Jesus Perez Franco, profile picture
Uploaded byJesus Perez Franco
PPTX, PDF9,147 views

Spring Security 5

This document provides an overview of Spring Security including: I. It distinguishes Spring Framework, Spring Boot, and Spring Security and their relationships. II. It defines Spring Security as a framework focusing on authentication and authorization for Java applications. III. It outlines some of the core concepts in Spring Security such as Principal, Authentication, Authorization, GrantedAuthority etc. The document serves as an introduction to Spring Security fundamentals and architecture.

Presentations & Public Speaking
In this document
Powered by AI

Overview of Spring Security 5 in existing Spring Boot applications, focusing on architecture and configuration.

Differences between Spring Framework, Spring Boot, and Spring Security explained with features.

Basic concepts: Principal, Authentication, Authorization, SecurityContext, and Spring Security workflow.

Steps to configure Spring Security using Maven and project structure setup for authentication.

Details on Maven dependencies needed for Spring Security configurations, versioning standards.

Explaining @EnableWebSecurity and configurations for In-Memory, JDBC, and LDAP authentication.

Recommendations on password encryption using BCrypt and best practices for storing credentials securely.

Using custom UserDetailsService for authenticating users and managing roles, along with implementation.

How to create a custom AuthenticationProvider for handling authentication against external systems.

Key advanced topics including JWT tokens, OAuth2, and OpenID Connect for enhanced security.

Implementing REST API security using annotations for authorization and handling unauthorized access.

Setting up OAuth2 for Single Sign-On using Google API for authentication in Spring applications.

Utilizing JWT for REST API security with detailed step-by-step configuration and user authentication.

