0% found this document useful (0 votes)

308 views

Spring Security 3.0: Authentication and Authorization

The document discusses Spring Security 3.0 and covers authentication, authorization, and access control lists. It describes configuring LDAP authentication with a custom database for user roles. Remember-me services with hash-based and persistent tokens are also covered. For authorization, it explains how to set up access control lists in the database and use an access decision manager with voters to control access based on roles and permissions. After invocation providers are used to filter returned objects based on access rights.

Uploaded by

Cristian Gorgorin

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPT, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

308 views

Spring Security 3.0: Authentication and Authorization

Uploaded by

Cristian Gorgorin

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPT, PDF, TXT or read online on Scribd

You are on page 1/ 35

Spring Security 3.

Authentication and Authorization

Agenda
 Authentication – LDAP & Database combined
solution
 Authentication – Remember-me service
 Authorization – Access Control Lists
Authentication
 Authenticate users using an LDAP server
 Read user information, including roles, from
custom database
Authentication Objects
Authentication Manager
Declaration
<authentication-manager alias="authenticationManager">
<authentication-provider ref='ldapAuthProvider'/>

<authentication-provider>
<user-service>
<user name="admin" password="sandtp"
authorities="ROLE_USER, ROLE_ADMIN"
/>
</user-service>
</authentication-provider>

</authentication-manager>
LDAP Authentication Provider
Declaration
<beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.aut
hentication.LdapAuthenticationProvider">
<beans:constructor-arg
ref="bindAuthenticator" />
<beans:constructor-arg
ref="authoritiesPopulator" />
</beans:bean>
Bind Authenticator Declaration
<beans:bean id="bindAuthenticator"
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource" />
<beans:property name="userDnPatterns">
<beans:list>
<beans:value>sAMAccountName={0}</beans:value>
</beans:list>
</beans:property>
<beans:property name="userSearch" ref="userSearch" />
</beans:bean>
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://sntsoftware.ro:389/DC=sntsoftware,DC=ro" />
<beans:property name="userDn" value="CN=Ldap.Query.Service,CN=Users,DC=sntsoftware,DC=ro" />
<beans:property name="password" value="sandtp" />
</beans:bean>
<beans:bean id="userSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="" />
<beans:constructor-arg index="1" value="(sAMAccountName={0})" />
<beans:constructor-arg index="2" ref="contextSource" />
</beans:bean>
Authorities Populator
Declaration
<beans:bean id="authoritiesPopulator"
class="org.springframework.security.ldap.aut
hentication.UserDetailsServiceLdapAuthoritie
sPopulator">
<beans:constructor-arg
ref="userDetailsService"/>
</beans:bean>
UserDetailsService Declaration
<beans:bean id="userDetailsService"
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<beans:property name="dataSource" ref="dataSource"/>
</beans:bean>

<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"

destroy-method="close">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://bart/voucher_schema?
createDatabaseIfNotExist=true&amp;useUnicode=true&amp;characterEncoding
=utf-8" />
<property name="username" value="root" />
<property name="password" value="sandtp-d" />
<property name="maxActive" value="100" />
<property name="maxWait" value="1000" />
<property name="poolPreparedStatements" value="true" />
<property name="defaultAutoCommit" value="true" />
</bean>
Database Schema for
JdbcDaoImpl
Remember-me Services

Spring Security offers 2 implementations:

 Simple hash-based token

 Persistent token
Remember-me : Simple hash-
based token
Remember-me : Persistent
Token
Remember-me Objects
Remember-me : Persistent
Token - Configuration
<beans:bean id="rememberMeServices"
class="org.springframework.security.web.authentication.rememberme.P
ersistentTokenBasedRememberMeServices">
<beans:property name="userDetailsService" ref="userDetailsService" />
<beans:property name="tokenRepository" ref="jdbcTokenRepository" />
<beans:property name="key" value="e37f4b31-0c45-11dd-bd0b-
0800200c9a66" />
</beans:bean>

