Scribd
Upload
226 views95 pages

Java Training-Spring Core

Spring Security is a powerful and highly customizable authentication and authorization framework for Spring-based applications. It provides key components like authentication managers, providers, and filters to handle user authentication, authorization, and securing application resources. The document discusses Spring Security fundamentals, configuration using XML namespaces, and how to implement authentication, authorization, session management, and logout functionality.

Uploaded by

Duy Chuong Huynh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
226 views95 pages

Java Training-Spring Core

Spring Security is a powerful and highly customizable authentication and authorization framework for Spring-based applications. It provides key components like authentication managers, providers, and filters to handle user authentication, authorization, and securing application resources. The document discusses Spring Security fundamentals, configuration using XML namespaces, and how to implement authentication, authorization, session management, and logout functionality.

Uploaded by

Duy Chuong Huynh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 95

Spring Framework - Security

SPRING FRAMEWORK
Dmitry Noskov

Spring Security 3.0

Application security

Security is arguably one of the most critical


architectural components of any application written
in the 21st century

Spring Framework - Security

Dmitry Noskov

What is Spring Security

a powerful and highly customizable authentication


and access-control framework
build on top of Spring Framework
de-facto standard for securing Spring-based
applications

Spring Framework - Security

Dmitry Noskov

Fundamentals (1)

principal

authentication

user that performs the action


confirming truth of credentials

authorization

define access policy for principal

Spring Framework - Security

Dmitry Noskov

Fundamentals (2)

Authentication

GrantedAuthority

application-wide permissions granted to a principal

SecurityContext

the principal in a Spring Security-specific manner

hold the Authentication and other security information

SecurityContextHolder

provide access to SecurityContext


Spring Framework - Security

Dmitry Noskov

SecurityContextHolder

provide access to SecurityContext


strategies
ThreadLocal
InreritableThreadLocal
Global

Spring Framework - Security

Dmitry Noskov

Getting started
SecurityContext context = SecurityContextHolder.getContext();
Object principal = context.getAuthentication().getPrincipal();
if (principal instanceof UserDetails) {
String username = ((UserDetails)principal).getUsername();

} else {
String username = principal.toString();
}

Spring Framework - Security

Dmitry Noskov

Use case

Spring Framework - Security

Dmitry Noskov

Namespace
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema

/beans

http://www.springframework.org/schema/

beans/spring-beans-3.0.xsd

http://www.springframework.org/schema

/security

http://www.springframework.org/schema

/security/spring-security-3.0.xsd">

Spring Framework - Security

Dmitry Noskov

Filters

Spring Framework - Security

Dmitry Noskov

Security filter
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>

</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Spring Framework - Security

Dmitry Noskov

Filter chain

Spring Framework - Security

Dmitry Noskov

Filter chain (2)


<bean id="springSecurityFilterChain"
class="org.springframework.security.web.FilterChainProxy">

<sec:filter-chain-map path-type="ant">
<sec:filter-chain pattern="/login.do*" filters="none"/>
<sec:filter-chain pattern="/**.do*"
filters="
securityContextPersistenceFilter,
logoutFilter,
usernamePasswordAuthenticationFilter,
rememberMeAuthenticationFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</sec:filter-chain-map>
</bean>
Spring Framework - Security

Dmitry Noskov

Basic filters
Filter

Description

ChannelProcessingFilter

ensures that a request is being sent over HTTP or HTTPS

SecurityContextPersistentFilter

Populates the security context using information obtained from the


repository (http session)

LogoutFilter

Used to log a user out of the application

UsernamePasswordAuthenticationFilter

Accepts the users principal and credentials and attempts to


authenticate the user

BasicAuthenticationFilter

Attempts to authenticate a user by processing an HTTP Basic


authentication

ExceptionTranslationFilter

Handles any AccessDeniedException or


AuthenticationException

FilterSecurityInterceptor

Decides whether or not to allow access to a secured resource

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/nsconfig.html#ns-custom-filters
Spring Framework - Security

Dmitry Noskov

Authentication

Spring Framework - Security

Dmitry Noskov

Authentication variants

credential-based
two-factor
hardware
other

Spring Framework - Security

Dmitry Noskov

Authentication mechanisms

basic
form
x.509
JAAS
etc.

Spring Framework - Security

Dmitry Noskov

Authentication storage

RDMBS
LDAP
custom storage
etc.

