BT
Uploaded byBoy Tech
PPTX, PDF10,651 views

Spring Security

The document discusses Spring Security, a flexible security solution for enterprise software that supports applications using the Spring framework. It highlights its key features, including authentication, authorization, and integration with other security systems. Additionally, it details the infrastructure of Spring Security, such as its main components and capabilities, while emphasizing its widespread adoption in various high-demand environments.

TechnologyBusiness
In this document
Powered by AI

Introduction to the Java Work Group presentation on Spring Security taking place on June 18th, 2009.

Emphasizes that security is essential and should be distinct from application concerns, ensuring better management.

Discusses the popularity and evolution of Acegi Security, starting from 2003 and integrating with Spring Framework.

Describes Spring Security as a robust solution for enterprise software, highlighting its features like authentication and authorization.

Clarifies what Spring Security does not cover, including firewall responsibilities and the assumption of developer trust.

Presents adoption statistics including 231,000 downloads and usage in various sectors like banking, defense, and universities.

Lists systems that integrate well with Spring Security, demonstrating its versatility and compatibility across different platforms.

Outlines major functionalities of Spring Security including various types of authorizations and security measures.

Introduces fundamental security concepts within Spring Security such as filters, authentication, and authorization.

Describes core components of Spring Security including Security Interceptor, Access Decision Manager, and others.

Introduces the role of filters in Spring Security, highlighting their importance in securing application resources.

Details how Security Interceptors protect resources via authentication, discussing the underlying call mechanisms.

Enumerates various security filters used in Spring Security, describing their functions in request handling.

Further discussion on filters used within Spring Security emphasizes their integral role in security.

Illustrates the flow of requests through various security filters, outlining the processes involved.

Focuses on the authentication aspect of Spring Security, underlying the verification of credentials.

Details the role of Authentication Manager in verifying users, describing its various authentication strategies.

Explains the concept of authorization within Spring Security, emphasizing its critical importance.

Outlines the Access Decision Manager's role in assessing user access rights and securing resources.

Shows practical implementations of web authorization with code snippets for managing user roles and access.

Demonstrates method-level security using annotations, explaining role-based access control within methods.

Lists sources and recommended readings for further learning about Spring Security and its implementation.

Embed presentation

Downloaded 893 times
Java Work GroupJune 18th 2009 Spring Security
Application Security Security is a crucial aspect of most applications
Security is a concern that transcends an application’s functionality
An application should play no part in securing itself
It is better to keep security concerns separate from application concernsAcegi Security Started in 2003
Became extremely popular
Security Services for the Spring Framework
From version 1.1.0, Acegi becomes a Spring ModuleSpring Security“Spring Security is a powerful, flexible security solution for enterprise software, with a particular emphasis on applications that use Spring.”Spring Security provides declarative security for your Spring-based applications
handles authentication and authorization
takes full advantage of dependency injection (DI) and aspect-oriented techniques based on the Spring FrameworkWhat it is not ?• Firewall, proxy server, IDS (Intrusion Detection System)• Operating system security• JVM (sandbox) security• Developers are trusted to use it properly
Who uses it? • Over 231,000 downloads on SourceForge• At least 20,000 downloads per release• Over 14,000 posts in the community forum• Used in many demanding environments – Large banks and business – Defence and government – Universities – Independent software vendors – OSS like OpenNMS, OAJ, Roller, AtLeap,....
It plays nicely with others...• Spring Portfolio• AspectJ• JA-SIG CAS• JOSSO• NTLM via JCIFS• OpenID• SiteMinder• Atlassian Crowd• jCaptcha• JAAS• Jasypt• Grails • Mule• DWR• Appfuse• AndroMDA
Major capability areas• Authentication• Web URL authorization• Method invocation authorization• Domain instance based security (ACLs)• WS-Security (via Spring Web Services)• Flow Authorization (via Spring Web Flow)• Human user detection (Captcha)
Key concepts• Filters (Security Interceptor)• Authentication• Authorization• Web authorization• Method authorization
Fundamental elements of Spring SecuritySecurity InterceptorAuthenticationManagerAccess Decision ManagerRun-AsManagerAfter-InvocationManager
Spring SecurityFilters
Security Interceptor a latch that protects secured resources, to get past users typically enter a username and passwordCALLERSERVICESECURITYINTERCEPTORcallsecurity checkexceptioncall implementation depends on resource being secured
URLs - Servlet Filter
Methods - Aspects
delegates the responsibilities to the various managers Spring Security FiltersRequestResponseIntegration FilterAuthentication Processing FilterException Translation FilterFilter Security Interceptor Secured Web Resource
Spring Security Filters
Flow of a request through Spring Security’s core filtersServlet ContainerWebUserFilter XServletSecurity InterceptorSpring ContainerFilter ChainFilter 1Filter 3Filter 4Filter 5Filter 2