<beans:bean id="jdbcTokenRepository"
class="org.springframework.security.web.authentication.rememberme.J
dbcTokenRepositoryImpl">
<beans:property name="dataSource" ref="dataSource" />
</beans:bean>
Database Schema for
JdbcDaoImpl
Agenda

 Authentication – LDAP & Database combined

solution
 Authentication – Remember-me service
 Authorization – Access Control Lists
Spring Security Access
Control Lists (ACLs)
 authorization = grant access rights to
authenticated users
 often the role is not enough to make
authorization decisions
 example: manager can only approve
requests from employees in his own
department
 ACL: authorization decision per-user, per-
object and per-operation basis
ACLs (cont)


@Secured({"ROLE_ADMIN", "ACL_OBJECT_READ", "AFTER_ACL_READ"})
MySecuredObject getSecuredObject(MySecuredObject obj);

 2 types of verification:
 Before invocation  check access rights on
parameters
 after invocation  check access rights on returned
object
 if access not granted  AccessDeniedException
ACL Database Schema
ACL Database Schema (cont)
ACL_ENTRY.mask
ACL Data Model
ACL Service – Object Model
ACL Service – Declaration
(MySQL)
<beans:bean id="aclService"
class="org.springframework.security.acls.jdbc.JdbcMutableAclSe
rvice">
<beans:constructor-arg ref="dataSource"/>
<beans:constructor-arg ref="lookupStrategy"/>
<beans:constructor-arg ref="aclCache"/>

<beans:property name="classIdentityQuery" value="SELECT

@@IDENTITY"/>
<beans:property name="sidIdentityQuery" value="SELECT
@@IDENTITY"/>
</beans:bean>
Access Decision Manager
@Secured({"ROLE_ADMIN", "ACL_OBJECT_READ", "AFTER_ACL_READ"})

public SecuredObject getSecuredObject(SecuredObject obj);

Access Decision Manager -
Declaration
<global-method-security secured-
annotations="enabled" access-decision-manager-
ref="businessAccessDecisionManager">
<after-invocation-provider ref="afterAclRead"/>
<after-invocation-provider
ref="afterAclCollectionRead"/>
</global-method-security>
Access Decision Manager –
Declaration (cont)
<beans:bean id="businessAccessDecisionManager"
class="org.springframework.security.access.vote.UnanimousBas
ed">
<beans:property name="allowIfAllAbstainDecisions"
value="true"/>
<beans:property name="decisionVoters">
<beans:list>
<beans:ref local="roleVoter"/>
<beans:ref local="aclObjectReadVoter"/>
</beans:list>
</beans:property>
</beans:bean>
Access Decision Manager –
Voters Configuration
<beans:bean id="roleVoter"
class="org.springframework.security.access.vote.RoleVoter"/>
<beans:bean id="aclObjectReadVoter"
class="org.springframework.security.acls.AclEntryVoter">
<beans:constructor-arg ref="aclService"/>
<beans:constructor-arg value="ACL_OBJECT_READ"/>
<beans:constructor-arg>
<beans:list>
<beans:ref local="aclCumulativeReadAdminPermission"/>
</beans:list>
</beans:constructor-arg>
<beans:property name="processDomainObjectClass"
value="com.snt.model.security.SecuredObject"/>
</beans:bean>
Access Decision Manager –
Custom Permission
<beans:bean id="aclCumulativeReadAdminPermission"
class="com.snt.model.security.ReadAdminCumulativePermission">
</beans:bean>

package com.snt.model.security;
import org.springframework.security.acls.domain.BasePermission;
public class ReadAdminCumulativePermission extends
org.springframework.security.acls.domain.CumulativePermission {

public ReadAdminCumulativePermission() {
set(BasePermission.READ);
set(BasePermission.ADMINISTRATION);
}
}
Access Decision Manager –
how does it work?
@Secured({"ROLE_ADMIN", "ACL_OBJECT_READ",
"AFTER_ACL_READ"})
public SecuredObject getSecuredObject(SecuredObject obj);