Spring Framework - Security

Dmitry Noskov

Fundamentals
Filter
Manager
Provider
Authentication
UserDetails

Spring Framework - Security

Dmitry Noskov

HTML form

<form action="j_spring_security_check" method="post">


<span>Login:</span><input name="login" type="text"/>
<span>Password:</span><input name="password" type="password"/>

<input type="submit" value="Login">


</form>

Spring Framework - Security

Dmitry Noskov

Username-password filter
<bean id="..." class="...security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="filterProcessesUrl" value="/j_spring_security_check"/>
<property name="usernameParameter" value="login"/>
<property name="passwordParameter" value="password"/>
<property name="authenticationSuccessHandler">
<bean class="...security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/index.do"/>
</bean>

</property>
<property name="authenticationFailureHandler">
<bean class="...security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login.do"/>
</bean>
</property>

<property name="rememberMeServices" ref="rememberMeService"/>


</bean>

Spring Framework - Security

Dmitry Noskov

Core authentication services

AuthenticationManager

AuthenticationProvider

performs authentication

UserDetailsService

handles authentication requests

responsible for returning an UserDetails object

UerDetails

provides the core user information


Spring Framework - Security

Dmitry Noskov

AuthenticationManager
public interface AuthenticationManager {
/* Attempts to authenticate the passed Authentication object,
* returning a fully populated Authentication object (including
* granted authorities) if successful.
* @param authentication the authentication request object

* @return a fully authenticated object including credentials


* @throws AuthenticationException if authentication fails */
Authentication authenticate(Authentication authentication)
throws AuthenticationException;
}

Spring Framework - Security

Dmitry Noskov

AuthenticationProvider
public interface AuthenticationProvider {
/* Performs authentication.
* @param authentication the authentication request object.
* @return a fully authenticated object including credentials.
* @throws AuthenticationException if authentication fails.*/

Authentication authenticate(Authentication authentication)


throws AuthenticationException;
/*Returns true if this provider supports the indicated
*Authentication object.*/
boolean supports(Class<? extends Object> authentication);
}
Spring Framework - Security

Dmitry Noskov

UserDetailsService
/*Core interface which loads user-specific data.*/
public interface UserDetailsService {
/* Locates the user based on the username.
* @param username the username identifying the user
* @return a fully populated user record (never null)
* @throws UsernameNotFoundException if the user could not be

found or the user has no GrantedAuthority


* @throws DataAccessException if user could not be found for a
repository-specific reason*/
UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException;
}

Spring Framework - Security

Dmitry Noskov

UserDetails
/* Provides core user information.*/
public interface UserDetails extends Serializable {
Collection<GrantedAuthority> getAuthorities();
String getPassword();
String getUsername();
boolean isAccountNonExpired();
boolean isAccountNonLocked();
boolean isCredentialsNonExpired();
boolean isEnabled();
}

Spring Framework - Security

Dmitry Noskov

Authentication manager
<bean id="..." class="...security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="casAuthenticationProvider"/>
<ref local="daoAuthenticationProvider"/>

<ref local="ldapAuthenticationProvider"/>
</list>
</property>
</bean>

Spring Framework - Security

Dmitry Noskov

Authentication provider
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService"/>
<property name="saltSource" ref bean="saltSource"/>
<property name="passwordEncoder" ref="passwordEncoder"/>

</bean>
<bean id="userDetailsService"
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="dataSource"/>
</bean>

Spring Framework - Security

Dmitry Noskov

Authentication DB schema

Spring Framework - Security

Dmitry Noskov

Password encoding

PasswordEncoder
MD5
SHA

SaltSource
SystemWide
reflection

Spring Framework - Security

Dmitry Noskov

Session management
<bean id="sessionManagementFilter"
class="org.springframework.security.web.session.SessionManagementFilter">
<property name="invalidSessionUrl" value="/timeout.do"/>
<property name="sessionAuthenticationStrategy" ref="strategy"/>
</bean>
<bean id="strategy"
class="SessionFixationProtectionStrategy">
<property name="alwaysCreateSession" value="true"/>
<property name="migrateSessionAttributes" value="true"/>
</bean>

Spring Framework - Security

Dmitry Noskov

Logout
<bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg>
<bean class="SimpleUrlLogoutSuccessHandler">
<property name="defaultTargetUrl" value="/login"/>
</bean>