More Related Content

PPTX
Spring Security 5
byJesus Perez Franco
 
PDF
Spring Security
byKnoldus Inc.
 
PPTX
Spring security
bySaurabh Sharma
 
PDF
Spring Framework - Spring Security
byDzmitry Naskou
 
PDF
JSON WEB TOKEN
byKnoldus Inc.
 
PDF
Getting started with Spring Security
byKnoldus Inc.
 
PPTX
Spring boot - an introduction
byJonathan Holloway
 
PDF
OAuth2 and Spring Security
byOrest Ivasiv
 
Spring Security 5
byJesus Perez Franco
 
Spring Security
byKnoldus Inc.
 
Spring security
bySaurabh Sharma
 
Spring Framework - Spring Security
byDzmitry Naskou
 
JSON WEB TOKEN
byKnoldus Inc.
 
Getting started with Spring Security
byKnoldus Inc.
 
Spring boot - an introduction
byJonathan Holloway
 
OAuth2 and Spring Security
byOrest Ivasiv
 

What's hot

PPTX
Spring Boot Tutorial
byNaphachara Rattanawilai
 
PPTX
Rest API Security
byStormpath
 
PDF
Spring boot introduction
byRasheed Waraich
 
PPT
Spring Boot in Action
byAlex Movila
 
PDF
REST APIs with Spring
byJoshua Long
 
PPT
Spring Security Introduction
byMindfire Solutions
 
PDF
Spring Security
bySumit Gole
 
PPTX
Spring Boot
byJiayun Zhou
 
PDF
Microservices with Java, Spring Boot and Spring Cloud
byEberhard Wolff
 
PDF
OpenID Connect Explained
byVladimir Dzhuvinov
 
PPTX
Rest API with Swagger and NodeJS
byLuigi Saetta
 
ODP
Introduction to Swagger
byKnoldus Inc.
 
PDF
[2019] PAYCO 쇼핑 마이크로서비스 아키텍처(MSA) 전환기
byNHN FORWARD
 
PDF
Introduction to Spring Boot!
byJakub Kubrynski
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PPTX
Secure your app with keycloak
byGuy Marom
 
PPTX
User Management Life Cycle with Keycloak
byMuhammad Edwin
 
PDF
Clean architectures with fast api pycones
byAlvaro Del Castillo
 
PDF
Keycloak SSO basics
byJuan Vicente Herrera Ruiz de Alejo
 
PDF
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
 
Spring Boot Tutorial
byNaphachara Rattanawilai
 
Rest API Security
byStormpath
 
Spring boot introduction
byRasheed Waraich
 
Spring Boot in Action
byAlex Movila
 
REST APIs with Spring
byJoshua Long
 
Spring Security Introduction
byMindfire Solutions
 
Spring Security
bySumit Gole
 
Spring Boot
byJiayun Zhou
 
Microservices with Java, Spring Boot and Spring Cloud
byEberhard Wolff
 
OpenID Connect Explained
byVladimir Dzhuvinov
 
Rest API with Swagger and NodeJS
byLuigi Saetta
 
Introduction to Swagger
byKnoldus Inc.
 