 AclEntryVoter(AclService aclService,
java.lang.String processConfigAttribute,
Permission[] requirePermission)
 boolean supports(java.lang.Class<?> clazz)
 boolean supports(ConfigAttribute attribute)
 int vote(Authentication authentication,
java.lang.Object object,
java.util.Collection<ConfigAttribute> attributes)
Access Decision Manager –
Cumulative Permissions Issue
 Matching for permissions is done by Spring
Framework using “==”
 Suppose Read and Write permissions are set
 If you ask for isGranted(READ), it will not be
allowed!
 You need to ask isGranted(READ && WRITE)
 Solutions:
 - modify the corresponding Spring Security code
 - Enhancement provided in Spring Security 3.1:
 http://jira.springframework.org/browse/SEC-1166
After Invocation Manager
After Invocation Providers
<global-method-security secured-
annotations="enabled" access-decision-manager-
ref="businessAccessDecisionManager">
<after-invocation-provider ref="afterAclRead"/>
<after-invocation-provider
ref="afterAclCollectionRead"/>
</global-method-security>
After Invocation Providers
(cont)
<beans:bean id="afterAclRead"
class="org.springframework.security.acls.afterinvocation.AclEntryAfterInvocationProvider">
<beans:constructor-arg ref="aclService"/>
<beans:constructor-arg>
<beans:list>
<beans:ref local="aclCumulativeReadAdminPermission"/>
</beans:list>
</beans:constructor-arg>
</beans:bean>

<beans:bean id="afterAclCollectionRead"
class="org.springframework.security.acls.afterinvocation.AclEntryAfterInvocationCollectionFi
lteringProvider">
<beans:constructor-arg ref="aclService"/>
<beans:constructor-arg>
<beans:list>
<beans:ref local="aclCumulativeReadAdminPermission"/>
</beans:list>
</beans:constructor-arg>
</beans:bean>
Thank you!

 http://static.springsource.org/spring-
security/site/docs/3.0.x/reference/springse
curity.html