</constructor-arg>
<constructor-arg>
<bean class="SecurityContextLogoutHandler"/>
</constructor-arg>
<property name="filterProcessesUrl" value="/logout"/>
</bean>

Spring Framework - Security

Dmitry Noskov

Remember Me authentication

RememberMeAuthenticationFilter
RememberMeServices
RememberMeAuthenticationProvider

Spring Framework - Security

Dmitry Noskov

RememberMe service
public interface RememberMeServices {
Authentication autoLogin(HttpServletRequest request,
HttpServletResponse response);
void loginFail(HttpServletRequest request,

HttpServletResponse response);
void loginSuccess(HttpServletRequest request,
HttpServletResponse response,
Authentication successfulAuthentication);
}

Spring Framework - Security

Dmitry Noskov

Remember Me shema

Spring Framework - Security

Dmitry Noskov

Anonymous authentication
<bean id="anonymousAuthenticationFilter"
class="...web.authentication.AnonymousAuthenticationFilter">
<property name="key" value="foobar"/>
<property name="userAttribute" value="anonymous,ROLE_ANONYMOUS"/>
</bean>
<bean id="anonymousAuthenticationProvider"
class="...authentication.AnonymousAuthenticationProvider">
<property name="key" value="foobar"/>
</bean>

Spring Framework - Security

Dmitry Noskov

Authentication with magic tags


<sec:http auto-config="true">
<sec:form-login login-page="" login-processing-url=""/>
<sec:anonymous enabled="true"/>
<sec:logout invalidate-session="true" logout-url=""/>

<sec:remember-me services-ref=""/>
</sec:http>

Spring Framework - Security

Dmitry Noskov

Authorization

Spring Framework - Security

Dmitry Noskov

Use case

Spring Framework - Security

Dmitry Noskov

Authorization

handling
pre-invocation
after invocation

implementations
voting based
expression based

Spring Framework - Security

Dmitry Noskov

Security layers

WEB (URLs)

Servlet Filter

methods
Spring AOP
AspectJ

content

JSP tag

Spring Framework - Security

Dmitry Noskov

Security interceptor (1)

Spring Framework - Security

Dmitry Noskov

Security interceptor (2)


Security
Interceptor

Authentication
Manager

Access Decision
Manager

Run-As
Manager

Spring Framework - Security

After-Invocation
Manager

Dmitry Noskov

Voting based
DecisionManager
DecisionVoter
ConfigAttribute

Spring Framework - Security

Dmitry Noskov

Decision managers
Decision manager

Description

AffirmativeBased

Allows access if at least one voter votes to grant access

ConsensusBased

Allows access if a consensus of voters vote to grant access

UnanimousBased

Allows access if all voters vote to grant access

Spring Framework - Security

Dmitry Noskov

Decision voter
public interface AccessDecisionVoter {
int ACCESS_GRANTED = 1;
int ACCESS_ABSTAIN = 0;
int ACCESS_DENIED = -1;
boolean supports(ConfigAttribute attribute);
boolean supports(Class<?> clazz);
int vote(Authentication authentication,
Object object,
Collection<ConfigAttribute> attributes);
}
Spring Framework - Security

Dmitry Noskov

Basic expressions
Expression

Description

hasRole(ROLE_USER)

Returns true if the current principal has the specified role

hasAnyRole(ROLE_USER, ROLE_ADMIN)

Returns true if the current principal has any of the roles

principal

Allows direct access to the principal object representing


the current user

authentication

Allows direct access to the current Authentication object


obtained from the SecurityContext

permitAll

Always evaluates to true

denyAll

Always evaluates to false

isAnonymous()

Returns true if the current principal is an anonymous user

isRememberMe()

Returns true if the current principal is a remember-me user

Spring Framework - Security

Dmitry Noskov

WEB authorization

Spring Framework - Security

Dmitry Noskov

Web authorization
<bean id="..." class="web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authManager"/>

<property name="accessDecisionManager" ref="decisionManager"/>


<property name="securityMetadataSource">
<sec:filter-security-metadata-source>
<sec:intercept-url pattern="/index.do*"
access="IS_AUTHENTICATED_FULLY"/>

<sec:intercept-url pattern="/**"
access="ROLE_USER"
filters="none"
method="GET"
requires-channel="https"/>

</sec:filter-security-metadata-source>
</property>
</bean>
Spring Framework - Security