Embed presentation

Downloaded 445 times
gfi.be - gfi.lu - gfi.world Spring Security 5 Implementing Spring Security 5 in an existing Spring Boot 2 application GfiBelux | 04/09/2018
Who am I? Application Architect › Agile DevOps Enthusiast › I have been an all-purpose Software Engineer for over 17 years' experience. › I worked at Gfi Spain for 12 years › I arrived in GfiBelux in January 2018 › I’m currently working for Toyota Motors Europe in the CAST Team 2 Besides work… › Enjoying a lot with my family › Two children  › Doing sport › Running, Fitness, Footboll... › Planting vegetables › Ecological Orchard › Drinking Belgium beer › With colleagues better ;) Jesus Perez Franco https://www.linkedin.com/in/jpefranco/
Summary I. Introduction: Spring Framework vs. Spring Boot vs. Spring Security II. What is Spring Security? III. Spring Security Fundamentals I IV. Spring Security Workflow V. Spring Security Architecture VI. Spring Security Configuration VII. Spring Security Fundamentals II VIII. Spring Security with REST API or RESTful Web Services IX. Spring Security OAuth2 X. JSON Web Token (JWT) with REST API XI. Practice: Impl Security GfiBelux | 04/09/2018 Spring Security 3 In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider Session1Session2
Introduction: Spring Framework vs. Spring Boot vs. Spring Security › Spring Framework is a Java platform that provides comprehensive infrastructure support for developing Java applications. › Spring Boot is based on the Spring Framework, providing auto-configuration features to your Spring applications and is designed to get you up and running as quickly as possible. › Spring Security provides comprehensive security services for Java EE- based software applications. There is a particular emphasis on supporting projects built using the Spring Framework. 4 Spring Security GfiBeLux | 04/09/2018 Spring Framework Spring Boot 2 Spring Security 5 Spring MVC Spring Data Etc...
What is Spring Security? › Spring Security is a framework that focuses on providing both authentication and authorization (or “access-control”) to Java web application and SOAP/RESTful web services › Spring Security currently supports integration with all of the following technologies: › HTTP basic access authentication › LDAP system › OpenID identity providers › JAAS API › CAS Server › ESB Platform › ..... › Your own authentication systems › It is built on top of Spring Framework 5 Spring Security GfiBeLux | 04/09/2018
Spring Security Fundamentals I › Principal › User that performs the action › Authentication › Confirming truth of credentials › Authorization › Define access policy for principal › GrantedAuthority › Application permission granted to a principal › SecurityContext › Hold the authentication and other security information › SecurityContextHolder › Provides access to SecurityContext 6 Spring Security GfiBeLux | 04/09/2018 › AuthenticationManager › Controller in the authentication process › AuthenticationProvider › Interface that maps to a data store which stores your user data. › Authentication Object › Object is created upon authentication, which holds the login credentials. › UserDetails › Data object which contains the user credentials, but also the Roles of the user. › UserDetailsService › Collects the user credentials, authorities(roles) and build an UserDetails object.
Front End Spring Security Common Workflow 7 Spring Security GfiBeLux | 04/09/2018 Controller in the process that it just delegates to a collection of AuthenticationProvider instances. Call an object that implements the UserDetailsService interface, which it looks up the user data and returns a UserDetails object. Will check that the password matches the password the user entered. Authentication object with the login credentials is created Back End Request Login Request REST API
Spring Security Architecture 8 Spring Security GfiBeLux | 04/09/2018 Spring security has a series/chain of filters (HTTP Basic, OAuth2, JWT) Authentication object
Spring Security Configuration › Step 1. Project structure › Step 2. Maven or Gradle dependencies › Step 3. Spring Security configuration › Web Security Authentication (@EnableWebSecurity) › In-Memory Authentication › JDBC Authentication › LDAP Authentication › UserDetailsService › AuthenticationProvider › REST API › OAuth 2.0 SSO Authentication › JSON Web Token (JWT) 9 Spring Security GfiBeLux | 04/09/2018 Users AuthorisationPermissions UserID AuthorisationID UserID username AuthorisationAuthorisationID ... domain Java module (Spring Data JPA) security Java module (Spring Security) business Java module (Spring Data REST) import Use BCrypt, as it’s usually the best solution available. {crypt} password WebSecurityConfigurerAdapter
Spring Security Configuration: Project structure 10 Spring Security GfiBeLux | 04/09/2018 › You can use start.spring.io to generate a basic project. › You can create the project web+spring security from IDE Database DependencyDependency Spring Security provides a variety of options for performing authentication. We are going to see the most frequently used.
Spring Security Configuration: Maven dependencies 11 Spring Security GfiBeLux | 04/09/2018 <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>5.0.7.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>5.0.7.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>5.0.7.RELEASE</version> </dependency> › pom.xml › Each release uses a standard triplet of integers: MAJOR.MINOR.PATCH › All GA releases (i.e. versions ending in .RELEASE) are deployed to Maven Central. › If you are using a SNAPSHOT version, you will need to have the Spring Snapshot repository: › If you are using a release candidate or milestone version: <repositories> <repository> <id>spring-snapshot</id> <name>Spring Snapshot Repository</name> <url>http://repo.spring.io/snapshot</url> </repository> </repositories> <repositories> <repository> <id>spring-milestone</id> <name>Spring Milestone Repository</name> <url>http://repo.spring.io/milestone</url> </repository> </repositories> You can get hold of Spring Security in several ways. You can also use Gradle and to set the build.gradle file.
Spring Security Configuration: @EnableWebSecurity and HttpSecurity 12 Spring Security GfiBeLux | 04/09/2018 @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/", "/index").permitAll() .anyRequest() .hasAnyRole("Consultant“, “Teamlead”, “Hr”) .and() .formLogin() .loginPage("/login").failureUrl("/login-error") .and() .exceptionHandling() .accessDeniedPage("/forbidden"); ... › Adding more configuration options: › Form Login › Authorize request › Handling logout, exception, custom filters... › You have to adapt it for your own application @RequestMapping("/") public String root() { return "redirect:/index"; } @RequestMapping("/index") public String index() { return "index"; } @RequestMapping("/user/index") public String userIndex() { return "user/index"; } @RequestMapping(value = "/login") public String login() { return "login"; } @RequestMapping(value = "/forbidden") public String forbidden() { return "forbidden"; }
Spring Security Configuration: In-Memory Authentication - AuthenticationManagerBuilder 13 Spring Security GfiBeLux | 04/09/2018 @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user").password("{noop}password") .roles("Consultant", "Teamlead", "Hr"); } ... › In-memory authentication is usually used in development phase › Configure the authentication method In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
Spring Security Configuration: JDBC Authentication - AuthenticationManagerBuilder 14 Spring Security GfiBeLux | 04/09/2018 @Override public void configure(AuthenticationManagerBuilder auth) throws Exception DataSource dataSource = new JpaConfiguration().dataSource(); auth .jdbcAuthentication() .dataSource(dataSource) .usersByUsernameQuery("select username, password, 'true' as enabled" + " from user where username=?") .authoritiesByUsernameQuery("select username, authorisation as authority from" + " authorisation a, permissions p, user u" + " where a.AuthorisationID=p.AuthorisationID and" + " u.UserID=p.UserID and username=?") .passwordEncoder(passwordEncoder()); ... With JDBC-based authentication the user’s authentication and authorization information are stored in the database. The standard JDBC implementation of the UserDetailsService requires tables to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user. You have to use the schema defined. It’s possible to use the default database scheme provided in spring security documentation or define the SQL query It’s defined in Domain module Create my encryption mechanisms In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
Spring Security Configuration: JDBC Authentication – PasswordEconderImpl 15 Spring Security GfiBeLux | 04/09/2018 Spring Security 5 recommends the use of BCrypt, a salt that helps prevent pre-computed dictionary attacks. Most of the other encryption mechanisms, such as the MD5PasswordEncoder and ShaPasswordEncoder use weaker algorithms and are now deprecated. @Service public class PasswordEncoderImpl implements PasswordEncoder { @Override public String encode(CharSequence rawPassword) { String hashed = BCrypt.hashpw(rawPassword.toString(), BCrypt.gensalt(12)); return hashed; } @Override public boolean matches(CharSequence rawPassword, String encodedPassword) { return BCrypt.checkpw(rawPassword.toString(), encodedPassword); } } Default value is 10
Spring Security Configuration: JDBC Authentication - Encrypted properties with Spring 16 Spring Security GfiBeLux | 04/09/2018 To automate this process, you can add the encryption key to your deployment infrastructure like Jenkins, Bamboo, etc. You must store encrypted credentials, so would NOT allow everybody with access to the repository to use these credentials. <properties> <database.host>localhost</database.host> <database.name>academy</database.name> <database.port>3306</database.port> <database.driver>com.mysql.jdbc.Driver</database.driver> <database.username>root</database.username> <database.password>{cipher}1a5f8bbf59c7290ec5b99fe91e05dd02d692cc07bb1d7bd931f7b4c27679a391 </database.password> <database.url>jdbc:mysql://${database.host}:${database.port}/${database.name}?useSSL=false</database.url> </properties> Database configuration both pom.xml and application.properties file # spring encrypt secret --key root I use Spring Boot CLI to encrypt it: 1a5f8bbf59c7290ec5b99fe91e05dd02d692cc07bb1d7bd931f7b4c27679a391 be.gfi.academy.password=${database.password} # set ENCRYPT_KEY=secret # mvn clean install –DskiptTests=true # cd security # mvn spring-boot:run You have to provide the key via the property encrypt.key or ENCRYPT_KEY variable environment Spring recommends to use BCrypt BCryptPasswordEncoder, a stronger hashing algorithm with randomly generated salt.
Spring Security Configuration: LDAP Authentication - AuthenticationManagerBuilder 17 Spring Security GfiBeLux | 04/09/2018 public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .ldapAuthentication() .userDnPatterns("uid={0},ou=people") .groupSearchBase("ou=groups") .contextSource() .url("ldap://localhost:389/dc=springframework,dc=org") .and() .passwordCompare() .passwordEncoder(passwordEncoder()) .passwordAttribute("userPassword"); } <dependency> <groupId>org.springframework.ldap</groupId> <artifactId>spring-ldap-core</artifactId> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-ldap</artifactId> </dependency> With LDAP-based authentication the user’s authentication and authorization information are stored in a directory LDAP. Use the configurations files, either application.properties or application.yml You must store encrypted credentials, so would NOT allow everybody with access to the repository to use these credentials. encrypted.property={cipher}71144...... To automate this process, you can add the encryption key to your deployment infrastructure like Jenkins, Bamboo and so on. In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
Spring Security Configuration: UserDetailsService I - AuthenticationManagerBuilder 18 Spring Security GfiBeLux | 04/09/2018 @Autowired private UserDetailsServiceImpl userDetailsService; @Autowired private PasswordEncoderImpl passwordEncoder; @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .authenticationProvider(userDetailsService); .passwordEncoder(passwordEncoder); } The standard scenario uses a simple UserDetailsService where I usually store the password in database and spring security framework performs a check on the password. What happens when you are using a different authentication system, and the password is not provided in your own database/data model? In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
Spring Security Configuration: UserDetailsService II - AuthenticationManagerBuilder 19 Spring Security GfiBeLux | 04/09/2018 @Service @Transactional public class UserDetailsServiceImpl implements UserDetailsService { @Autowired private IUserDao userDAO; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { UserVO user = userDAO.findByUsername(username); if (user == null) { throw new UsernameNotFoundException(username); } return new UserPrincipalImpl(user); } } This User Details Service only has access to the username in order to retrieve the full user entity – and in a large number of scenarios, this is enough. It’s defined in Domain module
