SlideShare a Scribd company logo

Spring Security 5

Download as PPTX, PDF
Jesus Perez Franco
Jesus Perez Franco

This document provides an overview of Spring Security including: I. It distinguishes Spring Framework, Spring Boot, and Spring Security and their relationships. II. It defines Spring Security as a framework focusing on authentication and authorization for Java applications. III. It outlines some of the core concepts in Spring Security such as Principal, Authentication, Authorization, GrantedAuthority etc. The document serves as an introduction to Spring Security fundamentals and architecture.

Presentations & Public Speaking
1 of 36
gfi.be - gfi.lu - gfi.world Spring Security 5 Implementing Spring Security 5 in an existing Spring Boot 2 application GfiBelux | 04/09/2018
Who am I? Application Architect › Agile DevOps Enthusiast › I have been an all-purpose Software Engineer for over 17 years' experience. › I worked at Gfi Spain for 12 years › I arrived in GfiBelux in January 2018 › I’m currently working for Toyota Motors Europe in the CAST Team 2 Besides work… › Enjoying a lot with my family › Two children  › Doing sport › Running, Fitness, Footboll... › Planting vegetables › Ecological Orchard › Drinking Belgium beer › With colleagues better ;) Jesus Perez Franco https://www.linkedin.com/in/jpefranco/
Summary I. Introduction: Spring Framework vs. Spring Boot vs. Spring Security II. What is Spring Security? III. Spring Security Fundamentals I IV. Spring Security Workflow V. Spring Security Architecture VI. Spring Security Configuration VII. Spring Security Fundamentals II VIII. Spring Security with REST API or RESTful Web Services IX. Spring Security OAuth2 X. JSON Web Token (JWT) with REST API XI. Practice: Impl Security GfiBelux | 04/09/2018 Spring Security 3 In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider Session1Session2
Introduction: Spring Framework vs. Spring Boot vs. Spring Security › Spring Framework is a Java platform that provides comprehensive infrastructure support for developing Java applications. › Spring Boot is based on the Spring Framework, providing auto-configuration features to your Spring applications and is designed to get you up and running as quickly as possible. › Spring Security provides comprehensive security services for Java EE- based software applications. There is a particular emphasis on supporting projects built using the Spring Framework. 4 Spring Security GfiBeLux | 04/09/2018 Spring Framework Spring Boot 2 Spring Security 5 Spring MVC Spring Data Etc...
What is Spring Security? › Spring Security is a framework that focuses on providing both authentication and authorization (or “access-control”) to Java web application and SOAP/RESTful web services › Spring Security currently supports integration with all of the following technologies: › HTTP basic access authentication › LDAP system › OpenID identity providers › JAAS API › CAS Server › ESB Platform › ..... › Your own authentication systems › It is built on top of Spring Framework 5 Spring Security GfiBeLux | 04/09/2018
Spring Security Fundamentals I › Principal › User that performs the action › Authentication › Confirming truth of credentials › Authorization › Define access policy for principal › GrantedAuthority › Application permission granted to a principal › SecurityContext › Hold the authentication and other security information › SecurityContextHolder › Provides access to SecurityContext 6 Spring Security GfiBeLux | 04/09/2018 › AuthenticationManager › Controller in the authentication process › AuthenticationProvider › Interface that maps to a data store which stores your user data. › Authentication Object › Object is created upon authentication, which holds the login credentials. › UserDetails › Data object which contains the user credentials, but also the Roles of the user. › UserDetailsService › Collects the user credentials, authorities(roles) and build an UserDetails object.
Front End Spring Security Common Workflow 7 Spring Security GfiBeLux | 04/09/2018 Controller in the process that it just delegates to a collection of AuthenticationProvider instances. Call an object that implements the UserDetailsService interface, which it looks up the user data and returns a UserDetails object. Will check that the password matches the password the user entered. Authentication object with the login credentials is created Back End Request Login Request REST API
Spring Security Architecture 8 Spring Security GfiBeLux | 04/09/2018 Spring security has a series/chain of filters (HTTP Basic, OAuth2, JWT) Authentication object
Spring Security Configuration › Step 1. Project structure › Step 2. Maven or Gradle dependencies › Step 3. Spring Security configuration › Web Security Authentication (@EnableWebSecurity) › In-Memory Authentication › JDBC Authentication › LDAP Authentication › UserDetailsService › AuthenticationProvider › REST API › OAuth 2.0 SSO Authentication › JSON Web Token (JWT) 9 Spring Security GfiBeLux | 04/09/2018 Users AuthorisationPermissions UserID AuthorisationID UserID username AuthorisationAuthorisationID ... domain Java module (Spring Data JPA) security Java module (Spring Security) business Java module (Spring Data REST) import Use BCrypt, as it’s usually the best solution available. {crypt} password WebSecurityConfigurerAdapter
Spring Security Configuration: Project structure 10 Spring Security GfiBeLux | 04/09/2018 › You can use start.spring.io to generate a basic project. › You can create the project web+spring security from IDE Database DependencyDependency Spring Security provides a variety of options for performing authentication. We are going to see the most frequently used.
Spring Security Configuration: Maven dependencies 11 Spring Security GfiBeLux | 04/09/2018 <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>5.0.7.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>5.0.7.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>5.0.7.RELEASE</version> </dependency> › pom.xml › Each release uses a standard triplet of integers: MAJOR.MINOR.PATCH › All GA releases (i.e. versions ending in .RELEASE) are deployed to Maven Central. › If you are using a SNAPSHOT version, you will need to have the Spring Snapshot repository: › If you are using a release candidate or milestone version: <repositories> <repository> <id>spring-snapshot</id> <name>Spring Snapshot Repository</name> <url>http://repo.spring.io/snapshot</url> </repository> </repositories> <repositories> <repository> <id>spring-milestone</id> <name>Spring Milestone Repository</name> <url>http://repo.spring.io/milestone</url> </repository> </repositories> You can get hold of Spring Security in several ways. You can also use Gradle and to set the build.gradle file.
Spring Security Configuration: @EnableWebSecurity and HttpSecurity 12 Spring Security GfiBeLux | 04/09/2018 @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/", "/index").permitAll() .anyRequest() .hasAnyRole("Consultant“, “Teamlead”, “Hr”) .and() .formLogin() .loginPage("/login").failureUrl("/login-error") .and() .exceptionHandling() .accessDeniedPage("/forbidden"); ... › Adding more configuration options: › Form Login › Authorize request › Handling logout, exception, custom filters... › You have to adapt it for your own application @RequestMapping("/") public String root() { return "redirect:/index"; } @RequestMapping("/index") public String index() { return "index"; } @RequestMapping("/user/index") public String userIndex() { return "user/index"; } @RequestMapping(value = "/login") public String login() { return "login"; } @RequestMapping(value = "/forbidden") public String forbidden() { return "forbidden"; }
Spring Security Configuration: In-Memory Authentication - AuthenticationManagerBuilder 13 Spring Security GfiBeLux | 04/09/2018 @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user").password("{noop}password") .roles("Consultant", "Teamlead", "Hr"); } ... › In-memory authentication is usually used in development phase › Configure the authentication method In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
Spring Security Configuration: JDBC Authentication - AuthenticationManagerBuilder 14 Spring Security GfiBeLux | 04/09/2018 @Override public void configure(AuthenticationManagerBuilder auth) throws Exception DataSource dataSource = new JpaConfiguration().dataSource(); auth .jdbcAuthentication() .dataSource(dataSource) .usersByUsernameQuery("select username, password, 'true' as enabled" + " from user where username=?") .authoritiesByUsernameQuery("select username, authorisation as authority from" + " authorisation a, permissions p, user u" + " where a.AuthorisationID=p.AuthorisationID and" + " u.UserID=p.UserID and username=?") .passwordEncoder(passwordEncoder()); ... With JDBC-based authentication the user’s authentication and authorization information are stored in the database. The standard JDBC implementation of the UserDetailsService requires tables to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user. You have to use the schema defined. It’s possible to use the default database scheme provided in spring security documentation or define the SQL query It’s defined in Domain module Create my encryption mechanisms In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