Dmitry Noskov

WEB authorization with magic tags


<sec:http use-expressions="true">
<sec:intercept-url pattern="/index*"
access="isAuthenticated()"/>
<sec:intercept-url pattern="/**"

access="hasRole('ROLE_USER')"
filters="none"
method="GET"
requires-channel="https"/>

</sec:http>

Spring Framework - Security

Dmitry Noskov

WEB authorization
<bean id="webExpressionHandler"
class="DefaultWebSecurityExpressionHandler"/>
<bean id="webExpressionVoter" class="WebExpressionVoter">
<property name="expressionHandler" ref="webExpressionHandler"/>
</bean>
<bean class="org.springframework.security.access.vote.AffirmativeBased">
<property name="decisionVoters">
<list>
<ref bean="webExpressionVoter"/>
</list>
</property>
</bean>
Spring Framework - Security

Dmitry Noskov

Custom expression root


public class CustomWebSecurityExpressionRoot
extends WebSecurityExpressionRoot {
public CustomWebSecurityExpressionRoot(Authentication a,
FilterInvocation fi) {

super(a, fi);
}
public boolean hasAllRoles(String... roles) {
return false;
}
}
Spring Framework - Security

Dmitry Noskov

Custom expression handler


public class CustomWebSecurityExpressionHandler

extends DefaultWebSecurityExpressionHandler {
@Override
public EvaluationContext createEvaluationContext(Authentication a,
FilterInvocation fi) {

StandardEvaluationContext ctx =
(StandardEvaluationContext)super.createEvaluationContext(a, fi);
SecurityExpressionRoot root =
new CustomWebSecurityExpressionRoot(a, fi);
ctx.setRootObject(root);

return ctx;
}
}
Spring Framework - Security

Dmitry Noskov

Method authorization

Spring Framework - Security

Dmitry Noskov

Method authorization

annotation driven
voting based - @Secured
expression based - @Pre/@Post
JSR-250 - @RolesAllowed

xml driven

Spring Framework - Security

Dmitry Noskov

Configuration
<sec:global-method-security>
access-decision-manager-ref="accessDecisionManager"
jsr250-annotations="disabled"
pre-post-annotations="disabled"

secured-annotations="enabled"
</sec:global-method-security>

Spring Framework - Security

Dmitry Noskov

Annotation driven (voting)

voting
@Secured({"ROLE_USER"})
void create(Customer customer);

jsr-250
@RolesAllowed({"ROLE_USER"})

void create(Customer customer);

Spring Framework - Security

Dmitry Noskov

Annotation driven (expression)

1
@PreAuthorize("hasRole('ROLE_USER')")
void create(Customer customer);

2
@PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')")

void create(Customer customer);

3
@PreAuthorize("hasAnyRole('ROLE_USER', 'ROLE_ADMIN')")
void create(Customer customer);

Spring Framework - Security

Dmitry Noskov

XML driven authorization (1)


<bean id="methodInterceptor" class="MethodSecurityInterceptor">
<property name="authenticationManager" ref="authManager"/>
<property name="accessDecisionManager" ref="decisionManager"/>
<property name="securityMetadataSource">
<value>

org.training.AccountService.createAccount=ROLE_USER
org.training.AccountService.delete*=ROLE_ADMIN
</value>
</property>
</bean>

Spring Framework - Security

Dmitry Noskov

XML driven authorization (2)


<bean id="accountService"
class="org.training.AccountServiceImpl">
<sec:intercept-methods>
<sec:protect access="ROLE_USER" method="createAccount"/>

<sec:protect access="ROLE_ADMIN" method="delete*"/>


</sec:intercept-methods>
</bean>

Spring Framework - Security

Dmitry Noskov

Domain Object Security

Spring Framework - Security

Dmitry Noskov

ACL DB scheme

Spring Framework - Security

Dmitry Noskov

ACL_CLASS
ACL_SID
ACL_OBJECT_IDENTITY
ACL_ENTRY

Spring Framework - Security

Dmitry Noskov

Basic classes

Acl
AccessControlEntry
Permission
Sid
ObjectIdentity

represents the identity of an individual domain object

Spring Framework - Security

Dmitry Noskov

Basic ACL services

AclService
MutableAclService
LookupStrategy
ObjectIdentityRetrievalStrategy
SidRetrievalStrategy