Spring Security Configuration: UserPrincipal - AuthenticationManagerBuilder 20 Spring Security GfiBeLux | 04/09/2018 public class UserPrincipalImpl implements UserDetails { String ROLE_PREFIX = "ROLE_"; private UserVO user; public UserPrincipalImpl(UserVO user) { this.user = user; } @Override public String getPassword() { return user.getPassword(); } @Override public String getUsername() { return user.getUsername(); } @Override public Collection<GrantedAuthority> getAuthorities() { List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); List<AuthorisationVO> roles = user.getRoles(); for(AuthorisationVO item : roles) { grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+item.getAuthorisation())); } return grantedAuthorities; } ... ... } @RestController @RequestMapping("/api") public class TestService { @RequestMapping("/user-information") @ResponseBody public Principal information(Principal principal) { return principal; } } http://localhost:8080/api/user-information API Test In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
Spring Security Configuration: Authentication Provider I - AuthenticationManagerBuilder 21 Spring Security GfiBeLux | 04/09/2018 @Autowired private AuthenticationProviderImpl authProvider; @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .authenticationProvider(authProvider); } More custom scenarios will still need to access the full Authentication request to be able to perform the authentication process – for example when authenticating against some external, third party service (e.g. CAS/IS - Centralized Authentication System/Identity Server, so my system have no idea about the password) – both the username and the password from the authentication request will be necessary. For these more advanced scenarios we’ll need to define a custom Authentication Provider:
Spring Security Configuration: Authentication Provider II - AuthenticationManagerBuilder 22 Spring Security GfiBeLux | 04/09/2018 public class AuthenticationProviderImpl implements AuthenticationProvider { @Autowired private IUserDao userDAO; @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { String name = authentication.getName(); String password = authentication.getCredentials().toString(); UserVO user = userDAO.findByUsername(name); if (user == null) { throw new BadCredentialsException("Authentication failed for " + name); } List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); if (new PasswordEncoderImpl().matches(password, user.getPassword())) { List<AuthorisationVO> roles = user.getRoles(); for(AuthorisationVO item : roles) { grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+item.getAuthorisation())); } } ... Authentication against a third-party system like a database in our use case Use the credentials Must be “ROLE_”
Summary I. Introduction: Spring Framework vs. Spring Boot vs. Spring Security II. What is Spring Security? III. Spring Security Fundamentals I IV. Spring Security Workflow V. Spring Security Architecture VI. Spring Security Configuration VII. Spring Security Fundamentals II VIII. Spring Security with REST API or RESTful Web Services IX. Spring Security OAuth2 X. JSON Web Token (JWT) with REST API XI. Practice: Impl Security GfiBelux | 04/09/2018 Spring Security 23 In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider Session1Session2
Spring Security Fundamentals II › JWT (JSON Web Tokens) › It is just a token format. JWT tokens are JSON encoded data structures containing information about issuer, subject (claims), expiration time, etc. JWT is simpler than SAML 1.1/2.0, is supported by all devices and it is more powerful than SWT (Simple Web Token). See https://jwt.io/ › OAuth2 › OAuth2 is a framework that solves a problem when a user wants to access the data using a client software like browser-based web apps, native mobile apps or desktop apps. OAuth2 is just for authorization, client software can be authorized to access the resources on behalf of the end user by using an access token. › OpenID Connect › OpenID Connect builds on top of OAuth2 and adds authentication. OpenID Connect adds some constraints to OAuth2 like UserInfo Endpoint, ID Token, discovery and dynamic registration of OpenID Connect providers and session management. JWT is the mandatory format for the token. 24 Spring Security GfiBeLux | 04/09/2018
Spring Security with REST API Authorization with annotations on controller I 25 Spring Security GfiBeLux | 04/09/2018 @RestController @RequestMapping("/api") public class TestService { @Secured("ROLE_Consultant") @RequestMapping("/user-information") public Principal information(Principal principal) { return principal; } @PreAuthorize("hasRole('ROLE_Consultant') and hasRole('ROLE_Teamlead') and hasRole('ROLE_Hr')") @RequestMapping("/user-details") @ResponseBody public Object details(Authentication auth) { return auth.getDetails(); } @Secured("ROLE_Consultant") @RequestMapping("/thanks") @ResponseBody public String getThanks() { return "{"message":"Thanks!"}"; } } API with access control Frontend (Node) Browser/APP Backend (Spring Boot) API RESTfull HTTPS Basic Authentication
Spring Security with REST API Authorization with annotations on controller II 26 Spring Security GfiBeLux | 04/09/2018 By default, the BasicAuthenticationEntryPoint provisioned by Spring Security returns a full page for a 401 Unauthorized response back to the client. This HTML representation of the error renders well in a browser, but it not well suited for other scenarios, such as a REST API where a json representation may be preferred. Traditional form based authentication Cookie/Session Based Authentication (stateful) Use the Postman tool or the curl command testing your API Rest Basic Authentication with REST API (stateless). Very basic mechanism. Should be used only in HTTPS environmen Even if it is base64 encoded, it can be easily decoded
Spring Security with REST API Authorization with annotations on controller III 27 Security GfiBeLux | 04/09/2018 public class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint { @Override public void commence (HttpServletRequest request, HttpServletResponse response, AuthenticationException authEx throws IOException { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setHeader("WWW-Authenticate", "Basic realm=" + getRealmName()); response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE); PrintWriter writer = response.getWriter(); writer.println("HTTP Status 401 : " + authEx.getMessage()); } @Override public void afterPropertiesSet() throws Exception { setRealmName(SecurityConfig.REALM_NAME); super.afterPropertiesSet(); } } http .authorizeRequests().anyRequest().authenticated() .and() .httpBasic() .authenticationEntryPoint(authenticationEntryPoint); Implementation of a custom BasicAuthenticationEntryPoint
Spring Security OAuth2 Single Sign-On 28 Spring Security GfiBeLux | 04/09/2018 Copying the client-id and client-secret to application.properties or application.yml Setting the redirect URI To begin, obtain OAuth 2.0 client credentials from the Google API Console. Google's OAuth 2.0 APIs can be used for both authentication and authorization, which conforms to the OpenID Connect specification.
Spring Security OAuth2 Single Sign-On 29 Spring Security GfiBeLux | 04/09/2018 spring.security.oauth2.client.registration.google.client-id=277735095424...... spring.security.oauth2.client.registration.google.client-secret=XGksESFC01e58..... <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-oauth2-client</artifactId> <version>${spring-security-version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-oauth2-jose</artifactId> <version>${spring-security-version}</version> </dependency> @Override protected void configure(HttpSecurity http) { http .authorizeRequests() .antMatchers("/", "/index") .permitAll() .antMatchers("/user/**") .authenticated() .and() .oauth2Login() .loginPage("/login"); Use the Google's OAuth 2.0 endpoints to authorize access to Google APIs. <a href="/oauth2/authorization/google">Google account</a> Frontend (Node) Browser/APP Backend I Call Google API Token Call Backend API <token> Check token response Backend II ... SSO Application.properties file
JSON Web Token (JWT) with REST API 30 Spring Security GfiBeLux | 04/09/2018 Step 1: Request /api/login and get the JWT Step 2: Request API REST with JWT (token)
JSON Web Token (JWT) with REST API Configuration 31 Spring Security GfiBeLux | 04/09/2018 @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers(HttpMethod.POST,"/api/login") .permitAll() .anyRequest() .authenticated() .and() // We filter the api/login requests .addFilterBefore(new JWTLoginFilter("/api/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class) // And filter other requests to check the presence of JWT in header .addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class); <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.9.0</version> </dependency>
JSON Web Token (JWT) with REST API JWTLoginFilter 32 Spring Security GfiBeLux | 04/09/2018 public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter{ private TokenAuthenticationService tokenAuthenticationService; public JWTLoginFilter(String url, AuthenticationManager authenticationManager) { super(new AntPathRequestMatcher(url)); setAuthenticationManager(authenticationManager); tokenAuthenticationService = new TokenAuthenticationService(); } @Override public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException { AccountCredentials credentials = new ObjectMapper().readValue(httpServletRequest.getInputStream(),AccountCredentials.class); UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(credentials.getUsername(), credentials.getPassword()); return getAuthenticationManager().authenticate(token); } @Override protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication) throws IOException, ServletException{ String name = authentication.getName(); tokenAuthenticationService.addAuthentication(response,name); } }
JSON Web Token (JWT) with REST API TokenAuthenticationService 33 Spring Security GfiBeLux | 04/09/2018 public class TokenAuthenticationService { private long EXPIRATIONTIME = 1000 * 60 * 60 * 24 * 10; // 10 days private String secret = "secret"; // Must be an environment variable into OS private String tokenPrefix = ""; // "Bearer " private String headerString = "Authorization"; public void addAuthentication(HttpServletResponse response, String username) { String JWT = Jwts.builder() .setSubject(username) .setExpiration(new Date(System.currentTimeMillis() + EXPIRATIONTIME)) .signWith(SignatureAlgorithm.HS512, secret).compact(); response.addHeader(headerString,tokenPrefix + JWT); } public Authentication getAuthentication(HttpServletRequest request) { String token = request.getHeader(headerString); if(token != null) { String username = Jwts.parser() .setSigningKey(secret) .parseClaimsJws(token) .getBody() .getSubject(); if(username != null) // we managed to retrieve a user { return new AuthenticatedUserImpl(username); } } return null; } }
JSON Web Token (JWT) with REST API AuthenticatedUserImpl 34 Spring Security GfiBeLux | 04/09/2018 public class AuthenticatedUserImpl implements Authentication { String ROLE_PREFIX = "ROLE_"; private boolean authenticated = true; private String name; @Autowired private IUserDao userDAO; AuthenticatedUserImpl(String name){ this.name = name; } @Override public Collection<GrantedAuthority> getAuthorities() { List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); UserVO user = userDAO.findByUsername(name); List<AuthorisationVO> roles = user.getRoles(); for(AuthorisationVO item : roles) { grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+item.getAuthorisation())); } grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+"Consultant")); return grantedAuthorities; } .... ....
JSON Web Token (JWT) with REST API JWTLoginFilter and AccountCredentials 35 Spring Security GfiBeLux | 04/09/2018 public class JWTAuthenticationFilter extends GenericFilterBean{ @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { Authentication authentication = new TokenAuthenticationService().getAuthentication((HttpServletRequest)request); SecurityContextHolder.getContext().setAuthentication(authentication); filterChain.doFilter(request,response); } } public class AccountCredentials { private String username; private String password; String getUsername() { return username; } String getPassword() { return password; } public void setUsername(String _username) { this.username = _username; } public void setPassword(String _password) { this.password = _password; } }
FRANCE | SPAIN | PORTUGAL | BELGIUM | SWITSERLAND | LUXEMBURG | UNITED KINGDOM | POLAND | ROMANIA | MOROCCO | IVORY COAST| ANGOLA | USA | MEXICO | COLOMBIA | BRASIL gfi.be - gfi.lu - gfi.world Jesus.perez.franco@gfi.be https://www.linkedin.com/in/jpefranco/ Jesus Perez Franco Application Architect Digital Business Gfi Registered office Square de Meeûs 28/40 – 1000 Brussels Tel: +32(0)16381111 Fax: +32(0)16381100 info@gfi.be