Spring Security Configuration: JDBC Authentication – PasswordEconderImpl 15 Spring Security GfiBeLux | 04/09/2018 Spring Security 5 recommends the use of BCrypt, a salt that helps prevent pre-computed dictionary attacks. Most of the other encryption mechanisms, such as the MD5PasswordEncoder and ShaPasswordEncoder use weaker algorithms and are now deprecated. @Service public class PasswordEncoderImpl implements PasswordEncoder { @Override public String encode(CharSequence rawPassword) { String hashed = BCrypt.hashpw(rawPassword.toString(), BCrypt.gensalt(12)); return hashed; } @Override public boolean matches(CharSequence rawPassword, String encodedPassword) { return BCrypt.checkpw(rawPassword.toString(), encodedPassword); } } Default value is 10
Spring Security Configuration: JDBC Authentication - Encrypted properties with Spring 16 Spring Security GfiBeLux | 04/09/2018 To automate this process, you can add the encryption key to your deployment infrastructure like Jenkins, Bamboo, etc. You must store encrypted credentials, so would NOT allow everybody with access to the repository to use these credentials. <properties> <database.host>localhost</database.host> <database.name>academy</database.name> <database.port>3306</database.port> <database.driver>com.mysql.jdbc.Driver</database.driver> <database.username>root</database.username> <database.password>{cipher}1a5f8bbf59c7290ec5b99fe91e05dd02d692cc07bb1d7bd931f7b4c27679a391 </database.password> <database.url>jdbc:mysql://${database.host}:${database.port}/${database.name}?useSSL=false</database.url> </properties> Database configuration both pom.xml and application.properties file # spring encrypt secret --key root I use Spring Boot CLI to encrypt it: 1a5f8bbf59c7290ec5b99fe91e05dd02d692cc07bb1d7bd931f7b4c27679a391 be.gfi.academy.password=${database.password} # set ENCRYPT_KEY=secret # mvn clean install –DskiptTests=true # cd security # mvn spring-boot:run You have to provide the key via the property encrypt.key or ENCRYPT_KEY variable environment Spring recommends to use BCrypt BCryptPasswordEncoder, a stronger hashing algorithm with randomly generated salt.
Spring Security Configuration: LDAP Authentication - AuthenticationManagerBuilder 17 Spring Security GfiBeLux | 04/09/2018 public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .ldapAuthentication() .userDnPatterns("uid={0},ou=people") .groupSearchBase("ou=groups") .contextSource() .url("ldap://localhost:389/dc=springframework,dc=org") .and() .passwordCompare() .passwordEncoder(passwordEncoder()) .passwordAttribute("userPassword"); } <dependency> <groupId>org.springframework.ldap</groupId> <artifactId>spring-ldap-core</artifactId> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-ldap</artifactId> </dependency> With LDAP-based authentication the user’s authentication and authorization information are stored in a directory LDAP. Use the configurations files, either application.properties or application.yml You must store encrypted credentials, so would NOT allow everybody with access to the repository to use these credentials. encrypted.property={cipher}71144...... To automate this process, you can add the encryption key to your deployment infrastructure like Jenkins, Bamboo and so on. In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
Spring Security Configuration: UserDetailsService I - AuthenticationManagerBuilder 18 Spring Security GfiBeLux | 04/09/2018 @Autowired private UserDetailsServiceImpl userDetailsService; @Autowired private PasswordEncoderImpl passwordEncoder; @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .authenticationProvider(userDetailsService); .passwordEncoder(passwordEncoder); } The standard scenario uses a simple UserDetailsService where I usually store the password in database and spring security framework performs a check on the password. What happens when you are using a different authentication system, and the password is not provided in your own database/data model? In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
Spring Security Configuration: UserDetailsService II - AuthenticationManagerBuilder 19 Spring Security GfiBeLux | 04/09/2018 @Service @Transactional public class UserDetailsServiceImpl implements UserDetailsService { @Autowired private IUserDao userDAO; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { UserVO user = userDAO.findByUsername(username); if (user == null) { throw new UsernameNotFoundException(username); } return new UserPrincipalImpl(user); } } This User Details Service only has access to the username in order to retrieve the full user entity – and in a large number of scenarios, this is enough. It’s defined in Domain module
Spring Security Configuration: UserPrincipal - AuthenticationManagerBuilder 20 Spring Security GfiBeLux | 04/09/2018 public class UserPrincipalImpl implements UserDetails { String ROLE_PREFIX = "ROLE_"; private UserVO user; public UserPrincipalImpl(UserVO user) { this.user = user; } @Override public String getPassword() { return user.getPassword(); } @Override public String getUsername() { return user.getUsername(); } @Override public Collection<GrantedAuthority> getAuthorities() { List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); List<AuthorisationVO> roles = user.getRoles(); for(AuthorisationVO item : roles) { grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+item.getAuthorisation())); } return grantedAuthorities; } ... ... } @RestController @RequestMapping("/api") public class TestService { @RequestMapping("/user-information") @ResponseBody public Principal information(Principal principal) { return principal; } } http://localhost:8080/api/user-information API Test In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
Spring Security Configuration: Authentication Provider I - AuthenticationManagerBuilder 21 Spring Security GfiBeLux | 04/09/2018 @Autowired private AuthenticationProviderImpl authProvider; @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .authenticationProvider(authProvider); } More custom scenarios will still need to access the full Authentication request to be able to perform the authentication process – for example when authenticating against some external, third party service (e.g. CAS/IS - Centralized Authentication System/Identity Server, so my system have no idea about the password) – both the username and the password from the authentication request will be necessary. For these more advanced scenarios we’ll need to define a custom Authentication Provider:
Spring Security Configuration: Authentication Provider II - AuthenticationManagerBuilder 22 Spring Security GfiBeLux | 04/09/2018 public class AuthenticationProviderImpl implements AuthenticationProvider { @Autowired private IUserDao userDAO; @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { String name = authentication.getName(); String password = authentication.getCredentials().toString(); UserVO user = userDAO.findByUsername(name); if (user == null) { throw new BadCredentialsException("Authentication failed for " + name); } List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); if (new PasswordEncoderImpl().matches(password, user.getPassword())) { List<AuthorisationVO> roles = user.getRoles(); for(AuthorisationVO item : roles) { grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+item.getAuthorisation())); } } ... Authentication against a third-party system like a database in our use case Use the credentials Must be “ROLE_”
Summary I. Introduction: Spring Framework vs. Spring Boot vs. Spring Security II. What is Spring Security? III. Spring Security Fundamentals I IV. Spring Security Workflow V. Spring Security Architecture VI. Spring Security Configuration VII. Spring Security Fundamentals II VIII. Spring Security with REST API or RESTful Web Services IX. Spring Security OAuth2 X. JSON Web Token (JWT) with REST API XI. Practice: Impl Security GfiBelux | 04/09/2018 Spring Security 23 In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider Session1Session2
Spring Security Fundamentals II › JWT (JSON Web Tokens) › It is just a token format. JWT tokens are JSON encoded data structures containing information about issuer, subject (claims), expiration time, etc. JWT is simpler than SAML 1.1/2.0, is supported by all devices and it is more powerful than SWT (Simple Web Token). See https://jwt.io/ › OAuth2 › OAuth2 is a framework that solves a problem when a user wants to access the data using a client software like browser-based web apps, native mobile apps or desktop apps. OAuth2 is just for authorization, client software can be authorized to access the resources on behalf of the end user by using an access token. › OpenID Connect › OpenID Connect builds on top of OAuth2 and adds authentication. OpenID Connect adds some constraints to OAuth2 like UserInfo Endpoint, ID Token, discovery and dynamic registration of OpenID Connect providers and session management. JWT is the mandatory format for the token. 24 Spring Security GfiBeLux | 04/09/2018
