Spring Security 3

Book Description

  • Make your web applications impenetrable.

  • Implement authentication and authorization of users.

  • Integrate Spring Security 3 with common external security providers.

  • Packed full with concrete, simple, and concise examples.

In Detail

Security is of critical importance to all web applications. Vulnerable applications are easy prey for hackers. This book is the perfect tool for Java developers looking to repel attacks against their web applications using the proven Spring Security library.

This is a comprehensive guide to Spring Security 3. You will learn, through real-world business scenarios, how to guard against the latest threats. You will also learn to combine Spring Security 3 with external security providers such as LDAP, OpenID, CAS, Kerberos, and Active Directory.

The book starts by giving an overview of security concepts and techniques, as well as setup and configuration. The book then gets you working with a JSP-based web application that implements a simple e-commerce website. At this point you will progressively enhance the application, giving you hands-on experience implementing features of Spring Security 3 in real-world business scenarios.

The second half of the book is devoted to common integration scenarios that you will come across every day. At this stage you will be in a position to solve specific, complex integration problems. The book ends by showing how to migrate from Spring Security 2 to 3.

This practical guide will show you how to implement Spring Security 3 and protect your applications from being breached, using a combination of real-world, straightforward examples.

Table of Contents

  1. Spring Security 3
    1. Spring Security 3
    2. Credits
    3. Foreword
    4. About the Author
    5. About the Reviewers
    6. Preface
      1. What this book covers
      2. Other notes
      3. Acknowledgements and thanks
      4. Who this book is for
      5. Conventions
      6. Reader feedback
      7. Customer support
        1. Errata
        2. Piracy
        3. Questions
    7. 1. Anatomy of an Unsafe Application
      1. Security audit
      2. About the sample application
        1. The JBCP pets application architecture
        2. Application technology
      3. Reviewing the audit results
        1. Authentication
        2. Authorization
        3. Database Credential Security
        4. Sensitive Information
        5. Transport-Level Protection
      4. Using Spring Security 3 to address security concerns
        1. Why Spring Security?
      5. Summary
    8. 2. Getting Started with Spring Security
      1. Core security concepts
        1. Authentication
        2. Authorization
      2. Securing our application in three easy steps
        1. Implementing a Spring Security XML configuration file
        2. Adding the Spring DelegatingFilterProxy to your web.xml file
        3. Adding the Spring Security XML configuration file reference to web.xml
        4. Mind the gaps!
          1. Common problems
      3. Security is complicated: The architecture of secured web requests
        1. How requests are processed?
        2. What does auto-config do behind the scenes?
        3. How users are authenticated?
          1. What is spring_security_login and how did we get here?
          2. Where do the user's credentials get validated?
          3. When good authentication goes bad?
        4. How requests are authorized?
          1. Configuration of access decision aggregation
            1. Configuring to use a UnanimousBased access decision manager
          2. Access configuration using spring expression language
      4. Summary
    9. 3. Enhancing the User Experience
      1. Customizing the login page
        1. Implementing a custom login page
          1. Implementing the login controller
          2. Adding the login JSP
          3. Configuring Spring Security to use our Spring MVC login page
      2. Understanding logout functionality
        1. Adding a Log Out link to the site header
        2. How logout works
          1. Changing the logout URL
          2. Logout configuration directives
      3. Remember me
        1. Implementing the remember me option
        2. How remember me works
          1. Remember me and the user lifecycle
          2. Remember me configuration directives
        3. Is remember me secure?
          1. Authorization rules differentiating remembered and fully authenticated sessions
          2. Building an IP-aware remember me service
            1. Extending TokenBasedRememberMeServices
            2. Configuring the custom RememberMeServices
          3. Customizing the remember me signature
      4. Implementing password change management
        1. Extending the in-memory credential store to support password change
          1. Extending InMemoryDaoImpl with InMemoryChangePasswordDaoImpl
          2. Configuring Spring Security to use InMemoryChangePasswordDaoImpl
          3. Building a change password page
          4. Adding a change password handler to AccountController
          5. Exercise notes
      5. Summary
    10. 4. Securing Credential Storage