[2019] PAYCO 쇼핑 마이크로서비스 아키텍처(MSA) 전환기
byNHN FORWARD
 
Introduction to Spring Boot!
byJakub Kubrynski
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Secure your app with keycloak
byGuy Marom
 
User Management Life Cycle with Keycloak
byMuhammad Edwin
 
Clean architectures with fast api pycones
byAlvaro Del Castillo
 
Keycloak SSO basics
byJuan Vicente Herrera Ruiz de Alejo
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
 

Similar to Spring Security

PDF
Spring security4.x
byZeeshan Khan
 
PPTX
Spring Security services for web applications
byStephenKoc1
 
PDF
Javacro 2014 Spring Security 3 Speech
byFernando Redondo Ramírez
 
PDF
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
PPTX
Spring Security Framework
byJayasree Perilakkalam
 
PDF
Building layers of defense for your application
byVMware Tanzu
 
PDF
Spring security jwt tutorial toptal
byjbsysatm
 
PPTX
Java Security Framework's
byMohammed Fazuluddin
 
PDF
Spring4 security
bySang Shin
 
PPTX
Spring Security 3
byJason Ferguson
 
PPTX
Introduction To Building Enterprise Web Application With Spring Mvc
byAbdelmonaim Remani
 
PPTX
springb security.pptxdsdsgfdsgsdgsdgsdgdsgdsgds
byzmulani8
 
PDF
Spring Security in Action 1st Edition Laurentiu Spilca Spilcă Laurenţiu
byticeyfedorvt
 
PDF
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
byelliando dias
 
PPTX
Comprehensive_SpringBoot_Auth.pptx wokring
byJayaPrakash579769
 
PDF
Anil saldhana securityassurancewithj_bosseap
byAnil Saldanha
 
PPTX
Building Layers of Defense with Spring Security
byJoris Kuipers
 
PPTX
Spring Security: Deep dive into basics. Ihor Polataiko.pptx
byIhor Polataiko
 
PPT
Top Ten Proactive Web Security Controls v5
byJim Manico
 
PDF
Introduction to PicketLink
byJBUG London
 
Spring security4.x
byZeeshan Khan
 
Spring Security services for web applications
byStephenKoc1
 
Javacro 2014 Spring Security 3 Speech
byFernando Redondo Ramírez
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Spring Security Framework
byJayasree Perilakkalam
 
Building layers of defense for your application
byVMware Tanzu
 
Spring security jwt tutorial toptal
byjbsysatm
 
Java Security Framework's
byMohammed Fazuluddin
 
Spring4 security
bySang Shin
 
Spring Security 3
byJason Ferguson
 
Introduction To Building Enterprise Web Application With Spring Mvc
byAbdelmonaim Remani
 
springb security.pptxdsdsgfdsgsdgsdgsdgdsgdsgds
byzmulani8
 
Spring Security in Action 1st Edition Laurentiu Spilca Spilcă Laurenţiu
byticeyfedorvt
 
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
byelliando dias
 
Comprehensive_SpringBoot_Auth.pptx wokring
byJayaPrakash579769
 
Anil saldhana securityassurancewithj_bosseap
byAnil Saldanha
 
Building Layers of Defense with Spring Security
byJoris Kuipers
 
Spring Security: Deep dive into basics. Ihor Polataiko.pptx
byIhor Polataiko
 
Top Ten Proactive Web Security Controls v5
byJim Manico
 
Introduction to PicketLink
byJBUG London
 

Recently uploaded

PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Hybrid Cloud vs Multi-Cloud Strategy 2025
byTeleglobal International
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
December Patch Tuesday
byIvanti
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
The year in review - MarvelClient in 2025
bypanagenda
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
cybercrime in Information security .pptx
byismaeelsahib032
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Hybrid Cloud vs Multi-Cloud Strategy 2025
byTeleglobal International
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
December Patch Tuesday
byIvanti
 