Spring Security with REST API Authorization with annotations on controller I 25 Spring Security GfiBeLux | 04/09/2018 @RestController @RequestMapping("/api") public class TestService { @Secured("ROLE_Consultant") @RequestMapping("/user-information") public Principal information(Principal principal) { return principal; } @PreAuthorize("hasRole('ROLE_Consultant') and hasRole('ROLE_Teamlead') and hasRole('ROLE_Hr')") @RequestMapping("/user-details") @ResponseBody public Object details(Authentication auth) { return auth.getDetails(); } @Secured("ROLE_Consultant") @RequestMapping("/thanks") @ResponseBody public String getThanks() { return "{"message":"Thanks!"}"; } } API with access control Frontend (Node) Browser/APP Backend (Spring Boot) API RESTfull HTTPS Basic Authentication
Spring Security with REST API Authorization with annotations on controller II 26 Spring Security GfiBeLux | 04/09/2018 By default, the BasicAuthenticationEntryPoint provisioned by Spring Security returns a full page for a 401 Unauthorized response back to the client. This HTML representation of the error renders well in a browser, but it not well suited for other scenarios, such as a REST API where a json representation may be preferred. Traditional form based authentication Cookie/Session Based Authentication (stateful) Use the Postman tool or the curl command testing your API Rest Basic Authentication with REST API (stateless). Very basic mechanism. Should be used only in HTTPS environmen Even if it is base64 encoded, it can be easily decoded
Spring Security with REST API Authorization with annotations on controller III 27 Security GfiBeLux | 04/09/2018 public class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint { @Override public void commence (HttpServletRequest request, HttpServletResponse response, AuthenticationException authEx throws IOException { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setHeader("WWW-Authenticate", "Basic realm=" + getRealmName()); response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE); PrintWriter writer = response.getWriter(); writer.println("HTTP Status 401 : " + authEx.getMessage()); } @Override public void afterPropertiesSet() throws Exception { setRealmName(SecurityConfig.REALM_NAME); super.afterPropertiesSet(); } } http .authorizeRequests().anyRequest().authenticated() .and() .httpBasic() .authenticationEntryPoint(authenticationEntryPoint); Implementation of a custom BasicAuthenticationEntryPoint
Spring Security OAuth2 Single Sign-On 28 Spring Security GfiBeLux | 04/09/2018 Copying the client-id and client-secret to application.properties or application.yml Setting the redirect URI To begin, obtain OAuth 2.0 client credentials from the Google API Console. Google's OAuth 2.0 APIs can be used for both authentication and authorization, which conforms to the OpenID Connect specification.
Spring Security OAuth2 Single Sign-On 29 Spring Security GfiBeLux | 04/09/2018 spring.security.oauth2.client.registration.google.client-id=277735095424...... spring.security.oauth2.client.registration.google.client-secret=XGksESFC01e58..... <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-oauth2-client</artifactId> <version>${spring-security-version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-oauth2-jose</artifactId> <version>${spring-security-version}</version> </dependency> @Override protected void configure(HttpSecurity http) { http .authorizeRequests() .antMatchers("/", "/index") .permitAll() .antMatchers("/user/**") .authenticated() .and() .oauth2Login() .loginPage("/login"); Use the Google's OAuth 2.0 endpoints to authorize access to Google APIs. <a href="/oauth2/authorization/google">Google account</a> Frontend (Node) Browser/APP Backend I Call Google API Token Call Backend API <token> Check token response Backend II ... SSO Application.properties file
JSON Web Token (JWT) with REST API 30 Spring Security GfiBeLux | 04/09/2018 Step 1: Request /api/login and get the JWT Step 2: Request API REST with JWT (token)
JSON Web Token (JWT) with REST API Configuration 31 Spring Security GfiBeLux | 04/09/2018 @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers(HttpMethod.POST,"/api/login") .permitAll() .anyRequest() .authenticated() .and() // We filter the api/login requests .addFilterBefore(new JWTLoginFilter("/api/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class) // And filter other requests to check the presence of JWT in header .addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class); <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.9.0</version> </dependency>
JSON Web Token (JWT) with REST API JWTLoginFilter 32 Spring Security GfiBeLux | 04/09/2018 public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter{ private TokenAuthenticationService tokenAuthenticationService; public JWTLoginFilter(String url, AuthenticationManager authenticationManager) { super(new AntPathRequestMatcher(url)); setAuthenticationManager(authenticationManager); tokenAuthenticationService = new TokenAuthenticationService(); } @Override public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException { AccountCredentials credentials = new ObjectMapper().readValue(httpServletRequest.getInputStream(),AccountCredentials.class); UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(credentials.getUsername(), credentials.getPassword()); return getAuthenticationManager().authenticate(token); } @Override protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication) throws IOException, ServletException{ String name = authentication.getName(); tokenAuthenticationService.addAuthentication(response,name); } }
JSON Web Token (JWT) with REST API TokenAuthenticationService 33 Spring Security GfiBeLux | 04/09/2018 public class TokenAuthenticationService { private long EXPIRATIONTIME = 1000 * 60 * 60 * 24 * 10; // 10 days private String secret = "secret"; // Must be an environment variable into OS private String tokenPrefix = ""; // "Bearer " private String headerString = "Authorization"; public void addAuthentication(HttpServletResponse response, String username) { String JWT = Jwts.builder() .setSubject(username) .setExpiration(new Date(System.currentTimeMillis() + EXPIRATIONTIME)) .signWith(SignatureAlgorithm.HS512, secret).compact(); response.addHeader(headerString,tokenPrefix + JWT); } public Authentication getAuthentication(HttpServletRequest request) { String token = request.getHeader(headerString); if(token != null) { String username = Jwts.parser() .setSigningKey(secret) .parseClaimsJws(token) .getBody() .getSubject(); if(username != null) // we managed to retrieve a user { return new AuthenticatedUserImpl(username); } } return null; } }
JSON Web Token (JWT) with REST API AuthenticatedUserImpl 34 Spring Security GfiBeLux | 04/09/2018 public class AuthenticatedUserImpl implements Authentication { String ROLE_PREFIX = "ROLE_"; private boolean authenticated = true; private String name; @Autowired private IUserDao userDAO; AuthenticatedUserImpl(String name){ this.name = name; } @Override public Collection<GrantedAuthority> getAuthorities() { List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); UserVO user = userDAO.findByUsername(name); List<AuthorisationVO> roles = user.getRoles(); for(AuthorisationVO item : roles) { grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+item.getAuthorisation())); } grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+"Consultant")); return grantedAuthorities; } .... ....
JSON Web Token (JWT) with REST API JWTLoginFilter and AccountCredentials 35 Spring Security GfiBeLux | 04/09/2018 public class JWTAuthenticationFilter extends GenericFilterBean{ @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { Authentication authentication = new TokenAuthenticationService().getAuthentication((HttpServletRequest)request); SecurityContextHolder.getContext().setAuthentication(authentication); filterChain.doFilter(request,response); } } public class AccountCredentials { private String username; private String password; String getUsername() { return username; } String getPassword() { return password; } public void setUsername(String _username) { this.username = _username; } public void setPassword(String _password) { this.password = _password; } }
FRANCE | SPAIN | PORTUGAL | BELGIUM | SWITSERLAND | LUXEMBURG | UNITED KINGDOM | POLAND | ROMANIA | MOROCCO | IVORY COAST| ANGOLA | USA | MEXICO | COLOMBIA | BRASIL gfi.be - gfi.lu - gfi.world Jesus.perez.franco@gfi.be https://www.linkedin.com/in/jpefranco/ Jesus Perez Franco Application Architect Digital Business Gfi Registered office Square de Meeûs 28/40 – 1000 Brussels Tel: +32(0)16381111 Fax: +32(0)16381100 info@gfi.be