More Related Content

PDF
Spring Framework - Spring Security
byDzmitry Naskou
 
PDF
Spring Data JPA
byKnoldus Inc.
 
PDF
Spring Security
byKnoldus Inc.
 
PPTX
Spring data jpa
byJeevesh Pandey
 
PDF
OAuth2 and Spring Security
byOrest Ivasiv
 
PDF
Spring Data JPA
byCheng Ta Yeh
 
PPTX
Spring Boot
byJiayun Zhou
 
PDF
Getting started with Spring Security
byKnoldus Inc.
 
Spring Framework - Spring Security
byDzmitry Naskou
 
Spring Data JPA
byKnoldus Inc.
 
Spring Security
byKnoldus Inc.
 
Spring data jpa
byJeevesh Pandey
 
OAuth2 and Spring Security
byOrest Ivasiv
 
Spring Data JPA
byCheng Ta Yeh
 
Spring Boot
byJiayun Zhou
 
Getting started with Spring Security
byKnoldus Inc.
 

What's hot

PDF
Microservice With Spring Boot and Spring Cloud
byEberhard Wolff
 
PDF
Swagger
byNexThoughts Technologies
 
PPTX
Rest API Security
byStormpath
 
PDF
Introduction to Spring Cloud
byVMware Tanzu
 
PPTX
Spring Security
byBoy Tech
 
PDF
REST APIs with Spring
byJoshua Long
 
PDF
Introduction to JWT and How to integrate with Spring Security
byBruno Henrique Rother
 
PPTX
User Management Life Cycle with Keycloak
byMuhammad Edwin
 
PPTX
Hashicorp Vault ppt
byShrey Agarwal
 
PPT
Java Persistence API (JPA) Step By Step
byGuo Albert
 
PDF
Microservices with Java, Spring Boot and Spring Cloud
byEberhard Wolff
 
PDF
Spring Framework - AOP
byDzmitry Naskou
 
PDF
Introduction to SAML 2.0
byMika Koivisto
 
PPTX
Secure your app with keycloak
byGuy Marom
 
PPTX
Introduction to Spring Boot
byPurbarun Chakrabarti
 
PDF
Spring Framework - Core
byDzmitry Naskou
 
PPTX
Getting Started with API Security Testing
bySmartBear
 
PPT
Maven Introduction
bySandeep Chawla
 
PDF
OAuth 2.0
byUwe Friedrichsen
 
PPTX
Spring security
bySaurabh Sharma
 
Microservice With Spring Boot and Spring Cloud
byEberhard Wolff
 
Swagger
byNexThoughts Technologies
 
Rest API Security
byStormpath
 
Introduction to Spring Cloud
byVMware Tanzu
 
Spring Security
byBoy Tech
 
REST APIs with Spring
byJoshua Long
 
Introduction to JWT and How to integrate with Spring Security
byBruno Henrique Rother
 
User Management Life Cycle with Keycloak
byMuhammad Edwin
 
Hashicorp Vault ppt
byShrey Agarwal
 
Java Persistence API (JPA) Step By Step
byGuo Albert
 
Microservices with Java, Spring Boot and Spring Cloud
byEberhard Wolff
 
Spring Framework - AOP
byDzmitry Naskou
 
Introduction to SAML 2.0
byMika Koivisto
 
Secure your app with keycloak
byGuy Marom
 
Introduction to Spring Boot
byPurbarun Chakrabarti
 
Spring Framework - Core
byDzmitry Naskou
 
Getting Started with API Security Testing
bySmartBear
 
Maven Introduction
bySandeep Chawla
 
OAuth 2.0
byUwe Friedrichsen
 
Spring security
bySaurabh Sharma
 

Similar to Spring Security 5

PDF
Spring security jwt tutorial toptal
byjbsysatm
 
PDF
Spring Security in Action 1st Edition Laurentiu Spilca Spilcă Laurenţiu
byticeyfedorvt
 
PDF
Spring security4.x
byZeeshan Khan
 
PPTX
Spring Security Framework
byJayasree Perilakkalam
 
PPTX
springb security.pptxdsdsgfdsgsdgsdgsdgdsgdsgds
byzmulani8
 
PDF
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
PPTX
Comprehensive_SpringBoot_Auth.pptx wokring
byJayaPrakash579769
 
PPTX
Spring Security services for web applications
byStephenKoc1
 
PDF
Javacro 2014 Spring Security 3 Speech
byFernando Redondo Ramírez
 
PPTX
Building Layers of Defense with Spring Security
byJoris Kuipers
 
PPT
Spring Security Introduction
byMindfire Solutions
 
PDF
Spring Security in Action 1st Edition Laurentiu Spilca
byqbjpyqyprq1924
 
PDF
Spring4 security
bySang Shin
 
PDF
Building layers of defense for your application
byVMware Tanzu
 
PDF
Spring Security
bySumit Gole
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
PPTX
Spring Security: Deep dive into basics. Ihor Polataiko.pptx
byIhor Polataiko
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
PDF
Spring5 hibernate5 security5 lab step by step
byRajiv Gupta
 
