Spring Security - A Complete Guide

 spring security

Web applications are susceptible to security threats and attacks, as they are accessible to anyone on the internet. There may exist some REST endpoints having restricted access to specific users. We can use Spring Security, a framework that focuses on providing both authentication and authorization to Java applications to secure such URLs.


Spring security works on the following four core concepts – Authentication, Authorization, Password Storage & Servlet Filters.


Authentication

Authentication is the act of verifying an assertion, such as the identity of a computer system user. It involves providing valid credentials to verify who you are.


Authorization

For a simple application, authenticating user might be enough, but let’s think about a big enterprise application.

  • An employee may only have certain permissions to carry out specific operations
  • The back-end product managers are allowed to work only on the products
  • E-commerce managers can work on both customer and order information, without changing the product information
  • The system admin can perform all the operations


Password Storage

Making sure that our passwords are secure and difficult to hack is another primary goal of any security framework. Spring Security’s Password Encoder interface performs a one-way transformation for the password. Spring Security provides several Password Encoder like: 

BCryptPasswordEncoder.

Argon2PasswordEncoder.

Pbkdf2PasswordEncoder

SCryptPasswordEncoder.


Spring Security Modules

  • Core: spring-security-core.jar – This is core jar file and is required for every application that wants to use Spring Security, includes core access-control and core authentication classes and interfaces.
  • Web: spring-security-web.jar – This jar is useful for Spring Security web authentication and URL-based access control, includes filters and web-security infrastructure.
  • Config: spring-security-config.jar – This jar file is required for Spring Security configuration using XML and Java both, includes Java configuration code and security namespace parsing code. 

Features 

  • Comprehensive
  • Protection against attacks
  • Servlet API integration

Advantages

  • Servlet API integration
  • Extensible support
  • Protection against attacks
  • Spring MVC integration
  • Portability
  • Protection against CSRF attacks
  • Java configuration support

To enable basic Spring Security to J2EE applications, the below 3 steps are followed:

1. Add jar files

2. Filter declaration to pom.xml

3. Java configuration 


Spring Security’s web infrastructure should only be used by delegating to an instance of FilterChainProxy. The security filters should not be used by themselves. In theory, you could mention each Spring Security filter bean that you need in your application context file and add a corresponding DelegatingFilterProxy entry to web.xml for each filter.

  • ChannelProcessingFilter, because it might need to redirect to a different protocol
  • SecurityContextPersistenceFilter, so a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request
  • ConcurrentSessionFilter, since it uses the SecurityContextHolder functionality but requires updating the SessionRegistry to reflect ongoing requests from the principal
  • RememberMeAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, and the request presents a cookie that enables remember-me services to take place, a fitting remembered Authentication object will be put there
  • ExceptionTranslationFilter, to grab any Spring Security abnormality
  • FilterSecurityInterceptor, to protect web URIs and raise exceptions when access is denied

Comments

Post a Comment

Popular posts from this blog

AIOps, RPA and AI in Healthcare

Image
  The ongoing global crisis has made us realise the importance of  AIOps Tools in Healthcare Industry . Technologies are helping the countries to cope up with the current situation.  - South Korea’s government developed apps helped to track people during the quarantine - A biosensor has been developed recently by India’s National Institute of Animal Biotechnology, Hyderabad which helps in tracing virus in the saliva Apart from such technologies, AI for IT Operations, AIOps is revolutionizing the healthcare industry. - Smart Machines retrained by AIOps to read CT Scan images - It helps to evaluate the treatment and prognosis of patients - Also helps in tracking the development of different diseases RPA in Healthcare Robotic Process Automation (RPA) are a set of tools which can perform repetitive and routine tasks with a quicker pace and lower cost. - It is used to help clinicians - It enhances the quality of care which is delivered
Read more

zDesk – The Best VDI Solution for Healthcare

Image
The pandemic started with the shutting down of workplaces to control the spread of the virus. Z-Desk ensured continuity of businesses of the clients via remote access to desktops, laptops or any other devices capable of RDP. Desktop Virtualization to many organizations is expensive as well as complex. Z-Desk was conceived to challenge such status-quo. - Z-Desk is hard agnostic and simple to deploy. - Z-Desk gives an unparallel user experience. - It is a secured and an “all-inclusive”  Virtual Desktop Infrastructure (VDI) solutions . Core components of zDesk: - Hypervisor - Connection broker - Orchestration - Management and control layer These components are generally not integrated into a typical VDI. These generally tend to be a part of a multi-layer architecture. The typical VDI’s face a lot of issues like: - Its management layer requires a dedicated hardware - It requires separate installations for feature manag
Read more

Long80 - Cyber Security Services

Image
  Long 80’s end-to-end  Cyber Security Solutions , helps to manage risk and build an effective cybersecurity program, catering to the full suite of  cyber security services , be it assessment, operations, or strategy. It delivers holistic, intelligence-driven cyber security services, helping enterprises prepare against, protect from, and proactively respond to threats. Leveraging extensive healthcare experience, our internal Security Center of Excellence (CoE), and AI & Automation-led services, Long 80 brings in the right set of business drivers which ensure seamless security operations, and deliver over 40% in cost savings. The Levers  AI-enabled security operations  Automation platform with response workflows Follow-the-sun global delivery model SOC analysts with deep domain expertise and rich consulting experience Offensive & defensive security teams Security CoE with standard templates & playbooks The Differentiators  75% of security practice aligned with Healthcare
Read more