Recommended

Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Spring Security
Spring SecuritySpring Security
Spring SecurityKnoldus Inc.
 
Spring security
Spring securitySpring security
Spring securitySaurabh Sharma
 
Spring Boot
Spring BootSpring Boot
Spring Bootkoppenolski
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
Introduction to Spring Boot
Introduction to Spring BootIntroduction to Spring Boot
Introduction to Spring BootPurbarun Chakrabarti
 
Spring Security
Spring SecuritySpring Security
Spring SecuritySumit Gole
 
Getting started with Spring Security
Getting started with Spring SecurityGetting started with Spring Security
Getting started with Spring SecurityKnoldus Inc.
 

Recommended

Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Spring Security
Spring SecuritySpring Security
Spring SecurityKnoldus Inc.
 
Spring security
Spring securitySpring security
Spring securitySaurabh Sharma
 
Spring Boot
Spring BootSpring Boot
Spring Bootkoppenolski
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
Introduction to Spring Boot
Introduction to Spring BootIntroduction to Spring Boot
Introduction to Spring BootPurbarun Chakrabarti
 
Spring Security
Spring SecuritySpring Security
Spring SecuritySumit Gole
 
Getting started with Spring Security
Getting started with Spring SecurityGetting started with Spring Security
Getting started with Spring SecurityKnoldus Inc.
 
Spring data jpa
Spring data jpaSpring data jpa
Spring data jpaJeevesh Pandey
 
Spring boot - an introduction
Spring boot - an introductionSpring boot - an introduction
Spring boot - an introductionJonathan Holloway
 
Spring Boot
Spring BootSpring Boot
Spring BootPei-Tang Huang
 
Introduction to spring boot
Introduction to spring bootIntroduction to spring boot
Introduction to spring bootSantosh Kumar Kar
 
Xke spring boot
Xke spring bootXke spring boot
Xke spring bootsourabh aggarwal
 
Spring Framework - Core
Spring Framework - CoreSpring Framework - Core
Spring Framework - CoreDzmitry Naskou
 
Spring boot Introduction
Spring boot IntroductionSpring boot Introduction
Spring boot IntroductionJeevesh Pandey
 
Spring boot
Spring bootSpring boot
Spring bootBhagwat Kumar
 
Spring boot
Spring bootSpring boot
Spring bootPradeep Shanmugam
 
Spring - Part 1 - IoC, Di and Beans
Spring - Part 1 - IoC, Di and Beans Spring - Part 1 - IoC, Di and Beans
Spring - Part 1 - IoC, Di and Beans Hitesh-Java
 
Spring Boot
Spring BootSpring Boot
Spring BootJaran Flaath
 
Spring Boot and REST API
Spring Boot and REST APISpring Boot and REST API
Spring Boot and REST API07.pallav
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOPDzmitry Naskou
 
Spring Boot
Spring BootSpring Boot
Spring BootJiayun Zhou
 
PUC SE Day 2019 - SpringBoot
PUC SE Day 2019 - SpringBootPUC SE Day 2019 - SpringBoot
PUC SE Day 2019 - SpringBootJosué Neis
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
Spring Core
Spring CoreSpring Core
Spring CorePushan Bhattacharya
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3Jason Ferguson
 
Spring data presentation
Spring data presentationSpring data presentation
Spring data presentationOleksii Usyk
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with SpringJoshua Long
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...Hitachi, Ltd. OSS Solution Center.
 

More Related Content

What's hot

Spring boot - an introduction
Spring boot - an introductionSpring boot - an introduction
Spring boot - an introductionJonathan Holloway
 
Spring Framework - Core
Spring Framework - CoreSpring Framework - Core
Spring Framework - CoreDzmitry Naskou
 
Spring boot Introduction
Spring boot IntroductionSpring boot Introduction
Spring boot IntroductionJeevesh Pandey
 
Spring - Part 1 - IoC, Di and Beans
Spring - Part 1 - IoC, Di and Beans Spring - Part 1 - IoC, Di and Beans
Spring - Part 1 - IoC, Di and Beans Hitesh-Java
 
Spring Boot and REST API
Spring Boot and REST APISpring Boot and REST API
Spring Boot and REST API07.pallav
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOPDzmitry Naskou
 
PUC SE Day 2019 - SpringBoot
PUC SE Day 2019 - SpringBootPUC SE Day 2019 - SpringBoot
PUC SE Day 2019 - SpringBootJosué Neis
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
Spring data presentation
Spring data presentationSpring data presentation
Spring data presentationOleksii Usyk
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with SpringJoshua Long
 

What's hot (20)

Spring data jpa
Spring data jpaSpring data jpa
Spring data jpa
 
Spring boot - an introduction
Spring boot - an introductionSpring boot - an introduction
Spring boot - an introduction
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
Introduction to spring boot
Introduction to spring bootIntroduction to spring boot
Introduction to spring boot
 
Xke spring boot
Xke spring bootXke spring boot
Xke spring boot
 
Spring Framework - Core
Spring Framework - CoreSpring Framework - Core
Spring Framework - Core
 
Spring boot Introduction
Spring boot IntroductionSpring boot Introduction
Spring boot Introduction
 
Spring boot
Spring bootSpring boot
Spring boot
 
Spring boot
Spring bootSpring boot
Spring boot
 
Spring - Part 1 - IoC, Di and Beans
Spring - Part 1 - IoC, Di and Beans Spring - Part 1 - IoC, Di and Beans
Spring - Part 1 - IoC, Di and Beans
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
Spring Boot and REST API
Spring Boot and REST APISpring Boot and REST API
Spring Boot and REST API
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
PUC SE Day 2019 - SpringBoot
PUC SE Day 2019 - SpringBootPUC SE Day 2019 - SpringBoot
PUC SE Day 2019 - SpringBoot
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
 
Spring Core
Spring CoreSpring Core
Spring Core
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
 
Spring data presentation
Spring data presentationSpring data presentation
Spring data presentation
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with Spring
 

Similar to Spring Security 5

Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...Hitachi, Ltd. OSS Solution Center.
 