PPTX
Spring Security
byManish Sharma
 
Spring security jwt tutorial toptal
byjbsysatm
 
Spring Security in Action 1st Edition Laurentiu Spilca Spilcă Laurenţiu
byticeyfedorvt
 
Spring security4.x
byZeeshan Khan
 
Spring Security Framework
byJayasree Perilakkalam
 
springb security.pptxdsdsgfdsgsdgsdgsdgdsgdsgds
byzmulani8
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Comprehensive_SpringBoot_Auth.pptx wokring
byJayaPrakash579769
 
Spring Security services for web applications
byStephenKoc1
 
Javacro 2014 Spring Security 3 Speech
byFernando Redondo Ramírez
 
Building Layers of Defense with Spring Security
byJoris Kuipers
 
Spring Security Introduction
byMindfire Solutions
 
Spring Security in Action 1st Edition Laurentiu Spilca
byqbjpyqyprq1924
 
Spring4 security
bySang Shin
 
Building layers of defense for your application
byVMware Tanzu
 
Spring Security
bySumit Gole
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
Spring Security: Deep dive into basics. Ihor Polataiko.pptx
byIhor Polataiko
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
Spring5 hibernate5 security5 lab step by step
byRajiv Gupta
 
Spring Security
byManish Sharma
 

Recently uploaded

PPTX
bussiness communication[1].pptx work and stress
bykshenal497
 
PDF
OSMC 2025: Onotify: A scalable, flexible Alertmanager by Colin Douch.pdf
byNETWAYS
 
PDF
SIHMA Scalabrini Institute for Human Mobility in Africa(SIHMA) - Annual Repor...
byScalabrini Institute for Human Mobility in Africa
 
PPTX
tongue and its prosthodontic considerations
byFebaMariya2
 
PDF
92.9 Best Places to Buy Verified Facebook Accounts in ....pdf
byo9hr3zizwi3t6b6tsgn
 
PDF
OSMC 2025: Monitoring a small world by Mattias Schlenker.pdf
byNETWAYS
 
PDF
King Khaled university .. Presentation .
by446816119
 
PPTX
Sample Equity research report for Lafarge.pptx
bysamuelkingsofficial2
 
PPTX
Latest Cyber Security Trends and updates in 2025
byfathimarasla02
 
PPTX
2025-11-23 Moses 08 (shared slides).pptx
byDale Wells
 
PDF
DevFest Baku 2025 Speaker Presentations ( Software, AI, Workshop tracks)
bynigarasadova555
 
PPTX
All types of topology presentation .pptx
byshethayesha133
 
PPTX
History_of_Punjab_by_Arshdeep_Singh (1).pptx
bydeeppc8900
 
DOCX
Capacity Building ,Personal Effectiveness and Service Excellence
byiss360degree
 
PPTX
Media Pitch = The Western Standard.pptx
by27golchikborges
 
PDF
ACE Aarhus: Team '25 Europe Recap and latest news
byDanielEriksen5
 
PPTX
HK_TEMPLATE12211212121112112567890976.pptx
bymimiii22022022
 
PPTX
Group-6-presentation-Philippine-Politics-and-Governance-Vico-Sotto.pptx
bylhoidardhensalamanca
 
PDF
BUY Verified Binance Accounts for Trading Bitcoin and ....pdf
bymarketing
 
PDF
OSMC 2025: Using NetBox DNS by Jan-Piet Mens.pdf
byNETWAYS
 
bussiness communication[1].pptx work and stress
bykshenal497
 
OSMC 2025: Onotify: A scalable, flexible Alertmanager by Colin Douch.pdf
byNETWAYS
 
SIHMA Scalabrini Institute for Human Mobility in Africa(SIHMA) - Annual Repor...
byScalabrini Institute for Human Mobility in Africa
 
tongue and its prosthodontic considerations
byFebaMariya2
 
92.9 Best Places to Buy Verified Facebook Accounts in ....pdf
byo9hr3zizwi3t6b6tsgn
 
OSMC 2025: Monitoring a small world by Mattias Schlenker.pdf
byNETWAYS
 
King Khaled university .. Presentation .
by446816119
 
Sample Equity research report for Lafarge.pptx
bysamuelkingsofficial2
 
Latest Cyber Security Trends and updates in 2025
byfathimarasla02
 
2025-11-23 Moses 08 (shared slides).pptx
byDale Wells
 
DevFest Baku 2025 Speaker Presentations ( Software, AI, Workshop tracks)
bynigarasadova555
 
All types of topology presentation .pptx
byshethayesha133
 
History_of_Punjab_by_Arshdeep_Singh (1).pptx
bydeeppc8900
 
Capacity Building ,Personal Effectiveness and Service Excellence
byiss360degree
 
Media Pitch = The Western Standard.pptx
by27golchikborges
 
ACE Aarhus: Team '25 Europe Recap and latest news
byDanielEriksen5
 
HK_TEMPLATE12211212121112112567890976.pptx
bymimiii22022022
 
Group-6-presentation-Philippine-Politics-and-Governance-Vico-Sotto.pptx
bylhoidardhensalamanca
 