 http://static.springsource.org/spring-
security/site/docs/3.0.x/apidocs/

Grokking The Java Developer Interview - More Than 200 Questions To Crack The Java, Spring
100% (2)
Grokking The Java Developer Interview - More Than 200 Questions To Crack The Java, Spring
330 pages
Kubernetes Basic To Advance End To End
100% (4)
Kubernetes Basic To Advance End To End
295 pages
07. Microservices Notes
No ratings yet
07. Microservices Notes
14 pages
System Design Interview Textbook
No ratings yet
System Design Interview Textbook
51 pages
Hibernate Tips - More Than 70 Solutions To Common Hibernate Problems
No ratings yet
Hibernate Tips - More Than 70 Solutions To Common Hibernate Problems
257 pages
Lab 6k A Shopping Cart Using The ArrayList Class-0
No ratings yet
Lab 6k A Shopping Cart Using The ArrayList Class-0
3 pages
Online Voting System Final
100% (3)
Online Voting System Final
92 pages
Vprofile Project Setup Mac M1 M2
No ratings yet
Vprofile Project Setup Mac M1 M2
13 pages
Notes - JWT + Spring Security Overview
No ratings yet
Notes - JWT + Spring Security Overview
8 pages
AWS Certified Solution Architect Associate Study Guide V1.0 Abdul Jaseem VP Release 30 Aug 2020
100% (6)
AWS Certified Solution Architect Associate Study Guide V1.0 Abdul Jaseem VP Release 30 Aug 2020
235 pages
Getting started with Spring Framework: A Hands-on Guide to Begin Developing Applications Using Spring Framework
From Everand
Getting started with Spring Framework: A Hands-on Guide to Begin Developing Applications Using Spring Framework
Ashish Sarin
4.5/5 (2)
Spring Boot Reference
No ratings yet
Spring Boot Reference
351 pages
6.1) Kubernetes Detailed Notes
100% (3)
6.1) Kubernetes Detailed Notes
75 pages
AWS Course - All Slides
80% (10)
AWS Course - All Slides
879 pages
Securing Microservice APIs
No ratings yet
Securing Microservice APIs
51 pages
Spring Security Ramesh Draft2
No ratings yet
Spring Security Ramesh Draft2
10 pages
Security
No ratings yet
Security
11 pages
462 Solution Code Spring Security Demo 08 JDBC Plaintext
No ratings yet
462 Solution Code Spring Security Demo 08 JDBC Plaintext
14 pages
Hibernate, Spring & Struts Interview Questions You'll Most Likely Be Asked
From Everand
Hibernate, Spring & Struts Interview Questions You'll Most Likely Be Asked
Vibrant Publishers
No ratings yet
Spring Data JPA Notes
No ratings yet
Spring Data JPA Notes
12 pages
Spring
No ratings yet
Spring
5 pages
Hibernate Interview Questions
0% (1)
Hibernate Interview Questions
112 pages
6.supplier Study Material 2 PDF
No ratings yet
6.supplier Study Material 2 PDF
5 pages
Spring AOP
No ratings yet
Spring AOP
48 pages
Experience Faqs (Final)
0% (1)
Experience Faqs (Final)
35 pages
Microservices Notes and Practise
100% (1)
Microservices Notes and Practise
176 pages
01 Microservices Material
No ratings yet
01 Microservices Material
4 pages
Mockito Framework
No ratings yet
Mockito Framework
17 pages
Spring SpringBoot
No ratings yet
Spring SpringBoot
354 pages
Spting Boot
No ratings yet
Spting Boot
54 pages
Hibernate Annotations
No ratings yet
Hibernate Annotations
68 pages
Durgesh Imp SB Questions
No ratings yet
Durgesh Imp SB Questions
5 pages
Spring Interview Questions
No ratings yet
Spring Interview Questions
84 pages
Spring and Hibernate
No ratings yet
Spring and Hibernate
4 pages
Spring Course Material Nagoor Babu
0% (1)
Spring Course Material Nagoor Babu
44 pages
SpringBootInputFiles by RAGHU
No ratings yet
SpringBootInputFiles by RAGHU
3 pages
05 Spring Boot Rest Security
No ratings yet
05 Spring Boot Rest Security
72 pages
Using Spring Boot 3 With Spring Security Notes
No ratings yet
Using Spring Boot 3 With Spring Security Notes
15 pages
EJB Roseindia Notes
No ratings yet
EJB Roseindia Notes
126 pages
Hibernate
No ratings yet
Hibernate
161 pages
Learn Spring Security Course - Baeldung
No ratings yet
Learn Spring Security Course - Baeldung
28 pages
Spring JDBC Class Notes
No ratings yet
Spring JDBC Class Notes
7 pages
MICROSERVICES