      1. Database-backed authentication with Spring Security
        1. Configuring a database-resident authentication store
          1. Creating the default Spring Security schema
          2. Configuring the HSQL embedded database
          3. Configuring JdbcDaoImpl authentication store
          4. Adding user definitions to the schema
        2. How database-backed authentication works
        3. Implementing a custom JDBC UserDetailsService
          1. Creating a custom JDBC UserDetailsService class
          2. Adding a Spring Bean declaration for the custom UserDetailsService
        4. Out of the box JDBC-based user management
      2. Advanced configuration of JdbcDaoImpl
        1. Configuring group-based authorization
          1. Configuring JdbcDaoImpl to use groups
          2. Modifying the initial load SQL script
          3. Modifying the embedded database creation declaration
        2. Using a legacy or custom schema with database-resident authentication
          1. Determining the correct JDBC SQL queries
          2. Configuring the JdbcDaoImpl to use customSQL queries
      3. Configuring secure passwords
        1. Configuring password encoding
          1. Configuring the PasswordEncoder
          2. Configuring the AuthenticationProvider
          3. Writing the database bootstrap password encoder
          4. Configuring the bootstrap password encoder
        2. Would you like some salt with that password?
        3. Configuring a salted password
          1. Declaring the SaltSource Spring bean
          2. Wiring the PasswordEncoder to the SaltSource
          3. Augmenting DatabasePasswordSecurerBean
        4. Enhancing the change password functionality
        5. Configuring a custom salt source
          1. Extending the database schema
          2. Tweaking configuration of the CustomJdbcDaoImpl UserDetails service
          3. Overriding the baseline UserDetails implementation
          4. Extending the functionality of CustomJdbcDaoImpl
      4. Moving remember me to the database
        1. Configuring database-resident remember me tokens
          1. Adding SQL to create the remember me schema
          2. Adding new SQL script to the embedded database declaration
          3. Configuring remember me services to persist to the database
        2. Are database-backed persistent tokens more secure?
      5. Securing your site with SSL
        1. Setting up Apache Tomcat for SSL
          1. Generating a server key store
          2. Configuring Tomcat's SSL Connector
        2. Automatically securing portions of the site
          1. Secure port mapping
      6. Summary
    11. 5. Fine-Grained Access Control
      1. Re-thinking application functionality and security
        1. Planning for application security
        2. Planning user roles
        3. Planning page-level security
      2. Methods of Fine-Grained authorization
        1. Using Spring Security Tag Library to conditionally render content
          1. Conditional rendering based on URL access rules
          2. Conditional rendering based on Spring EL Expressions
          3. Conditionally rendering the Spring Security 2 way
            1. Conditional display based on absence of a role
            2. Conditional display based on any one of a list of roles
            3. Conditional display Based on all of a list of roles
            4. Using JSP Expressions
        2. Using controller logic to conditionally render content
          1. Adding conditional display of the Log In link
          2. Populating model data based on user credentials
        3. What is the best way to configure in-page authorization?
      3. Securing the business tier
        1. The basics of securing business methods
          1. Adding @PreAuthorize method annotation
          2. Instructing Spring Security to use method annotations
          3. Validating method security
        2. Several flavors of method security
          1. JSR-250 compliant standardized rules
          2. Method security using Spring's @Secured annotation
          3. Method security rules using Aspect Oriented Programming
          4. Comparing method authorization types
        3. How does method security work?
      4. Advanced method security
        1. Method security rules using bean decorators
        2. Method security rules incorporating method parameters
        3. How method parameter binding works
        4. Securing method data through Role-based filtering
          1. Adding Role-based data filtering with @PostFilter
          2. Pre-filtering collections with method @PreFilter
          3. Why use a @PreFilter at all?
        5. A fair warning about method security
      5. Summary
    12. 6. Advanced Configuration and Extension
      1. Writing a custom security filter
        1. IP filtering at the servlet filter level
          1. Writing our custom servlet filter
          2. Configuring the IP servlet filter
          3. Adding the IP servlet filter to the Spring Security filter chain
      2. Writing a custom AuthenticationProvider
        1. Implementing simple single sign-on with an AuthenticationProvider
          1. Customizing the authentication token