BUY Verified Binance Accounts for Trading Bitcoin and ....pdf
bymarketing
 
OSMC 2025: Using NetBox DNS by Jan-Piet Mens.pdf
byNETWAYS
 

Spring Security 5

  • 1.
    gfi.be - gfi.lu- gfi.world Spring Security 5 Implementing Spring Security 5 in an existing Spring Boot 2 application GfiBelux | 04/09/2018
  • 2.
    Who am I? ApplicationArchitect › Agile DevOps Enthusiast › I have been an all-purpose Software Engineer for over 17 years' experience. › I worked at Gfi Spain for 12 years › I arrived in GfiBelux in January 2018 › I’m currently working for Toyota Motors Europe in the CAST Team 2 Besides work… › Enjoying a lot with my family › Two children  › Doing sport › Running, Fitness, Footboll... › Planting vegetables › Ecological Orchard › Drinking Belgium beer › With colleagues better ;) Jesus Perez Franco https://www.linkedin.com/in/jpefranco/
  • 3.
    Summary I. Introduction: SpringFramework vs. Spring Boot vs. Spring Security II. What is Spring Security? III. Spring Security Fundamentals I IV. Spring Security Workflow V. Spring Security Architecture VI. Spring Security Configuration VII. Spring Security Fundamentals II VIII. Spring Security with REST API or RESTful Web Services IX. Spring Security OAuth2 X. JSON Web Token (JWT) with REST API XI. Practice: Impl Security GfiBelux | 04/09/2018 Spring Security 3 In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider Session1Session2
  • 4.
    Introduction: Spring Framework vs.Spring Boot vs. Spring Security › Spring Framework is a Java platform that provides comprehensive infrastructure support for developing Java applications. › Spring Boot is based on the Spring Framework, providing auto-configuration features to your Spring applications and is designed to get you up and running as quickly as possible. › Spring Security provides comprehensive security services for Java EE- based software applications. There is a particular emphasis on supporting projects built using the Spring Framework. 4 Spring Security GfiBeLux | 04/09/2018 Spring Framework Spring Boot 2 Spring Security 5 Spring MVC Spring Data Etc...
  • 5.
    What is SpringSecurity? › Spring Security is a framework that focuses on providing both authentication and authorization (or “access-control”) to Java web application and SOAP/RESTful web services › Spring Security currently supports integration with all of the following technologies: › HTTP basic access authentication › LDAP system › OpenID identity providers › JAAS API › CAS Server › ESB Platform › ..... › Your own authentication systems › It is built on top of Spring Framework 5 Spring Security GfiBeLux | 04/09/2018
  • 6.
    Spring Security FundamentalsI › Principal › User that performs the action › Authentication › Confirming truth of credentials › Authorization › Define access policy for principal › GrantedAuthority › Application permission granted to a principal › SecurityContext › Hold the authentication and other security information › SecurityContextHolder › Provides access to SecurityContext 6 Spring Security GfiBeLux | 04/09/2018 › AuthenticationManager › Controller in the authentication process › AuthenticationProvider › Interface that maps to a data store which stores your user data. › Authentication Object › Object is created upon authentication, which holds the login credentials. › UserDetails › Data object which contains the user credentials, but also the Roles of the user. › UserDetailsService › Collects the user credentials, authorities(roles) and build an UserDetails object.
  • 7.
    Front End Spring Security CommonWorkflow 7 Spring Security GfiBeLux | 04/09/2018 Controller in the process that it just delegates to a collection of AuthenticationProvider instances. Call an object that implements the UserDetailsService interface, which it looks up the user data and returns a UserDetails object. Will check that the password matches the password the user entered. Authentication object with the login credentials is created Back End Request Login Request REST API
  • 8.
    Spring Security Architecture 8 SpringSecurity GfiBeLux | 04/09/2018 Spring security has a series/chain of filters (HTTP Basic, OAuth2, JWT) Authentication object
  • 9.
    Spring Security Configuration ›Step 1. Project structure › Step 2. Maven or Gradle dependencies › Step 3. Spring Security configuration › Web Security Authentication (@EnableWebSecurity) › In-Memory Authentication › JDBC Authentication › LDAP Authentication › UserDetailsService › AuthenticationProvider › REST API › OAuth 2.0 SSO Authentication › JSON Web Token (JWT) 9 Spring Security GfiBeLux | 04/09/2018 Users AuthorisationPermissions UserID AuthorisationID UserID username AuthorisationAuthorisationID ... domain Java module (Spring Data JPA) security Java module (Spring Security) business Java module (Spring Data REST) import Use BCrypt, as it’s usually the best solution available. {crypt} password WebSecurityConfigurerAdapter
  • 10.
    Spring Security Configuration: Projectstructure 10 Spring Security GfiBeLux | 04/09/2018 › You can use start.spring.io to generate a basic project. › You can create the project web+spring security from IDE Database DependencyDependency Spring Security provides a variety of options for performing authentication. We are going to see the most frequently used.
  • 11.
    Spring Security Configuration: Mavendependencies 11 Spring Security GfiBeLux | 04/09/2018 <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>5.0.7.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>5.0.7.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>5.0.7.RELEASE</version> </dependency> › pom.xml › Each release uses a standard triplet of integers: MAJOR.MINOR.PATCH › All GA releases (i.e. versions ending in .RELEASE) are deployed to Maven Central. › If you are using a SNAPSHOT version, you will need to have the Spring Snapshot repository: › If you are using a release candidate or milestone version: <repositories> <repository> <id>spring-snapshot</id> <name>Spring Snapshot Repository</name> <url>http://repo.spring.io/snapshot</url> </repository> </repositories> <repositories> <repository> <id>spring-milestone</id> <name>Spring Milestone Repository</name> <url>http://repo.spring.io/milestone</url> </repository> </repositories> You can get hold of Spring Security in several ways. You can also use Gradle and to set the build.gradle file.
  • 12.
    Spring Security Configuration: @EnableWebSecurityand HttpSecurity 12 Spring Security GfiBeLux | 04/09/2018 @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/", "/index").permitAll() .anyRequest() .hasAnyRole("Consultant“, “Teamlead”, “Hr”) .and() .formLogin() .loginPage("/login").failureUrl("/login-error") .and() .exceptionHandling() .accessDeniedPage("/forbidden"); ... › Adding more configuration options: › Form Login › Authorize request › Handling logout, exception, custom filters... › You have to adapt it for your own application @RequestMapping("/") public String root() { return "redirect:/index"; } @RequestMapping("/index") public String index() { return "index"; } @RequestMapping("/user/index") public String userIndex() { return "user/index"; } @RequestMapping(value = "/login") public String login() { return "login"; } @RequestMapping(value = "/forbidden") public String forbidden() { return "forbidden"; }
  • 13.
    Spring Security Configuration: In-MemoryAuthentication - AuthenticationManagerBuilder 13 Spring Security GfiBeLux | 04/09/2018 @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user").password("{noop}password") .roles("Consultant", "Teamlead", "Hr"); } ... › In-memory authentication is usually used in development phase › Configure the authentication method In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
  • 14.
    Spring Security Configuration: JDBCAuthentication - AuthenticationManagerBuilder 14 Spring Security GfiBeLux | 04/09/2018 @Override public void configure(AuthenticationManagerBuilder auth) throws Exception DataSource dataSource = new JpaConfiguration().dataSource(); auth .jdbcAuthentication() .dataSource(dataSource) .usersByUsernameQuery("select username, password, 'true' as enabled" + " from user where username=?") .authoritiesByUsernameQuery("select username, authorisation as authority from" + " authorisation a, permissions p, user u" + " where a.AuthorisationID=p.AuthorisationID and" + " u.UserID=p.UserID and username=?") .passwordEncoder(passwordEncoder()); ... With JDBC-based authentication the user’s authentication and authorization information are stored in the database. The standard JDBC implementation of the UserDetailsService requires tables to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user. You have to use the schema defined. It’s possible to use the default database scheme provided in spring security documentation or define the SQL query It’s defined in Domain module Create my encryption mechanisms In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
  • 15.