Timings API: Performance Assertion during the functional testing
Timings API: Performance Assertion during the functional testing Timings API: Performance Assertion during the functional testing
Timings API: Performance Assertion during the functional testingPetrosPlakogiannis
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicHarihara sarma
 
Blibli Web Application Security Policy Enforcement Point
Blibli Web Application Security Policy Enforcement Point Blibli Web Application Security Policy Enforcement Point
Blibli Web Application Security Policy Enforcement Point SARCCOM
 
Itb 2021 - Bulding Quick APIs by Gavin Pickin
Itb 2021 - Bulding Quick APIs by Gavin PickinItb 2021 - Bulding Quick APIs by Gavin Pickin
Itb 2021 - Bulding Quick APIs by Gavin PickinGavin Pickin
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsPuma Security, LLC
 
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATUREProfesia Srl, Lynx Group
 
Full Angular 7 Firebase Authentication System
Full Angular 7 Firebase Authentication SystemFull Angular 7 Firebase Authentication System
Full Angular 7 Firebase Authentication SystemDigamber Singh
 
Building 12-factor Cloud Native Microservices
Building 12-factor Cloud Native MicroservicesBuilding 12-factor Cloud Native Microservices
Building 12-factor Cloud Native MicroservicesJakarta_EE
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
Unlocking security insights with Microsoft Graph API
Unlocking security insights with Microsoft Graph APIUnlocking security insights with Microsoft Graph API
Unlocking security insights with Microsoft Graph APIMicrosoft Tech Community
 
Simple stock market analysis
Simple stock market analysisSimple stock market analysis
Simple stock market analysislynneblue
 
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration
DEVNET-1010 Using Cisco pxGrid for Security Platform IntegrationDEVNET-1010 Using Cisco pxGrid for Security Platform Integration
DEVNET-1010 Using Cisco pxGrid for Security Platform IntegrationCisco DevNet
 
Security enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakSecurity enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakCharles Moulliard
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...Matt Raible
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptaljbsysatm
 
RICOH THETA x IoT Developers Contest : Cloud API Seminar
RICOH THETA x IoT Developers Contest : Cloud API Seminar RICOH THETA x IoT Developers Contest : Cloud API Seminar
RICOH THETA x IoT Developers Contest : Cloud API Seminarcontest-theta360
 

Similar to Spring Security 5 (20)

Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...
 
Timings API: Performance Assertion during the functional testing
Timings API: Performance Assertion during the functional testing Timings API: Performance Assertion during the functional testing
Timings API: Performance Assertion during the functional testing
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogic
 
Blibli Web Application Security Policy Enforcement Point
Blibli Web Application Security Policy Enforcement Point Blibli Web Application Security Policy Enforcement Point
Blibli Web Application Security Policy Enforcement Point
 
Itb 2021 - Bulding Quick APIs by Gavin Pickin
Itb 2021 - Bulding Quick APIs by Gavin PickinItb 2021 - Bulding Quick APIs by Gavin Pickin
Itb 2021 - Bulding Quick APIs by Gavin Pickin
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
 
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 
Full Angular 7 Firebase Authentication System
Full Angular 7 Firebase Authentication SystemFull Angular 7 Firebase Authentication System
Full Angular 7 Firebase Authentication System
 
Building 12-factor Cloud Native Microservices
Building 12-factor Cloud Native MicroservicesBuilding 12-factor Cloud Native Microservices
Building 12-factor Cloud Native Microservices
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdf
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdf
 
Unlocking security insights with Microsoft Graph API
Unlocking security insights with Microsoft Graph APIUnlocking security insights with Microsoft Graph API
Unlocking security insights with Microsoft Graph API
 
Simple stock market analysis
Simple stock market analysisSimple stock market analysis
Simple stock market analysis
 
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration
DEVNET-1010 Using Cisco pxGrid for Security Platform IntegrationDEVNET-1010 Using Cisco pxGrid for Security Platform Integration
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration
 
Security enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakSecurity enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & Keycloak
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptal
 
RICOH THETA x IoT Developers Contest : Cloud API Seminar
RICOH THETA x IoT Developers Contest : Cloud API Seminar RICOH THETA x IoT Developers Contest : Cloud API Seminar
RICOH THETA x IoT Developers Contest : Cloud API Seminar
 

Recently uploaded

Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸mathanramanathan2005
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYPHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYpruthirajnayak525
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxmavinoikein
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMQuality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMCharmi13
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxaryanv1753
 
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSimulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSebastiano Panichella
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringSebastiano Panichella
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRsarwankumar4524
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Escort Service
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxCarrieButtitta
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...Henrik Hanke
 
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...marjmae69
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRachelAnnTenibroAmaz
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Krijn Poppe
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptxChizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptxogubuikealex
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxnoorehahmad
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSebastiano Panichella
 
Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxJohnree4
 
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...漢銘 謝
 

Recently uploaded (20)

Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYPHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptx
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMQuality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEM
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptx
 
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSimulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
 
The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software Engineering
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptx
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
 
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptxChizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptx
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation Track
 
Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptx
 
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
 

Spring Security 5

  • 1. gfi.be - gfi.lu - gfi.world Spring Security 5 Implementing Spring Security 5 in an existing Spring Boot 2 application GfiBelux | 04/09/2018
  • 2. Who am I? Application Architect › Agile DevOps Enthusiast › I have been an all-purpose Software Engineer for over 17 years' experience. › I worked at Gfi Spain for 12 years › I arrived in GfiBelux in January 2018 › I’m currently working for Toyota Motors Europe in the CAST Team 2 Besides work… › Enjoying a lot with my family › Two children  › Doing sport › Running, Fitness, Footboll... › Planting vegetables › Ecological Orchard › Drinking Belgium beer › With colleagues better ;) Jesus Perez Franco https://www.linkedin.com/in/jpefranco/
  • 3. Summary I. Introduction: Spring Framework vs. Spring Boot vs. Spring Security II. What is Spring Security? III. Spring Security Fundamentals I IV. Spring Security Workflow V. Spring Security Architecture VI. Spring Security Configuration VII. Spring Security Fundamentals II VIII. Spring Security with REST API or RESTful Web Services IX. Spring Security OAuth2 X. JSON Web Token (JWT) with REST API XI. Practice: Impl Security GfiBelux | 04/09/2018 Spring Security 3 In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider Session1Session2
  • 4. Introduction: Spring Framework vs. Spring Boot vs. Spring Security › Spring Framework is a Java platform that provides comprehensive infrastructure support for developing Java applications. › Spring Boot is based on the Spring Framework, providing auto-configuration features to your Spring applications and is designed to get you up and running as quickly as possible. › Spring Security provides comprehensive security services for Java EE- based software applications. There is a particular emphasis on supporting projects built using the Spring Framework. 4 Spring Security GfiBeLux | 04/09/2018 Spring Framework Spring Boot 2 Spring Security 5 Spring MVC Spring Data Etc...
  • 5. What is Spring Security? › Spring Security is a framework that focuses on providing both authentication and authorization (or “access-control”) to Java web application and SOAP/RESTful web services › Spring Security currently supports integration with all of the following technologies: › HTTP basic access authentication › LDAP system › OpenID identity providers › JAAS API › CAS Server › ESB Platform › ..... › Your own authentication systems › It is built on top of Spring Framework 5 Spring Security GfiBeLux | 04/09/2018
  • 6. Spring Security Fundamentals I › Principal › User that performs the action › Authentication › Confirming truth of credentials › Authorization › Define access policy for principal › GrantedAuthority › Application permission granted to a principal › SecurityContext › Hold the authentication and other security information › SecurityContextHolder › Provides access to SecurityContext 6 Spring Security GfiBeLux | 04/09/2018 › AuthenticationManager › Controller in the authentication process › AuthenticationProvider › Interface that maps to a data store which stores your user data. › Authentication Object › Object is created upon authentication, which holds the login credentials. › UserDetails › Data object which contains the user credentials, but also the Roles of the user. › UserDetailsService › Collects the user credentials, authorities(roles) and build an UserDetails object.
  • 7. Front End Spring Security Common Workflow 7 Spring Security GfiBeLux | 04/09/2018 Controller in the process that it just delegates to a collection of AuthenticationProvider instances. Call an object that implements the UserDetailsService interface, which it looks up the user data and returns a UserDetails object. Will check that the password matches the password the user entered. Authentication object with the login credentials is created Back End Request Login Request REST API
  • 8. Spring Security Architecture 8 Spring Security GfiBeLux | 04/09/2018 Spring security has a series/chain of filters (HTTP Basic, OAuth2, JWT) Authentication object
  • 9. Spring Security Configuration › Step 1. Project structure › Step 2. Maven or Gradle dependencies › Step 3. Spring Security configuration › Web Security Authentication (@EnableWebSecurity) › In-Memory Authentication › JDBC Authentication › LDAP Authentication › UserDetailsService › AuthenticationProvider › REST API › OAuth 2.0 SSO Authentication › JSON Web Token (JWT) 9 Spring Security GfiBeLux | 04/09/2018 Users AuthorisationPermissions UserID AuthorisationID UserID username AuthorisationAuthorisationID ... domain Java module (Spring Data JPA) security Java module (Spring Security) business Java module (Spring Data REST) import Use BCrypt, as it’s usually the best solution available. {crypt} password WebSecurityConfigurerAdapter
  • 10. Spring Security Configuration: Project structure 10 Spring Security GfiBeLux | 04/09/2018 › You can use start.spring.io to generate a basic project. › You can create the project web+spring security from IDE Database DependencyDependency Spring Security provides a variety of options for performing authentication. We are going to see the most frequently used.
  • 11. Spring Security Configuration: Maven dependencies 11 Spring Security GfiBeLux | 04/09/2018 <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>5.0.7.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>5.0.7.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>5.0.7.RELEASE</version> </dependency> › pom.xml › Each release uses a standard triplet of integers: MAJOR.MINOR.PATCH › All GA releases (i.e. versions ending in .RELEASE) are deployed to Maven Central. › If you are using a SNAPSHOT version, you will need to have the Spring Snapshot repository: › If you are using a release candidate or milestone version: <repositories> <repository> <id>spring-snapshot</id> <name>Spring Snapshot Repository</name> <url>http://repo.spring.io/snapshot</url> </repository> </repositories> <repositories> <repository> <id>spring-milestone</id> <name>Spring Milestone Repository</name> <url>http://repo.spring.io/milestone</url> </repository> </repositories> You can get hold of Spring Security in several ways. You can also use Gradle and to set the build.gradle file.
  • 12. Spring Security Configuration: @EnableWebSecurity and HttpSecurity 12 Spring Security GfiBeLux | 04/09/2018 @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/", "/index").permitAll() .anyRequest() .hasAnyRole("Consultant“, “Teamlead”, “Hr”) .and() .formLogin() .loginPage("/login").failureUrl("/login-error") .and() .exceptionHandling() .accessDeniedPage("/forbidden"); ... › Adding more configuration options: › Form Login › Authorize request › Handling logout, exception, custom filters... › You have to adapt it for your own application @RequestMapping("/") public String root() { return "redirect:/index"; } @RequestMapping("/index") public String index() { return "index"; } @RequestMapping("/user/index") public String userIndex() { return "user/index"; } @RequestMapping(value = "/login") public String login() { return "login"; } @RequestMapping(value = "/forbidden") public String forbidden() { return "forbidden"; }
  • 13. Spring Security Configuration: In-Memory Authentication - AuthenticationManagerBuilder 13 Spring Security GfiBeLux | 04/09/2018 @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user").password("{noop}password") .roles("Consultant", "Teamlead", "Hr"); } ... › In-memory authentication is usually used in development phase › Configure the authentication method In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
  • 14. Spring Security Configuration: JDBC Authentication - AuthenticationManagerBuilder 14 Spring Security GfiBeLux | 04/09/2018 @Override public void configure(AuthenticationManagerBuilder auth) throws Exception DataSource dataSource = new JpaConfiguration().dataSource(); auth .jdbcAuthentication() .dataSource(dataSource) .usersByUsernameQuery("select username, password, 'true' as enabled" + " from user where username=?") .authoritiesByUsernameQuery("select username, authorisation as authority from" + " authorisation a, permissions p, user u" + " where a.AuthorisationID=p.AuthorisationID and" + " u.UserID=p.UserID and username=?") .passwordEncoder(passwordEncoder()); ... With JDBC-based authentication the user’s authentication and authorization information are stored in the database. The standard JDBC implementation of the UserDetailsService requires tables to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user. You have to use the schema defined. It’s possible to use the default database scheme provided in spring security documentation or define the SQL query It’s defined in Domain module Create my encryption mechanisms In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