Spring Framework - Security

Dmitry Noskov

Permissions

base permissions
read (1)
write (2)
create (4)
delete (8)
administration (16)

custom permissions

Spring Framework - Security

Dmitry Noskov

Spring Framework - Security

Dmitry Noskov

Configuration (voting)
<sec:global-method-security
access-decision-manager-ref="accessDecisionManager"
secured-annotations="enabled">
</sec:global-method-security>
<bean id="accessDecisionManager" class="AffirmativeBased">

<property name="decisionVoters">
<list>
<ref bean="voter1"/>
<ref bean="voter2"/>
</list>
</property>
</bean>
Spring Framework - Security

Dmitry Noskov

@Secured

annotation

@Secured("ACL_CUSTOMER_READ")
public Customer getProjectsByCustomer(Customer customer) {}

voter

<bean id="customerReadVoter" class="AclEntryVoter">


<constructor-arg ref="aclService"/>

<constructor-arg value="ACL_CUSTOMER_READ"/>
<constructor-arg>
<array>
<util:constant static-field="BasePermission.READ"/>
</array>

</constructor-arg>
<property name="processDomainObjectClass" value="Customer"/>
</bean>
Spring Framework - Security

Dmitry Noskov

Configuration (expressions)
<sec:global-method-security pre-post-annotations="enabled">
<sec:expression-handler ref="expressionHandler"/>
</sec:global-method-security>
<bean id="expressionHandler"

class="DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>
<bean id="permissionEvaluator" class="AclPermissionEvaluator">
<constructor-arg ref="aclService"/>
</bean>
Spring Framework - Security

Dmitry Noskov

Permission evaluator
public interface PermissionEvaluator {
boolean hasPermission(Authentication authentication,
Object targetDomainObject,
Object permission);
boolean hasPermission(Authentication authentication,
Serializable targetId,
String targetType,
Object permission);
}

Spring Framework - Security

Dmitry Noskov

@PreAuthorize

by domain object

@PreAuthorize("hasPermission(#customer, 'delete')")
public void delete(Customer customer);

by identifier

@PreAuthorize(

"hasPermission(#id, 'org.training.Customer', 'read') or " +


"hasPermission(#id, 'org.training.Customer', 'admin')")
public Customer getById(Long id);

hardcode

@PreAuthorize("#customer.owner.id == principal.id")
public void create(Customer customer);

Spring Framework - Security

Dmitry Noskov

@PreFilter

single parameter

@PreFilter("hasPermission(filterObject, 'read')")
public List<Customer> filterCustomers(List<Customer> customers) {
return customers;
}

multiple parameters

@PreFilter(filterTarget = "customers",
value = "hasPermission(filterObject, 'update')")
public void updateCustomers(List<Customer> customers, State st) {
}

Spring Framework - Security

Dmitry Noskov

Additional features

Spring Framework - Security

Dmitry Noskov

RunAsManager
/*Creates a new temporary Authentication object.*/
public interface RunAsManager {
/ *Returns a replacement Authentication object for the current
*secure object, or null if replacement not required*/
Authentication buildRunAs(Authentication authentication,

Object object,
Collection<ConfigAttribute> attr);
boolean supports(ConfigAttribute attribute);
boolean supports(Class<?> clazz);
}
Spring Framework - Security

Dmitry Noskov

RunAs configuration (1)


<bean id="runAsManager" class="RunAsManagerImpl">
<property name="rolePrefix" value="ROLE_"/>
<property name="key" value="someKey"/>
</bean>

<bean class="RunAsImplAuthenticationProvider">
<property name="key" value="someKey"/>
</bean>

Spring Framework - Security

Dmitry Noskov

RunAs configuration (2)

magic tag

<sec:global-method-security run-as-manager-ref="runAsManager">
</sec:global-method-security>

interceptor bean

<bean class="MethodSecurityInterceptor">

<property name="runAsManager" ref="runAsManager"/>


</bean>

Spring Framework - Security

Dmitry Noskov

After invocation

Spring Framework - Security

Dmitry Noskov

Basic services
public interface AfterInvocationManager {
Object decide(Authentication authentication, Object object,
Collection<ConfigAttribute> attributes,
Object returnedObject) throws AccessDeniedException;
boolean supports(ConfigAttribute attribute);
boolean supports(Class<?> clazz);
}

public interface AfterInvocationProvider {


Object decide(Authentication authentication, Object object,
Collection<ConfigAttribute> attributes,
Object returnedObject) throws AccessDeniedException;

boolean supports(ConfigAttribute attribute);


boolean supports(Class<?> clazz);
}
Spring Framework - Security

Dmitry Noskov

Configuration

custom provider

<sec:global-method-security>
<sec:after-invocation-provider ref="myProvider"/>
</sec:global-method-security>

custom manager

<bean class="MethodSecurityInterceptor">
<property name="afterInvocationManager" ref="myManager"/>
</bean>