    Spring Security Configuration: JDBCAuthentication – PasswordEconderImpl 15 Spring Security GfiBeLux | 04/09/2018 Spring Security 5 recommends the use of BCrypt, a salt that helps prevent pre-computed dictionary attacks. Most of the other encryption mechanisms, such as the MD5PasswordEncoder and ShaPasswordEncoder use weaker algorithms and are now deprecated. @Service public class PasswordEncoderImpl implements PasswordEncoder { @Override public String encode(CharSequence rawPassword) { String hashed = BCrypt.hashpw(rawPassword.toString(), BCrypt.gensalt(12)); return hashed; } @Override public boolean matches(CharSequence rawPassword, String encodedPassword) { return BCrypt.checkpw(rawPassword.toString(), encodedPassword); } } Default value is 10
  • 16.
    Spring Security Configuration: JDBCAuthentication - Encrypted properties with Spring 16 Spring Security GfiBeLux | 04/09/2018 To automate this process, you can add the encryption key to your deployment infrastructure like Jenkins, Bamboo, etc. You must store encrypted credentials, so would NOT allow everybody with access to the repository to use these credentials. <properties> <database.host>localhost</database.host> <database.name>academy</database.name> <database.port>3306</database.port> <database.driver>com.mysql.jdbc.Driver</database.driver> <database.username>root</database.username> <database.password>{cipher}1a5f8bbf59c7290ec5b99fe91e05dd02d692cc07bb1d7bd931f7b4c27679a391 </database.password> <database.url>jdbc:mysql://${database.host}:${database.port}/${database.name}?useSSL=false</database.url> </properties> Database configuration both pom.xml and application.properties file # spring encrypt secret --key root I use Spring Boot CLI to encrypt it: 1a5f8bbf59c7290ec5b99fe91e05dd02d692cc07bb1d7bd931f7b4c27679a391 be.gfi.academy.password=${database.password} # set ENCRYPT_KEY=secret # mvn clean install –DskiptTests=true # cd security # mvn spring-boot:run You have to provide the key via the property encrypt.key or ENCRYPT_KEY variable environment Spring recommends to use BCrypt BCryptPasswordEncoder, a stronger hashing algorithm with randomly generated salt.
  • 17.
    Spring Security Configuration: LDAPAuthentication - AuthenticationManagerBuilder 17 Spring Security GfiBeLux | 04/09/2018 public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .ldapAuthentication() .userDnPatterns("uid={0},ou=people") .groupSearchBase("ou=groups") .contextSource() .url("ldap://localhost:389/dc=springframework,dc=org") .and() .passwordCompare() .passwordEncoder(passwordEncoder()) .passwordAttribute("userPassword"); } <dependency> <groupId>org.springframework.ldap</groupId> <artifactId>spring-ldap-core</artifactId> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-ldap</artifactId> </dependency> With LDAP-based authentication the user’s authentication and authorization information are stored in a directory LDAP. Use the configurations files, either application.properties or application.yml You must store encrypted credentials, so would NOT allow everybody with access to the repository to use these credentials. encrypted.property={cipher}71144...... To automate this process, you can add the encryption key to your deployment infrastructure like Jenkins, Bamboo and so on. In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
  • 18.
    Spring Security Configuration: UserDetailsServiceI - AuthenticationManagerBuilder 18 Spring Security GfiBeLux | 04/09/2018 @Autowired private UserDetailsServiceImpl userDetailsService; @Autowired private PasswordEncoderImpl passwordEncoder; @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .authenticationProvider(userDetailsService); .passwordEncoder(passwordEncoder); } The standard scenario uses a simple UserDetailsService where I usually store the password in database and spring security framework performs a check on the password. What happens when you are using a different authentication system, and the password is not provided in your own database/data model? In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
  • 19.
    Spring Security Configuration: UserDetailsServiceII - AuthenticationManagerBuilder 19 Spring Security GfiBeLux | 04/09/2018 @Service @Transactional public class UserDetailsServiceImpl implements UserDetailsService { @Autowired private IUserDao userDAO; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { UserVO user = userDAO.findByUsername(username); if (user == null) { throw new UsernameNotFoundException(username); } return new UserPrincipalImpl(user); } } This User Details Service only has access to the username in order to retrieve the full user entity – and in a large number of scenarios, this is enough. It’s defined in Domain module
  • 20.
    Spring Security Configuration: UserPrincipal- AuthenticationManagerBuilder 20 Spring Security GfiBeLux | 04/09/2018 public class UserPrincipalImpl implements UserDetails { String ROLE_PREFIX = "ROLE_"; private UserVO user; public UserPrincipalImpl(UserVO user) { this.user = user; } @Override public String getPassword() { return user.getPassword(); } @Override public String getUsername() { return user.getUsername(); } @Override public Collection<GrantedAuthority> getAuthorities() { List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); List<AuthorisationVO> roles = user.getRoles(); for(AuthorisationVO item : roles) { grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+item.getAuthorisation())); } return grantedAuthorities; } ... ... } @RestController @RequestMapping("/api") public class TestService { @RequestMapping("/user-information") @ResponseBody public Principal information(Principal principal) { return principal; } } http://localhost:8080/api/user-information API Test In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider
  • 21.
    Spring Security Configuration: AuthenticationProvider I - AuthenticationManagerBuilder 21 Spring Security GfiBeLux | 04/09/2018 @Autowired private AuthenticationProviderImpl authProvider; @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth .authenticationProvider(authProvider); } More custom scenarios will still need to access the full Authentication request to be able to perform the authentication process – for example when authenticating against some external, third party service (e.g. CAS/IS - Centralized Authentication System/Identity Server, so my system have no idea about the password) – both the username and the password from the authentication request will be necessary. For these more advanced scenarios we’ll need to define a custom Authentication Provider:
  • 22.
    Spring Security Configuration: AuthenticationProvider II - AuthenticationManagerBuilder 22 Spring Security GfiBeLux | 04/09/2018 public class AuthenticationProviderImpl implements AuthenticationProvider { @Autowired private IUserDao userDAO; @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { String name = authentication.getName(); String password = authentication.getCredentials().toString(); UserVO user = userDAO.findByUsername(name); if (user == null) { throw new BadCredentialsException("Authentication failed for " + name); } List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); if (new PasswordEncoderImpl().matches(password, user.getPassword())) { List<AuthorisationVO> roles = user.getRoles(); for(AuthorisationVO item : roles) { grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+item.getAuthorisation())); } } ... Authentication against a third-party system like a database in our use case Use the credentials Must be “ROLE_”
  • 23.
    Summary I. Introduction: SpringFramework vs. Spring Boot vs. Spring Security II. What is Spring Security? III. Spring Security Fundamentals I IV. Spring Security Workflow V. Spring Security Architecture VI. Spring Security Configuration VII. Spring Security Fundamentals II VIII. Spring Security with REST API or RESTful Web Services IX. Spring Security OAuth2 X. JSON Web Token (JWT) with REST API XI. Practice: Impl Security GfiBelux | 04/09/2018 Spring Security 23 In-Memory Authentication JDBC Authentication LDAP Authentication UserDetailsService AuthenticationProvider Session1Session2
  • 24.
    Spring Security FundamentalsII › JWT (JSON Web Tokens) › It is just a token format. JWT tokens are JSON encoded data structures containing information about issuer, subject (claims), expiration time, etc. JWT is simpler than SAML 1.1/2.0, is supported by all devices and it is more powerful than SWT (Simple Web Token). See https://jwt.io/ › OAuth2 › OAuth2 is a framework that solves a problem when a user wants to access the data using a client software like browser-based web apps, native mobile apps or desktop apps. OAuth2 is just for authorization, client software can be authorized to access the resources on behalf of the end user by using an access token. › OpenID Connect › OpenID Connect builds on top of OAuth2 and adds authentication. OpenID Connect adds some constraints to OAuth2 like UserInfo Endpoint, ID Token, discovery and dynamic registration of OpenID Connect providers and session management. JWT is the mandatory format for the token. 24 Spring Security GfiBeLux | 04/09/2018