  • 15. Spring Security Configuration: JDBC Authentication – PasswordEconderImpl 15 Spring Security GfiBeLux | 04/09/2018 Spring Security 5 recommends the use of BCrypt, a salt that helps prevent pre-computed dictionary attacks. Most of the other encryption mechanisms, such as the MD5PasswordEncoder and ShaPasswordEncoder use weaker algorithms and are now deprecated. @Service public class PasswordEncoderImpl implements PasswordEncoder { @Override public String encode(CharSequence rawPassword) { String hashed = BCrypt.hashpw(rawPassword.toString(), BCrypt.gensalt(12)); return hashed; } @Override public boolean matches(CharSequence rawPassword, String encodedPassword) { return BCrypt.checkpw(rawPassword.toString(), encodedPassword); } } Default value is 10
  • 16. Spring Security Configuration: JDBC Authentication - Encrypted properties with Spring 16 Spring Security GfiBeLux | 04/09/2018 To automate this process, you can add the encryption key to your deployment infrastructure like Jenkins, Bamboo, etc. You must store encrypted credentials, so would NOT allow everybody with access to the repository to use these credentials. <properties> <database.host>localhost</database.host> <database.name>academy</database.name> <database.port>3306</database.port> <database.driver>com.mysql.jdbc.Driver</database.driver> <database.username>root</database.username> <database.password>{cipher}1a5f8bbf59c7290ec5b99fe91e05dd02d692cc07bb1d7bd931f7b4c27679a391 </database.password> <database.url>jdbc:mysql://${database.host}:${database.port}/${database.name}?useSSL=false</database.url> </properties> Database configuration both pom.xml and application.properties file # spring encrypt secret --key root I use Spring Boot CLI to encrypt it: 1a5f8bbf59c7290ec5b99fe91e05dd02d692cc07bb1d7bd931f7b4c27679a391 be.gfi.academy.password=${database.password} # set ENCRYPT_KEY=secret # mvn clean install –DskiptTests=true # cd security # mvn spring-boot:run You have to provide the key via the property encrypt.key or ENCRYPT_KEY variable environment Spring recommends to use BCrypt BCryptPasswordEncoder, a stronger hashing algorithm with randomly generated salt.
  • 17. Spring Security Configuration: LDAP Authentication - AuthenticationManagerBuilder 17 Spring Security GfiBeLux | 04/09/2018 public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .ldapAuthentication() .userDnPatterns("uid={0},ou=people") .groupSearchBase("ou=groups") .contextSource() .url("ldap://localhost:389/dc=springframework,dc=org") .and() .passwordCompare() .passwordEncoder(passwordEncoder()) .passwordAttribute("userPassword"); } <dependency> <groupId>org.springframework.ldap</groupId> <artifactId>spring-ldap-core</artifactId> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-ldap</artifactId> </dependency> With LDAP-based authentication the user’s authentication and authorization information are stored in a directory LDAP. Use the configurations files, either application.properties or application.yml You must store encrypted credentials, so would NOT allow everybody with access to the repository to use these credentials. encrypted.property={cipher}71144...... To automate this process, you can add the encryption key to your deployment infrastructure like Jenkins, Bamboo and so on. In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
  • 18. Spring Security Configuration: UserDetailsService I - AuthenticationManagerBuilder 18 Spring Security GfiBeLux | 04/09/2018 @Autowired private UserDetailsServiceImpl userDetailsService; @Autowired private PasswordEncoderImpl passwordEncoder; @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .authenticationProvider(userDetailsService); .passwordEncoder(passwordEncoder); } The standard scenario uses a simple UserDetailsService where I usually store the password in database and spring security framework performs a check on the password. What happens when you are using a different authentication system, and the password is not provided in your own database/data model? In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
  • 19. Spring Security Configuration: UserDetailsService II - AuthenticationManagerBuilder 19 Spring Security GfiBeLux | 04/09/2018 @Service @Transactional public class UserDetailsServiceImpl implements UserDetailsService { @Autowired private IUserDao userDAO; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { UserVO user = userDAO.findByUsername(username); if (user == null) { throw new UsernameNotFoundException(username); } return new UserPrincipalImpl(user); } } This User Details Service only has access to the username in order to retrieve the full user entity – and in a large number of scenarios, this is enough. It’s defined in Domain module
  • 20. Spring Security Configuration: UserPrincipal - AuthenticationManagerBuilder 20 Spring Security GfiBeLux | 04/09/2018 public class UserPrincipalImpl implements UserDetails { String ROLE_PREFIX = "ROLE_"; private UserVO user; public UserPrincipalImpl(UserVO user) { this.user = user; } @Override public String getPassword() { return user.getPassword(); } @Override public String getUsername() { return user.getUsername(); } @Override public Collection<GrantedAuthority> getAuthorities() { List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); List<AuthorisationVO> roles = user.getRoles(); for(AuthorisationVO item : roles) { grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+item.getAuthorisation())); } return grantedAuthorities; } ... ... } @RestController @RequestMapping("/api") public class TestService { @RequestMapping("/user-information") @ResponseBody public Principal information(Principal principal) { return principal; } } http://localhost:8080/api/user-information API Test In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
  • 21. Spring Security Configuration: Authentication Provider I - AuthenticationManagerBuilder 21 Spring Security GfiBeLux | 04/09/2018 @Autowired private AuthenticationProviderImpl authProvider; @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .authenticationProvider(authProvider); } More custom scenarios will still need to access the full Authentication request to be able to perform the authentication process – for example when authenticating against some external, third party service (e.g. CAS/IS - Centralized Authentication System/Identity Server, so my system have no idea about the password) – both the username and the password from the authentication request will be necessary. For these more advanced scenarios we’ll need to define a custom Authentication Provider:
  • 22. Spring Security Configuration: Authentication Provider II - AuthenticationManagerBuilder 22 Spring Security GfiBeLux | 04/09/2018 public class AuthenticationProviderImpl implements AuthenticationProvider { @Autowired private IUserDao userDAO; @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { String name = authentication.getName(); String password = authentication.getCredentials().toString(); UserVO user = userDAO.findByUsername(name); if (user == null) { throw new BadCredentialsException("Authentication failed for " + name); } List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); if (new PasswordEncoderImpl().matches(password, user.getPassword())) { List<AuthorisationVO> roles = user.getRoles(); for(AuthorisationVO item : roles) { grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+item.getAuthorisation())); } } ... Authentication against a third-party system like a database in our use case Use the credentials Must be “ROLE_”
  • 23. Summary I. Introduction: Spring Framework vs. Spring Boot vs. Spring Security II. What is Spring Security? III. Spring Security Fundamentals I IV. Spring Security Workflow V. Spring Security Architecture VI. Spring Security Configuration VII. Spring Security Fundamentals II VIII. Spring Security with REST API or RESTful Web Services IX. Spring Security OAuth2 X. JSON Web Token (JWT) with REST API XI. Practice: Impl Security GfiBelux | 04/09/2018 Spring Security 23 In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider Session1Session2
  • 24. Spring Security Fundamentals II › JWT (JSON Web Tokens) › It is just a token format. JWT tokens are JSON encoded data structures containing information about issuer, subject (claims), expiration time, etc. JWT is simpler than SAML 1.1/2.0, is supported by all devices and it is more powerful than SWT (Simple Web Token). See https://jwt.io/ › OAuth2 › OAuth2 is a framework that solves a problem when a user wants to access the data using a client software like browser-based web apps, native mobile apps or desktop apps. OAuth2 is just for authorization, client software can be authorized to access the resources on behalf of the end user by using an access token. › OpenID Connect › OpenID Connect builds on top of OAuth2 and adds authentication. OpenID Connect adds some constraints to OAuth2 like UserInfo Endpoint, ID Token, discovery and dynamic registration of OpenID Connect providers and session management. JWT is the mandatory format for the token. 24 Spring Security GfiBeLux | 04/09/2018
