Spring Security

1. Spring Security
Registration, Login, Thymeleaf
SoftUni Team
Technical Trainers
Software University
http://softuni.bg

2. Table of Contents
1. Spring Security
1. Configuration
2. Registration
3. Login
4. Remember Me
5. CSFR
2. Thymeleaf Security
2

3. 3
sli.do
#JavaWeb
Have a Question?

4. 4
What is Spring Security

5. 5
 framework that focuses on providing both authentication and
authorization
Spring Security
Authentication Authorization

6. 6
Spring Security Mechanism
Intercept
Request
GET
username
password
Database
Authentication
Manager
Access Decision
Manager
Validate
username
password
Valid
Credentials
Validate
Roles
Valid
Authorization
Secured
Resources
Web Client
Intercept
Request

7. 7
Spring Security Maven
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
pom.xml

8. 8
 Extend WebSecurityConfigurerAdapter
Spring Security Configuration (1)
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends
WebSecurityConfigurerAdapter {
//Configuration goes here
}
SecurityConfiguration.java
Enable Security

9. 9
 Override configure(HttpSecurity http)
Spring Security Configuration (2)
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/register").permitAll()
.anyRequest().authenticated()
}
SecurityConfiguration.java
Authorize Requests
Permit Routes
Require Authentication

10. 10
 We need to implement UserDetails interface
Registration - User
@Entity
public class User implements UserDetails {
private String username;
private String password;
private boolean isAccountNonExpired;
private boolean isAccountNonLocked;
private boolean isCredentialsNonExpired;
private boolean isEnabled;
private Set<Role> authorities;
}
User.java

11. 11
 We need to implement GrantedAuthority interface
Registration - Roles
public class Role implements GrantedAuthority {
private String authority;
}
Role.java
Role Interface

12. 12
 We need to implement UserDetailsService interface
Registration - UserService
@Service
public class UserServiceImpl implements UserDetailsService {
@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
@Override
public void register(RegisterModel registerModel) {
bCryptPasswordEncoder.encode(password));
}
}
UserServiceImpl.java
Encrypt Password

13. 13
 We need to disable CSRF protection temporally
Registration - Configuration
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.and()
.csrf().disable();
}
SecurityConfiguration.java
Disable CSRF

14. 14
Login Mechanism
Web Client
GET localhost:8080
Session Cookie
GET localhost:8080
Session Cookie
Create
Session
Validate
Session

15. 15
Login - Configuration
.and()
.formLogin().loginPage("/login").permitAll()
.usernameParameter("username")
.passwordParameter("password")
SecurityConfiguration.java
<input type="text" name="username"/>
<input type="text" name="password"/>
login.html

16. 16
Login - UserService
@Service
public class UserServiceImpl implements UserDetailsService {
@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
@Override
public UserDetails loadUserByUsername(String username) throws
UsernameNotFoundException {
}
}
UserServiceImpl.java
User Service
Interface

17. 17
Login - Controller
@Controller
public class LoginController {
@GetMapping("/login")
public String getLoginPage(@RequestParam(required = false) String
error, Model model) {
if(error != null){
model.addAttribute("error", "Error");
}
return "login";
}
}
LoginController.java
Error Handling

18. 18
Logout
.and()
.logout().logoutSuccessUrl("/login?logout").permitAll()
SecurityConfiguration.java
Logout. No
Controller is
required

19. 19
Remember Me
.and()
.rememberMe()
.rememberMeParameter("remember")
.key("remember Me Encryption Key")
.rememberMeCookieName("rememberMeCookieName")
.tokenValiditySeconds(10000)
SecurityConfiguration.java
<input name="remember" type="checkbox" />
login.html

20. 20
 This is the currently logged user
Principal
@GetMapping("/user")
public String getUser(Principal principal){
System.out.println(principal.getName());
return "user";
}
UserController.java
Print Logged-In
username

21. 21
 Grant Access to specific methods
Pre/Post Authorize
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends
WebSecurityConfigurerAdapter {
}
SecurityConfiguration.java
public interface UserService extends UserDetailsService {
@PreAuthorize("hasRole('ADMIN')")
void delete();
}
UserService.java
Enables
PreAuthorize
Requires Admin
Role to execute

22. 22
No Access Handling
.and()
.exceptionHandling().accessDeniedPage("/unauthorized")
SecurityConfiguration.java
@GetMapping("/unauthorized")
@ResponseBody
public String unauthorized(){
return "no access";
}
AcessController.java

23. 23
CSRF

24. 24
Spring CSFR Protection
.csrf()
.csrfTokenRepository(csrfTokenRepository())
private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new
HttpSessionCsrfTokenRepository();
repository.setSessionAttributeName("_csrf");
return repository;
}
AcessController.java
<input type="hidden" th:name="${_csrf.parameterName}"
th:value="${_csrf.token}" />
form.html

25. 25
What is Thymeleaf Security

26. 26
 Functionality to display data based on authentication rules
Thymeleaf Security
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>
pom.xml

27. 27
Principal
<!DOCTYPE html>
<html lang="en"
xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<body>
<div sec:authentication="name">
The value of the "name" property of the authentication object
should appear here.
</div>
</body>
</html>
pom.xml
Show the
username

28. 28
Roles
<!DOCTYPE html>
<html lang="en"
xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<body>
<div sec:authorize="hasRole('ADMIN')">
This content is only shown to administrators.
</div>
</body>
</html>
pom.xml
Show if you are
admin

29. 29
 Spring Security – framework that focuses
on providing both authentication
and authorization
 Thymeleaf Security– functionality to display
data based on authentication rules
Summary

30. ?
Web Development Basics – Course Overview
https://softuni.bg/courses/

31. License
 This course (slides, examples, demos, videos, homework, etc.)
is licensed under the "Creative Commons Attribution-
NonCommercial-ShareAlike 4.0 International" license
31

32. Free Trainings @ Software University
 Software University Foundation – softuni.org
 Software University – High-Quality Education,
Profession and Job for Software Developers
 softuni.bg
 Software University @ Facebook
 facebook.com/SoftwareUniversity
 Software University @ YouTube
 youtube.com/SoftwareUniversity
 Software University Forums – forum.softuni.bg