Spring Security 3.0
BY TANUJ KATHURIA
WHAT IS SPRING SECURITY
Spring Security provides security for J2EE-based web applications.
It is powerful, flexible and pluggable, just like the Spring Framework.
It is not a firewall, proxy server, intrusion detection system, OS security, JVM security, etc.
MAJOR OPERATIONS
AUTHENTICATION
Authentication is the process of logging in: proving you are who you say you are.
IDENTIFICATION + VERIFICATION
AUTHORIZATION
We know who you are, but you are allowed to access only what you are authorized for.
For example: Manager, Leader, Admin, User, etc.
SERVLET FILTERS
SPRING SECURITY SETUP
JARS :
spring-security-config-3.0.1.RELEASE.jar
spring-security-core-3.0.1.RELEASE.jar
spring-security-web-3.0.1.RELEASE.jar
SCHEMA:
CONFIGURATION CHANGE 1
FILTER CHAIN PROXY
CONFIGURATION CHANGE 2
WEB-INF/spring-security.xml
BASIC ARCHITECTURE
Authentication Manager
UserDetailsService (UserRepository): it loads Security Context information such as user details and authorities.
Security Context
User Information
User Details and Granted Authorities
3 TYPES OF AUTHENTICATION
HTTP BASIC
DEFAULT FORM
CUSTOM FORM
The <http-basic> tag needs to be included in order to use HTTP Basic authentication.
<http auto-config="true"> is the tag that brings up Spring Security's default login form.
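<http>
    <!-- URLs matching /admin** require ROLE_USER -->
    <intercept-url pattern="/admin**" access="ROLE_USER" />
    <!-- custom login page, post-login target and login-failure page -->
    <form-login login-page="/login" default-target-url="/admin"
                authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/logout" />
</http>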
These tags send users to the custom login page.
AUTHENTICATION PROVIDERS
HASHED PASSWORD
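<authentication-manager>
    <authentication-provider>
        <password-encoder hash="sha-256"/>
        <user-service>
            <user name="tanuj" password="8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>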
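What the sha-256 encoder setting above stores and checks, as an added example (not from the original slides and not Spring Security's own code): the class and method names are hypothetical, the password is a constructed sample, and the UTF-8 encoding and the password{salt} merge format are assumptions about Spring Security 3.0's behaviour. It goes one step beyond the slide by also computing a username-salted hash, because the unsalted form gives every account with the same password the same hash.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration; names are hypothetical, not Spring Security API.
public class Sha256UserEntry {

    // Hex-encoded SHA-256 of the password, the form the password attribute holds.
    // A non-null salt is merged as password{salt} (assumed 3.0 convention).
    static String encode(String rawPassword, String salt) throws NoSuchAlgorithmException {
        String merged = (salt == null) ? rawPassword : rawPassword + "{" + salt + "}";
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(merged.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Login-time check: hash the submitted password and compare without early exit.
    static boolean matches(String storedHex, String submitted, String salt)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(
                storedHex.toLowerCase().getBytes(StandardCharsets.US_ASCII),
                encode(submitted, salt).getBytes(StandardCharsets.US_ASCII));
    }

    // Builds the <user> element that goes inside <user-service>.
    static String userElement(String name, String hash, String authorities) {
        return "<user name=\"" + name + "\" password=\"" + hash
                + "\" authorities=\"" + authorities + "\" />";
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String password = "constructed-Sample-pass-1"; // constructed sample value
        // Unsalted: two accounts sharing a password get the same stored hash.
        String alice = encode(password, null);
        String bob = encode(password, null);
        System.out.println(userElement("alice", alice, "ROLE_USER"));
        System.out.println("same hash for same password: " + alice.equals(bob));
        // Salted with the username: the stored hashes differ per account.
        System.out.println("differs when salted: "
                + !encode(password, "alice").equals(encode(password, "bob")));
        System.out.println("correct login: " + matches(alice, password, null));
        System.out.println("wrong login:   " + matches(alice, "guess", null));
    }
}
```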
DATABASE PASSWORD