADMIN
  • 35.
    Database Support inSpring Security • Spring Security can read user account info from database • By default, you have to follow Spring Security’s predefined table schemas Spring Security JDBC Code Out-of-the-box
  • 36.
    Customize Database Access withSpring Security • Can also customize the table schemas • Useful if you have custom tables specific to your project / custom • You will be responsible for developing the code to access the data • JDBC, JPA/Hibernate etc …
  • 37.
    Database Support inSpring Security • Follow Spring Security’s predefined table schemas Spring Security JDBC Code Out-of-the-box
  • 38.
    Development Process 1. DevelopSQL Script to set up database tables 2. Add database support to Maven POM file 3.Create JDBC properties file 4. Update Spring Security Configuration to use JDBC Step-By-Step
  • 39.
    Default Spring Security DatabaseSchema “authorities” same as “roles”
  • 40.
    Step 1: DevelopSQL Script to setup database tables CREATE TABLE `users` ( `username` varchar(50) NOT NULL, `password` varchar(50) NOT NULL, `enabled` tinyint NOT NULL, PRIMARY KEY (`username`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
  • 41.
    Step 1: DevelopSQL Script to setup database tables Let’s Spring Security know the passwords are stored as plain text (noop) The encoding algorithm id The password INSERT INTO `users` VALUES ('john','{noop}test 123',1), ('mary','{noop}test 123',1), ('susan','{noop}tes t123',1);
  • 42.
    Step 1: DevelopSQL Script to setup database tables CREATE TABLE `authorities` ( `username` varchar(50) NOT NULL, `authority` varchar(50) NOT NULL, UNIQUE KEY `authorities_idx_1` (`username`,`authority`), CONSTRAINT `authorities_ibfk_1` FOREIGN KEY (`username`) REFERENCES `users` (`username`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
  • 43.
    Step 1: DevelopSQL Script to setup database tables “authorities” same as “roles” INSERT INTO `authorities` VALUES ('john','ROLE_EMPLOYEE'), ('mary','ROLE_EMPLOYEE'), ('mary','ROLE_MANAGER'), ('susan','ROLE_EMPLOYEE') , ('susan','ROLE_MANAGER'), ('susan','ROLE_ADMIN'); Internally Spring Security uses “ROLE_” prefix
  • 44.
    Step 2: AddDatabase Support to Maven POM file <!-- MySQL --> <dependency> <groupId>com.mysql</groupId> <artifactId>mysql-connector-j</artifactId> <scope>runtime</scope> </dependency> JDBC Driver
  • 45.
    Step 3: CreateJDBC Properties File File: application.properties # # JDBC connection properties # spring.datasource.url=jdbc:mysql://localhost:3306/employee_directory spring.datasource.username=springstudent spring.datasource.password=springstudent
  • 46.
    Step 4: UpdateSpring Security to use JDBC @Configuration public class DemoSecurityConfig { @Bean public UserDetailsManager userDetailsManager(DataSource dataSource) { return new JdbcUserDetailsManager(dataSource); } … } Inject data source Auto-configured by Spring Boot Tell Spring Security to use JDBC authentication with our data source No longer hard-coding users :-)
  • 47.
    luv2code LLC m Spring SecurityPassword Encryption
  • 48.
    Password Storage • Sofar, our user passwords are stored in plaintext … yikes! • Ok for getting started … but not for production / real-time project :-(
  • 49.
    Password Storage -Best Practice • The best practice is store passwords in an encrypted format Best Practice Encrypted version of password
  • 50.
    Spring Security TeamRecommendation luv2code LLC • Spring Security recommends using the popular bcrypt algorithm • bcrypt • Performs one-way encrypted hashing • Adds a random salt to the password for additional protection • Includes support to defeat brute force attacks
  • 51.
    How to Geta Bcrypt password luv2code LLC You have a plaintext password and you want to encrypt using bcrypt • Option 1: Use a website utility to perform the encryption • Option 2: Write Java code to perform the encryption
  • 52.
    Spring Security LoginProcess 1. Retrieve password from db for the user 2. Read the encoding algorithm id (bcrypt etc) 3. For case of bcrypt, encrypt plaintext password from login form (using salt from db password) 4. Compare encrypted password from login form WITH encrypted password from db 5. If there is a match, login successful 6. If no match, login NOT successful Note: The password from db is NEVER decrypted Because bcrypt is a one-way encryption algorithm