No ratings yet
MICROSERVICES
16 pages
Spring MVC Hibernate MySQL Integration CRUD Example Tutorial
No ratings yet
Spring MVC Hibernate MySQL Integration CRUD Example Tutorial
17 pages
Spring Cloud PDF
No ratings yet
Spring Cloud PDF
1,107 pages
Natraj Interviews
No ratings yet
Natraj Interviews
32 pages
Java8 Study Guide
No ratings yet
Java8 Study Guide
11 pages
Hibernate Interview Questions
100% (1)
Hibernate Interview Questions
14 pages
Interviw Questions
No ratings yet
Interviw Questions
13 pages
Class Notes
No ratings yet
Class Notes
42 pages
Spring Boot Interview Questions With Answer
No ratings yet
Spring Boot Interview Questions With Answer
11 pages
Rest
100% (1)
Rest
21 pages
Spring AOP Notes (Aspect Oriented Programming in Spring) PDF
No ratings yet
Spring AOP Notes (Aspect Oriented Programming in Spring) PDF
44 pages
Spring Cloud
No ratings yet
Spring Cloud
27 pages
Tag Spring Batch
No ratings yet
Tag Spring Batch
17 pages
Collection Framework
No ratings yet
Collection Framework
30 pages
Complete Backed Course
No ratings yet
Complete Backed Course
32 pages
10 Filters
No ratings yet
10 Filters
16 pages
Spring Interview Questions
100% (1)
Spring Interview Questions
21 pages
Hexaware Interview Round Question
100% (1)
Hexaware Interview Round Question
10 pages
E-Commerce Application - Angular Front-End and Spring Boot Back-End
No ratings yet
E-Commerce Application - Angular Front-End and Spring Boot Back-End
2 pages
Spring Part 3
No ratings yet
Spring Part 3
133 pages
Hibernate Notes
No ratings yet
Hibernate Notes
112 pages
JPA Mini Book
No ratings yet
JPA Mini Book
60 pages
Spring Annotations Reference: Spring MVC Spring Boot Spring Data JPA This Blog
No ratings yet
Spring Annotations Reference: Spring MVC Spring Boot Spring Data JPA This Blog
6 pages
Java servlet Second Edition
From Everand
Java servlet Second Edition
Gerardus Blokdyk
No ratings yet
Cloud Native Applications with Jakarta EE: Build, Design, and Deploy Cloud-Native Applications and Microservices with Jakarta EE (English Edition)
From Everand
Cloud Native Applications with Jakarta EE: Build, Design, and Deploy Cloud-Native Applications and Microservices with Jakarta EE (English Edition)
Kamalmeet Singh
No ratings yet
Mastering Apache Cassandra - Second Edition
From Everand
Mastering Apache Cassandra - Second Edition
Nishant Neeraj
No ratings yet
Java Core Interview in Australia. Questions and Answers. Tech interviewer’s notes
From Everand
Java Core Interview in Australia. Questions and Answers. Tech interviewer’s notes
John Edward Cooper Berg
No ratings yet
Core Java: Made Simple: A popular language for Android smart phone application, favoured for edge device and
From Everand
Core Java: Made Simple: A popular language for Android smart phone application, favoured for edge device and
Som Prakash Rai
No ratings yet
Introduction To Cloud Computing
No ratings yet
Introduction To Cloud Computing
27 pages
Kubernetes
100% (6)
Kubernetes
138 pages
15 Reasons To Use Redis As An Application Cache: Itamar Haber
No ratings yet
15 Reasons To Use Redis As An Application Cache: Itamar Haber
9 pages
Migrating To Cloud-Native Architectures Using Microservices: An Experience Report
No ratings yet
Migrating To Cloud-Native Architectures Using Microservices: An Experience Report
15 pages
Kubernetes Docker
100% (7)
Kubernetes Docker
129 pages
Java Application Vulnerabilities:: What They Are and How To Fix Them
No ratings yet
Java Application Vulnerabilities:: What They Are and How To Fix Them
9 pages
Kubernetes Practicals Ebook
67% (3)
Kubernetes Practicals Ebook
187 pages
Kubernetes Interview Questions
100% (1)
Kubernetes Interview Questions
8 pages
Op 100 Spring Interview Questions and Answers (Part 1)
No ratings yet
Op 100 Spring Interview Questions and Answers (Part 1)
41 pages
100 Days of Kubernetes
100% (4)
100 Days of Kubernetes
121 pages
Best Practices in Implementing A Secure Microservices Architecture
100% (1)