          2. Writing the request header processing servlet filter
          3. Writing the request header AuthenticationProvider
        2. Combining AuthenticationProviders
        3. Simulating single sign-on with request headers
        4. Considerations when writing a custom AuthenticationProvider
      3. Session management and concurrency
        1. Configuring session fixation protection
          1. Understanding session fixation attacks
          2. Preventing session fixation attacks with Spring Security
          3. Simulating a session fixation attack
          4. Comparing session-fixation-protection options
        2. Enhancing user protection with concurrent session control
          1. Configuring concurrent session control
          2. Understanding concurrent session control
          3. Testing concurrent session control
          4. Configuring expired session redirect
        3. Other benefits of concurrent session control
          1. Displaying a count of active users
          2. Displaying information about all users
      4. Understanding and configuring exception handling
        1. Configuring "Access Denied" handling
          1. Configuring an "Access Denied" destination URL
          2. Adding controller handling of AccessDeniedException
          3. Writing the Access Denied page
        2. What causes an AccessDeniedException
        3. The importance of the AuthenticationEntryPoint
      5. Configuring Spring Security infrastructure beans manually
        1. A high level overview of Spring Security bean dependencies
        2. Reconfiguring the web application
        3. Configuring a minimal Spring Security environment
          1. Configuring a minimal servlet filter set
            1. SecurityContextPersistenceFilter
            2. UsernamePasswordAuthenticationFilter
            3. AnonymousAuthenticationFilter
            4. FilterSecurityInterceptor
          2. Configuring a minimal supporting object set
      6. Advanced Spring Security bean-based configuration
        1. Adjusting factors related to session lifecycle
        2. Manual configuration of other common services
          1. Declaring remaining missing filters
          2. LogoutFilter
          3. RememberMeAuthenticationFilter
          4. ExceptionTranslationFilter
        3. Explicit configuration of the SpEL expression evaluator and Voter
        4. Bean-based configuration of method security
        5. Wrapping up explicit configuration
        6. Which type of configuration should I choose?
      7. Authentication event handling
        1. Configuring an authentication event listener
          1. Declaring required bean dependencies
          2. Building a custom application event listener
          3. Out of the box ApplicationListeners
        2. Multitudes of application events
      8. Building a custom implementation of an SpEL expression handler
      9. Summary
    13. 7. Access Control Lists
      1. Using Access Control Lists for business object security
        1. Access Control Lists in Spring Security
      2. Basic configuration of Spring Security ACL support
        1. Defining a simple target scenario
        2. Adding ACL tables to the HSQL database
        3. Configuring the Access Decision Manager
        4. Configuring supporting ACL beans
        5. Creating a simple ACL entry
      3. Advanced ACL topics
        1. How permissions work
        2. Custom ACL permission declaration
        3. ACL-Enabling your JSPs with the Spring Security JSP tag library
        4. Spring Expression Language support for ACLs
        5. Mutable ACLs and authorization
          1. Configuring a Spring transaction manager
          2. Interacting with the JdbcMutableAclService
        6. Ehcache ACL caching
          1. Configuring Ehcache ACL caching
          2. How Spring ACL uses Ehcache
      4. Considerations for a typical ACL deployment
        1. About ACL scalability and performance modelling
        2. Do not discount custom development costs
        3. Should I use Spring Security ACL?
      5. Summary
    14. 8. Opening up to OpenID
      1. The promising world of OpenID
        1. Signing up for an OpenID
      2. Enabling OpenID authentication with Spring Security
        1. Writing an OpenID login form
        2. Configuring OpenID support in Spring Security
        3. Adding OpenID users
      3. The OpenID user registration problem
        1. How OpenID identifiers are resolved
        2. Implementing user registration with OpenID
          1. Adding the OpenID registration option
          2. Differentiating between a login and registration request
          3. Configuring a custom authentication failure handler
          4. Adding the OpenID registration functionality to the controller
      4. Attribute Exchange
        1. Enabling AX in Spring Security OpenID
        2. Real-world AX support and limitations
        3. Google OpenID support
      5. Is OpenID secure?
      6. Summary
    15. 9. LDAP Directory Services
      1. Understanding LDAP
        1. LDAP
        2. Common LDAP attribute names
        3. Running an embedded LDAP server
      2. Configuring basic LDAP integration