  • 25. Spring Security with REST API Authorization with annotations on controller I 25 Spring Security GfiBeLux | 04/09/2018 @RestController @RequestMapping("/api") public class TestService { @Secured("ROLE_Consultant") @RequestMapping("/user-information") public Principal information(Principal principal) { return principal; } @PreAuthorize("hasRole('ROLE_Consultant') and hasRole('ROLE_Teamlead') and hasRole('ROLE_Hr')") @RequestMapping("/user-details") @ResponseBody public Object details(Authentication auth) { return auth.getDetails(); } @Secured("ROLE_Consultant") @RequestMapping("/thanks") @ResponseBody public String getThanks() { return "{"message":"Thanks!"}"; } } API with access control Frontend (Node) Browser/APP Backend (Spring Boot) API RESTfull HTTPS Basic Authentication
  • 26. Spring Security with REST API Authorization with annotations on controller II 26 Spring Security GfiBeLux | 04/09/2018 By default, the BasicAuthenticationEntryPoint provisioned by Spring Security returns a full page for a 401 Unauthorized response back to the client. This HTML representation of the error renders well in a browser, but it not well suited for other scenarios, such as a REST API where a json representation may be preferred. Traditional form based authentication Cookie/Session Based Authentication (stateful) Use the Postman tool or the curl command testing your API Rest Basic Authentication with REST API (stateless). Very basic mechanism. Should be used only in HTTPS environmen Even if it is base64 encoded, it can be easily decoded
  • 27. Spring Security with REST API Authorization with annotations on controller III 27 Security GfiBeLux | 04/09/2018 public class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint { @Override public void commence (HttpServletRequest request, HttpServletResponse response, AuthenticationException authEx throws IOException { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setHeader("WWW-Authenticate", "Basic realm=" + getRealmName()); response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE); PrintWriter writer = response.getWriter(); writer.println("HTTP Status 401 : " + authEx.getMessage()); } @Override public void afterPropertiesSet() throws Exception { setRealmName(SecurityConfig.REALM_NAME); super.afterPropertiesSet(); } } http .authorizeRequests().anyRequest().authenticated() .and() .httpBasic() .authenticationEntryPoint(authenticationEntryPoint); Implementation of a custom BasicAuthenticationEntryPoint
  • 28. Spring Security OAuth2 Single Sign-On 28 Spring Security GfiBeLux | 04/09/2018 Copying the client-id and client-secret to application.properties or application.yml Setting the redirect URI To begin, obtain OAuth 2.0 client credentials from the Google API Console. Google's OAuth 2.0 APIs can be used for both authentication and authorization, which conforms to the OpenID Connect specification.
  • 29. Spring Security OAuth2 Single Sign-On 29 Spring Security GfiBeLux | 04/09/2018 spring.security.oauth2.client.registration.google.client-id=277735095424...... spring.security.oauth2.client.registration.google.client-secret=XGksESFC01e58..... <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-oauth2-client</artifactId> <version>${spring-security-version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-oauth2-jose</artifactId> <version>${spring-security-version}</version> </dependency> @Override protected void configure(HttpSecurity http) { http .authorizeRequests() .antMatchers("/", "/index") .permitAll() .antMatchers("/user/**") .authenticated() .and() .oauth2Login() .loginPage("/login"); Use the Google's OAuth 2.0 endpoints to authorize access to Google APIs. <a href="/oauth2/authorization/google">Google account</a> Frontend (Node) Browser/APP Backend I Call Google API Token Call Backend API <token> Check token response Backend II ... SSO Application.properties file
  • 30. JSON Web Token (JWT) with REST API 30 Spring Security GfiBeLux | 04/09/2018 Step 1: Request /api/login and get the JWT Step 2: Request API REST with JWT (token)
  • 31. JSON Web Token (JWT) with REST API Configuration 31 Spring Security GfiBeLux | 04/09/2018 @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers(HttpMethod.POST,"/api/login") .permitAll() .anyRequest() .authenticated() .and() // We filter the api/login requests .addFilterBefore(new JWTLoginFilter("/api/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class) // And filter other requests to check the presence of JWT in header .addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class); <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.9.0</version> </dependency>
  • 32. JSON Web Token (JWT) with REST API JWTLoginFilter 32 Spring Security GfiBeLux | 04/09/2018 public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter{ private TokenAuthenticationService tokenAuthenticationService; public JWTLoginFilter(String url, AuthenticationManager authenticationManager) { super(new AntPathRequestMatcher(url)); setAuthenticationManager(authenticationManager); tokenAuthenticationService = new TokenAuthenticationService(); } @Override public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException { AccountCredentials credentials = new ObjectMapper().readValue(httpServletRequest.getInputStream(),AccountCredentials.class); UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(credentials.getUsername(), credentials.getPassword()); return getAuthenticationManager().authenticate(token); } @Override protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication) throws IOException, ServletException{ String name = authentication.getName(); tokenAuthenticationService.addAuthentication(response,name); } }
  • 33. JSON Web Token (JWT) with REST API TokenAuthenticationService 33 Spring Security GfiBeLux | 04/09/2018 public class TokenAuthenticationService { private long EXPIRATIONTIME = 1000 * 60 * 60 * 24 * 10; // 10 days private String secret = "secret"; // Must be an environment variable into OS private String tokenPrefix = ""; // "Bearer " private String headerString = "Authorization"; public void addAuthentication(HttpServletResponse response, String username) { String JWT = Jwts.builder() .setSubject(username) .setExpiration(new Date(System.currentTimeMillis() + EXPIRATIONTIME)) .signWith(SignatureAlgorithm.HS512, secret).compact(); response.addHeader(headerString,tokenPrefix + JWT); } public Authentication getAuthentication(HttpServletRequest request) { String token = request.getHeader(headerString); if(token != null) { String username = Jwts.parser() .setSigningKey(secret) .parseClaimsJws(token) .getBody() .getSubject(); if(username != null) // we managed to retrieve a user { return new AuthenticatedUserImpl(username); } } return null; } }
  • 34. JSON Web Token (JWT) with REST API AuthenticatedUserImpl 34 Spring Security GfiBeLux | 04/09/2018 public class AuthenticatedUserImpl implements Authentication { String ROLE_PREFIX = "ROLE_"; private boolean authenticated = true; private String name; @Autowired private IUserDao userDAO; AuthenticatedUserImpl(String name){ this.name = name; } @Override public Collection<GrantedAuthority> getAuthorities() { List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); UserVO user = userDAO.findByUsername(name); List<AuthorisationVO> roles = user.getRoles(); for(AuthorisationVO item : roles) { grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+item.getAuthorisation())); } grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+"Consultant")); return grantedAuthorities; } .... ....
  • 35. JSON Web Token (JWT) with REST API JWTLoginFilter and AccountCredentials 35 Spring Security GfiBeLux | 04/09/2018 public class JWTAuthenticationFilter extends GenericFilterBean{ @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { Authentication authentication = new TokenAuthenticationService().getAuthentication((HttpServletRequest)request); SecurityContextHolder.getContext().setAuthentication(authentication); filterChain.doFilter(request,response); } } public class AccountCredentials { private String username; private String password; String getUsername() { return username; } String getPassword() { return password; } public void setUsername(String _username) { this.username = _username; } public void setPassword(String _password) { this.password = _password; } }
  • 36. FRANCE | SPAIN | PORTUGAL | BELGIUM | SWITSERLAND | LUXEMBURG | UNITED KINGDOM | POLAND | ROMANIA | MOROCCO | IVORY COAST| ANGOLA | USA | MEXICO | COLOMBIA | BRASIL gfi.be - gfi.lu - gfi.world Jesus.perez.franco@gfi.be https://www.linkedin.com/in/jpefranco/ Jesus Perez Franco Application Architect Digital Business Gfi Registered office Square de Meeûs 28/40 – 1000 Brussels Tel: +32(0)16381111 Fax: +32(0)16381100 info@gfi.be

Editor's Notes

  1. To Dev is used.