Best Practices in Implementing A Secure Microservices Architecture
85 pages
Kubernetes Made Easy
100% (4)
Kubernetes Made Easy
136 pages
Project - Real Time Monitoring Project
No ratings yet
Project - Real Time Monitoring Project
12 pages
Creating An E-Commerce Site With MERN Stack - Part III - Medium
No ratings yet
Creating An E-Commerce Site With MERN Stack - Part III - Medium
23 pages
Maven Jenkins Integration
No ratings yet
Maven Jenkins Integration
16 pages
Running Spring Boot Microservices On Kubernetes
No ratings yet
Running Spring Boot Microservices On Kubernetes
5 pages
AWS Certified DevOps Engineer Professional... Tests 2021
100% (3)
AWS Certified DevOps Engineer Professional... Tests 2021
210 pages
8 Data Modeling Patterns in Redis
No ratings yet
8 Data Modeling Patterns in Redis
56 pages
Waiting Line Models
100% (1)
Waiting Line Models
40 pages
LAB4
No ratings yet
LAB4
8 pages
AWS Cheat Sheets
100% (5)
AWS Cheat Sheets
30 pages
Appin Technology Lab (Network Security Courses)
No ratings yet
Appin Technology Lab (Network Security Courses)
21 pages
Linux Foundation's LFCS and LFCE Certification Preparation Guide ($39)
No ratings yet
Linux Foundation's LFCS and LFCE Certification Preparation Guide ($39)
29 pages
What Is Middleware?
No ratings yet
What Is Middleware?
33 pages
CL205v1.0 Student Guide - 06092016 PDF
No ratings yet
CL205v1.0 Student Guide - 06092016 PDF
586 pages
Data Mining Issues
No ratings yet
Data Mining Issues
5 pages
Idealancy Xss Bug Report
No ratings yet
Idealancy Xss Bug Report
5 pages
Voucher-FADIL WIFI-3Jam-up-107-05.28.21-GEN1 - FADIL29052021
No ratings yet
Voucher-FADIL WIFI-3Jam-up-107-05.28.21-GEN1 - FADIL29052021
10 pages
Ahmed - 7
No ratings yet
Ahmed - 7
5 pages
CCWP Introducing DSL To A Non-Technical Person 201201
No ratings yet
CCWP Introducing DSL To A Non-Technical Person 201201
8 pages
kUBERNETES__1734079298
No ratings yet
kUBERNETES__1734079298
44 pages
Programming Fundamentals
No ratings yet
Programming Fundamentals
71 pages
Computer Virus
No ratings yet
Computer Virus
9 pages
Data Security Pitch Deck - With Speaker Notes
No ratings yet
Data Security Pitch Deck - With Speaker Notes
48 pages
Labcollector Web Service Api
No ratings yet
Labcollector Web Service Api
10 pages
Struktur Org Mula Indonesia
No ratings yet
Struktur Org Mula Indonesia
3 pages
Contoh-Artikel-FKI 7 0
No ratings yet
Contoh-Artikel-FKI 7 0
6 pages
Ruby Course - Lesson 8 - Build A Simple Twitter Clone With Ruby
No ratings yet
Ruby Course - Lesson 8 - Build A Simple Twitter Clone With Ruby
58 pages
Android Caputre Camera
No ratings yet
Android Caputre Camera
7 pages
Advantages and Disadvantages of Selenium Webdriver
No ratings yet
Advantages and Disadvantages of Selenium Webdriver
6 pages
GRC Consultant Spec
No ratings yet
GRC Consultant Spec
3 pages
RPA Questions 1
No ratings yet
RPA Questions 1
11 pages
CSCP Demo
No ratings yet
CSCP Demo
4 pages
ISO 27001 Information Security Policy Template - Secureframe
100% (1)
ISO 27001 Information Security Policy Template - Secureframe
4 pages
Introduction To Oracle Goldengate: Sales Awareness Training, October 27 Oracle University
No ratings yet
Introduction To Oracle Goldengate: Sales Awareness Training, October 27 Oracle University
26 pages
OOPS Unit 1
No ratings yet
OOPS Unit 1
84 pages
BHGE Overview JewelEarthSDK 2017
No ratings yet
BHGE Overview JewelEarthSDK 2017
2 pages
STRT UNIT 3 and 4
No ratings yet
STRT UNIT 3 and 4
25 pages
Mesbah Mobile Forensics Software Catalogue
No ratings yet
Mesbah Mobile Forensics Software Catalogue
16 pages
Gym Management System
No ratings yet
Gym Management System
51 pages

Uploaded by

Uploaded by

Spring Security 3.

Authentication and Authorization

<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"

Spring Security offers 2 implementations:

 Authentication – LDAP & Database combined

<beans:property name="classIdentityQuery" value="SELECT

public SecuredObject getSecuredObject(SecuredObject obj);

You might also like