        1. Configuring an LDAP server reference
        2. Enabling the LDAP AuthenticationProvider
        3. Troubleshooting embedded LDAP
      3. Understanding how Spring LDAP authentication works
        1. Authenticating user credentials
        2. Determining user role membership
        3. Mapping additional attributes of UserDetails
      4. Advanced LDAP configuration
        1. Sample JBCP LDAP users
        2. Password comparison versus Bind authentication
          1. Configuring basic password comparison
          2. LDAP password encoding and storage
          3. The drawbacks of a Password Comparison Authenticator
        3. Configuring the UserDetailsContextMapper
          1. Implicit configuration of a UserDetailsContextMapper
          2. Viewing additional user details
        4. Using an alternate password attribute
        5. Using LDAP as a UserDetailsService
          1. Notes about remember me with an LDAP UserDetailsService
          2. Configuration for an In-Memory remember me service
      5. Integrating with an external LDAP server
      6. Explicit LDAP bean configuration
        1. Configuring an external LDAP server reference
        2. Configuring an LdapAuthenticationProvider
        3. Integrating with Microsoft Active Directory via LDAP
        4. Delegating role discovery to a UserDetailsService
      7. Summary
    16. 10. Single Sign On with Central Authentication Service
      1. Introducing Central Authentication Service
        1. High level CAS authentication flow
        2. Spring Security and CAS
        3. CAS installation and configuration
      2. Configuring basic CAS integration
        1. Adding the CasAuthenticationEntryPoint
        2. Enabling CAS ticket verification
        3. Proving authenticity with the CasAuthenticationProvider
      3. Advanced CAS configuration
        1. Retrieval of attributes from CAS assertion
          1. How CAS internal authentication works
          2. Configuring CAS to connect to our embedded LDAP server
          3. Getting UserDetails from a CAS assertion
          4. Examining the CAS assertion
          5. Mapping LDAP attributes to CAS attributes
          6. Finally, returning the attributes in the CAS assertion
          7. Alternative Ticket authentication using SAML 1.1
        2. How is Attribute Retrieval useful?
        3. Additional CAS capabilities
      4. Summary
    17. 11. Client Certificate Authentication
      1. How Client Certificate authentication works
      2. Setting up a Client Certificate authentication infrastructure
        1. Understanding the purpose of a public key infrastructure
        2. Creating a client certificate key pair
        3. Configuring the Tomcat trust store
        4. Importing the certificate key pair into a browser
          1. Using Firefox
          2. Using Internet Explorer
        5. Wrapping up testing
        6. Troubleshooting Client Certificate authentication
      3. Configuring Client Certificate authentication in Spring Security
        1. Configuring Client Certificate authentication using the security namespace
        2. How Spring Security uses certificate information
        3. How Spring Security certificate authentication works
        4. Other loose ends
        5. Supporting Dual-Mode authentication
      4. Configuring Client Certificate authentication using Spring Beans
        1. Additional capabilities of bean-based configuration
      5. Considerations when implementing Client Certificate authentication
      6. Summary
    18. 12. Spring Security Extensions
      1. Spring Security Extensions
      2. A primer on Kerberos and SPNEGO authentication
      3. Kerberos authentication in Spring Security
        1. Overall Kerberos Spring Security authentication flow
        2. Getting prepared
          1. Assumptions for our examples
          2. Creating a keytab file
        3. Configuring Kerberos-related Spring beans
        4. Wiring SPNEGO beans to the security namespace
        5. Adding the Application Server machine to a Kerberos realm
        6. Special considerations for Firefox users
        7. Troubleshooting
          1. Verifying connectivity with standard tools
          2. Enabling Java GSS-API debugging
          3. Other troubleshooting steps
      4. Configuring LDAP UserDetailsService with Kerberos
      5. Using form login with Kerberos
      6. Summary
    19. 13. Migration to Spring Security 3
      1. Migrating from Spring Security 2
      2. Enhancements in Spring Security 3
      3. Changes to configuration in Spring Security 3
        1. Rearranged AuthenticationManager configuration
        2. New configuration syntax for session management options
        3. Changes to custom filter configuration
        4. Changes to CustomAfterInvocationProvider
        5. Minor configuration changes
      4. Changes to packages and classes
      5. Summary
    20. A. Additional Reference Material
      1. Getting started with JBCP Pets sample code
      2. Available application events
      3. Spring Security virtual URLs
      4. Method security explicit bean configuration
      5. Logical filter names migration reference