Spring Security

  • 1.
    Java Work GroupJune18th 2009 Spring Security
  • 2.
    Application Security Securityis a crucial aspect of most applications
  • 3.
    Security isa concern that transcends an application’s functionality
  • 4.
    An application shouldplay no part in securing itself
  • 5.
    It is betterto keep security concerns separate from application concernsAcegi Security Started in 2003
  • 6.
  • 7.
    Security Servicesfor the Spring Framework
  • 8.
    From version 1.1.0,Acegi becomes a Spring ModuleSpring Security“Spring Security is a powerful, flexible security solution for enterprise software, with a particular emphasis on applications that use Spring.”Spring Security provides declarative security for your Spring-based applications
  • 9.
    handles authenticationand authorization
  • 10.
    takes fulladvantage of dependency injection (DI) and aspect-oriented techniques based on the Spring FrameworkWhat it is not ?• Firewall, proxy server, IDS (Intrusion Detection System)• Operating system security• JVM (sandbox) security• Developers are trusted to use it properly
  • 11.
    Who uses it?• Over 231,000 downloads on SourceForge• At least 20,000 downloads per release• Over 14,000 posts in the community forum• Used in many demanding environments – Large banks and business – Defence and government – Universities – Independent software vendors – OSS like OpenNMS, OAJ, Roller, AtLeap,....
  • 12.
    It plays nicelywith others...• Spring Portfolio• AspectJ• JA-SIG CAS• JOSSO• NTLM via JCIFS• OpenID• SiteMinder• Atlassian Crowd• jCaptcha• JAAS• Jasypt• Grails • Mule• DWR• Appfuse• AndroMDA
  • 13.
    Major capability areas•Authentication• Web URL authorization• Method invocation authorization• Domain instance based security (ACLs)• WS-Security (via Spring Web Services)• Flow Authorization (via Spring Web Flow)• Human user detection (Captcha)
  • 14.
    Key concepts• Filters(Security Interceptor)• Authentication• Authorization• Web authorization• Method authorization
  • 15.
    Fundamental elements ofSpring SecuritySecurity InterceptorAuthenticationManagerAccess Decision ManagerRun-AsManagerAfter-InvocationManager
  • 16.
  • 17.
    Security Interceptor alatch that protects secured resources, to get past users typically enter a username and passwordCALLERSERVICESECURITYINTERCEPTORcallsecurity checkexceptioncall implementation depends on resource being secured
  • 18.
    URLs -Servlet Filter
  • 19.
    Methods -Aspects
  • 20.
    delegates theresponsibilities to the various managers Spring Security FiltersRequestResponseIntegration FilterAuthentication Processing FilterException Translation FilterFilter Security Interceptor Secured Web Resource
  • 21.
  • 22.
    Flow of arequest through Spring Security’s core filtersServlet ContainerWebUserFilter XServletSecurity InterceptorSpring ContainerFilter ChainFilter 1Filter 3Filter 4Filter 5Filter 2
  • 23.
  • 24.
    Authentication Manager verifiesprincipal (typically a username) and credentials (typically a password)
  • 25.
    Spring Securitycomes with a handful of flexible authentication managers that cover the most common authentication strategiesAuthenticationManagerProviderManagerCAS Authentication ProviderDAOAuthentication ProviderX.509Authentication ProviderJAASAuthentication ProviderLDAPAuthentication Provider
  • 26.
  • 27.
    Access Decision Managerresponsible for deciding whether the user has the proper access to secured resources by invoking Voters and tallying votes
  • 28.
    Spring Securitycomes with three implementations of Access Decision ManagerWeb Authorization<authz:authorizeifAllGranted="ROLE_MOTORIST,ROLE_VIP"> Welcome VIP Motorist!<br/> <a href="j_acegi_logout">Logoff</a></authz:authorize><authz:authorizeifAnyGranted="ROLE_MOTORIST,ROLE_VIP"> Welcome Motorist!<br/> <a href="j_acegi_logout">Logoff</a></authz:authorize><authz:authorizeifNotGranted="ROLE_ANONYMOUS"><p>This is super-secret content that anonymous users aren't allowed to see.</p></authz:authorize><authz:authorizeifAllGranted="ROLE_MOTORIST“ ifAnyGranted="ROLE_VIP,ROLE_FAST_LANE“ ifNotGranted="ROLE_ADMIN"> <p>Only special users see this content.</p></authz:authorize>
  • 29.
  • 30.
    SourcesSpring in ACTIONby Craig WallsChapter 7 – Securing Springhttp://www.manning.com/walls3/http://static.springsource.org/spring-security/site/articles.htmlIntroducing Spring Security . Video of Ben Alex's Øredev 2008 Presentation. Includes walkthroughs on incrementally securing a demo web application (a variation of the "tutorial" sample).Using Spring Security. Video of Mike Wiesner's presentation at Spring One 2008.Diagrams http://blog.mindtheflex.com/wp-content/uploads/2008/07/uml.png