  • 25.
    Spring Security withREST API Authorization with annotations on controller I 25 Spring Security GfiBeLux | 04/09/2018 @RestController @RequestMapping("/api") public class TestService { @Secured("ROLE_Consultant") @RequestMapping("/user-information") public Principal information(Principal principal) { return principal; } @PreAuthorize("hasRole('ROLE_Consultant') and hasRole('ROLE_Teamlead') and hasRole('ROLE_Hr')") @RequestMapping("/user-details") @ResponseBody public Object details(Authentication auth) { return auth.getDetails(); } @Secured("ROLE_Consultant") @RequestMapping("/thanks") @ResponseBody public String getThanks() { return "{"message":"Thanks!"}"; } } API with access control Frontend (Node) Browser/APP Backend (Spring Boot) API RESTfull HTTPS Basic Authentication
  • 26.
    Spring Security withREST API Authorization with annotations on controller II 26 Spring Security GfiBeLux | 04/09/2018 By default, the BasicAuthenticationEntryPoint provisioned by Spring Security returns a full page for a 401 Unauthorized response back to the client. This HTML representation of the error renders well in a browser, but it not well suited for other scenarios, such as a REST API where a json representation may be preferred. Traditional form based authentication Cookie/Session Based Authentication (stateful) Use the Postman tool or the curl command testing your API Rest Basic Authentication with REST API (stateless). Very basic mechanism. Should be used only in HTTPS environmen Even if it is base64 encoded, it can be easily decoded
  • 27.
    Spring Security withREST API Authorization with annotations on controller III 27 Security GfiBeLux | 04/09/2018 public class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint { @Override public void commence (HttpServletRequest request, HttpServletResponse response, AuthenticationException authEx throws IOException { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setHeader("WWW-Authenticate", "Basic realm=" + getRealmName()); response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE); PrintWriter writer = response.getWriter(); writer.println("HTTP Status 401 : " + authEx.getMessage()); } @Override public void afterPropertiesSet() throws Exception { setRealmName(SecurityConfig.REALM_NAME); super.afterPropertiesSet(); } } http .authorizeRequests().anyRequest().authenticated() .and() .httpBasic() .authenticationEntryPoint(authenticationEntryPoint); Implementation of a custom BasicAuthenticationEntryPoint
  • 28.
    Spring Security OAuth2 SingleSign-On 28 Spring Security GfiBeLux | 04/09/2018 Copying the client-id and client-secret to application.properties or application.yml Setting the redirect URI To begin, obtain OAuth 2.0 client credentials from the Google API Console. Google's OAuth 2.0 APIs can be used for both authentication and authorization, which conforms to the OpenID Connect specification.
  • 29.
    Spring Security OAuth2 SingleSign-On 29 Spring Security GfiBeLux | 04/09/2018 spring.security.oauth2.client.registration.google.client-id=277735095424...... spring.security.oauth2.client.registration.google.client-secret=XGksESFC01e58..... <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-oauth2-client</artifactId> <version>${spring-security-version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-oauth2-jose</artifactId> <version>${spring-security-version}</version> </dependency> @Override protected void configure(HttpSecurity http) { http .authorizeRequests() .antMatchers("/", "/index") .permitAll() .antMatchers("/user/**") .authenticated() .and() .oauth2Login() .loginPage("/login"); Use the Google's OAuth 2.0 endpoints to authorize access to Google APIs. <a href="/oauth2/authorization/google">Google account</a> Frontend (Node) Browser/APP Backend I Call Google API Token Call Backend API <token> Check token response Backend II ... SSO Application.properties file
  • 30.
    JSON Web Token(JWT) with REST API 30 Spring Security GfiBeLux | 04/09/2018 Step 1: Request /api/login and get the JWT Step 2: Request API REST with JWT (token)
  • 31.
    JSON Web Token(JWT) with REST API Configuration 31 Spring Security GfiBeLux | 04/09/2018 @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers(HttpMethod.POST,"/api/login") .permitAll() .anyRequest() .authenticated() .and() // We filter the api/login requests .addFilterBefore(new JWTLoginFilter("/api/login", authenticationManager()), UsernamePasswordAuthenticationFilter.class) // And filter other requests to check the presence of JWT in header .addFilterBefore(new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class); <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.9.0</version> </dependency>
  • 32.
    JSON Web Token(JWT) with REST API JWTLoginFilter 32 Spring Security GfiBeLux | 04/09/2018 public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter{ private TokenAuthenticationService tokenAuthenticationService; public JWTLoginFilter(String url, AuthenticationManager authenticationManager) { super(new AntPathRequestMatcher(url)); setAuthenticationManager(authenticationManager); tokenAuthenticationService = new TokenAuthenticationService(); } @Override public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException { AccountCredentials credentials = new ObjectMapper().readValue(httpServletRequest.getInputStream(),AccountCredentials.class); UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(credentials.getUsername(), credentials.getPassword()); return getAuthenticationManager().authenticate(token); } @Override protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication) throws IOException, ServletException{ String name = authentication.getName(); tokenAuthenticationService.addAuthentication(response,name); } }
  • 33.
    JSON Web Token(JWT) with REST API TokenAuthenticationService 33 Spring Security GfiBeLux | 04/09/2018 public class TokenAuthenticationService { private long EXPIRATIONTIME = 1000 * 60 * 60 * 24 * 10; // 10 days private String secret = "secret"; // Must be an environment variable into OS private String tokenPrefix = ""; // "Bearer " private String headerString = "Authorization"; public void addAuthentication(HttpServletResponse response, String username) { String JWT = Jwts.builder() .setSubject(username) .setExpiration(new Date(System.currentTimeMillis() + EXPIRATIONTIME)) .signWith(SignatureAlgorithm.HS512, secret).compact(); response.addHeader(headerString,tokenPrefix + JWT); } public Authentication getAuthentication(HttpServletRequest request) { String token = request.getHeader(headerString); if(token != null) { String username = Jwts.parser() .setSigningKey(secret) .parseClaimsJws(token) .getBody() .getSubject(); if(username != null) // we managed to retrieve a user { return new AuthenticatedUserImpl(username); } } return null; } }
  • 34.
    JSON Web Token(JWT) with REST API AuthenticatedUserImpl 34 Spring Security GfiBeLux | 04/09/2018 public class AuthenticatedUserImpl implements Authentication { String ROLE_PREFIX = "ROLE_"; private boolean authenticated = true; private String name; @Autowired private IUserDao userDAO; AuthenticatedUserImpl(String name){ this.name = name; } @Override public Collection<GrantedAuthority> getAuthorities() { List<GrantedAuthority> grantedAuthorities = new ArrayList<>(); UserVO user = userDAO.findByUsername(name); List<AuthorisationVO> roles = user.getRoles(); for(AuthorisationVO item : roles) { grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+item.getAuthorisation())); } grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_PREFIX+"Consultant")); return grantedAuthorities; } .... ....
  • 35.
    JSON Web Token(JWT) with REST API JWTLoginFilter and AccountCredentials 35 Spring Security GfiBeLux | 04/09/2018 public class JWTAuthenticationFilter extends GenericFilterBean{ @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { Authentication authentication = new TokenAuthenticationService().getAuthentication((HttpServletRequest)request); SecurityContextHolder.getContext().setAuthentication(authentication); filterChain.doFilter(request,response); } } public class AccountCredentials { private String username; private String password; String getUsername() { return username; } String getPassword() { return password; } public void setUsername(String _username) { this.username = _username; } public void setPassword(String _password) { this.password = _password; } }
  • 36.
    FRANCE | SPAIN| PORTUGAL | BELGIUM | SWITSERLAND | LUXEMBURG | UNITED KINGDOM | POLAND | ROMANIA | MOROCCO | IVORY COAST| ANGOLA | USA | MEXICO | COLOMBIA | BRASIL gfi.be - gfi.lu - gfi.world Jesus.perez.franco@gfi.be https://www.linkedin.com/in/jpefranco/ Jesus Perez Franco Application Architect Digital Business Gfi Registered office Square de Meeûs 28/40 – 1000 Brussels Tel: +32(0)16381111 Fax: +32(0)16381100 info@gfi.be

Editor's Notes