Spring Framework - Security

Dmitry Noskov

@Post

@PostAuthorize
@PreAuthorize("hasRole('ROLE_USER')")
@PostAuthorize("hasPermission(returnObject, 'read')")
public Employee getEmployeeByName(String name) {
}

@PostFilter
@PreAuthorize("hasRole('ROLE_USER')")
@PostFilter("hasPermission(filterObject, 'read')")
public List<Employee> getEmployees() {
}

Spring Framework - Security

Dmitry Noskov

JSP tag library

Spring Framework - Security

Dmitry Noskov

Authentication
<%@ taglib prefix="sec"
uri="http://www.springframework.org/security/tags" %>
<sec:authentication property="principal" var="user"/>
<div class="links"><div>Logged in: ${user.name}</div></div>

<div class="links">
<div><sec:authentication property="principal.name"/></div>
</div>

Spring Framework - Security

Dmitry Noskov

Authorize (1)
<%@ taglib prefix="sec"
uri="http://www.springframework.org/security/tags" %>
<sec:authorize ifAllGranted="ROLE_ADMIN, ROLE_SUPERVISOR">
</sec:authorize>

<security:authorize ifAnyGranted="ROLE_ADMIN, ROLE_SUPERVISOR">


</security:authorize>
<security:authorize ifNotGranted="ROLE_ADMIN, ROLE_SUPERVISOR">
</security:authorize>

Spring Framework - Security

Dmitry Noskov

Authorize (2)
<%@ taglib prefix="sec"
uri="http://www.springframework.org/security/tags" %>
<sec:authorize access="hasRole('supervisor')">
This content will only be visible to users who have
the "supervisor" authority in their list of

<tt>GrantedAuthority</tt>s.
</sec:authorize>

Spring Framework - Security

Dmitry Noskov

Authorize (3)

JSP

<sec:authorize url="/admin" >


This content will only be visible to users who are authorized
to send requests to the "/admin" URL.
</sec:authorize>

security interceptor

<bean id="..." class="web.access.intercept.FilterSecurityInterceptor">


<property name="securityMetadataSource">
<sec:filter-security-metadata-source>
<sec:intercept-url pattern="/admin*" access="ROLE_ADMIN"/>

</sec:filter-security-metadata-source>
</property>
</bean>
Spring Framework - Security

Dmitry Noskov

ACL
<%@ taglib prefix="sec"
uri="http://www.springframework.org/security/tags" %>
<sec:accesscontrollist hasPermission="1,2" domainObject="object">
This will be shown if the user has either of the permissions

represented by the values "1" or "2" on the given object.


</sec:accesscontrollist>

Spring Framework - Security

Dmitry Noskov

Summary

Spring Framework - Security

Dmitry Noskov

Separation of concerns

business logic is decoupled from security concern


authentication and authorization are decoupled

Spring Framework - Security

Dmitry Noskov

Flexibility

authentication mechanisms

user data storage

basic, form, cookies, SSO


RDBMS, LDAP, etc.

based on Spring

Spring Framework - Security

Dmitry Noskov

Portability

portable across containers


can be deployed as-is
runs in standalone environment

Spring Framework - Security

Dmitry Noskov

Books

Spring Framework - Security

Dmitry Noskov

Links

main features
http://static.springsource.org/spring-security/site/features.html

articles
http://static.springsource.org/spring-security/site/articles.html

reference
http://static.springsource.org/springsecurity/site/docs/3.0.x/reference/springsecurity.html

blog
http://blog.springsource.com/category/security/

refcardz
http://refcardz.dzone.com/refcardz/expression-basedauthorization
Spring Framework - Security

Dmitry Noskov

Questions

Spring Framework - Core

Dmitry Noskov

The end

http://www.linkedin.com/in/noskovd
http://www.slideshare.net/analizator/presentations

You might also like