Spring Security 3.1

Book Description

This book demonstrates how to secure your Java applications from hackers using Spring Security 3.1. With plenty of handholding, it takes you step by step through every stage, accompanied by sample code and useful screenshots.

  • Learn to leverage the power of Spring Security to keep intruders at bay through simple examples that illustrate real world problems

  • Each sample demonstrates key concepts allowing you to build your knowledge of the architecture in a practical and incremental way

  • Filled with samples that clearly illustrate how to integrate with the technologies and frameworks of your choice

    In Detail

    Knowing that experienced hackers are itching to test your skills makes security one of the most difficult and high-pressure concerns of creating an application. The complexity of properly securing an application is compounded when you must also integrate this factor with existing code, new technologies, and other frameworks. Use this book to easily secure your Java application with the tried and trusted Spring Security framework, a powerful and highly customizable authentication and access-control framework.

    "Spring Security 3.1" is an incremental guide that will teach you how to protect your application from malicious users. You will learn how to cleanly integrate Spring Security into your application using the latest technologies and frameworks with the help of detailed examples.

    This book is centred on a security audit of an insecure application, followed by modifying the sample to resolve the issues found in the audit.

    The book starts by integrating a variety of authentication mechanisms. It then demonstrates how to properly restrict access to your application. It concludes with tips on integrating with some of the more popular web frameworks. It also includes an example of how Spring Security defends against session fixation, moves on to concurrency control, and shows how you can use session management for administrative functions.

    "Spring Security 3.1" will ensure that integrating with Spring Security is seamless from start to finish.

    Table of Contents

    1. Spring Security 3.1
      1. Table of Contents
      2. Spring Security 3.1
      3. Credits
      4. About the Author
      5. Acknowledgement
      6. About the Reviewers
        1. Support files, eBooks, discount offers and more
          1. Why Subscribe?
          2. Free Access for Packt account holders
      8. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      9. 1. Anatomy of an Unsafe Application
        1. Security audit
        2. About the sample application
        3. The JBCP calendar application architecture
        4. Application technology
        5. Reviewing the audit results
        6. Authentication
        7. Authorization
        8. Database credential security
        9. Sensitive information
        10. Transport-level protection
        11. Using Spring Security 3.1 to address security concerns
        12. Why Spring Security
        13. Summary
      10. 2. Getting Started with Spring Security
        1. Hello Spring Security
          1. Importing the sample application
          2. Updating your dependencies
            1. Using Spring 3.1 and Spring Security 3.1
          3. Implementing a Spring Security XML configuration file
          4. Updating your web.xml file
            1. ContextLoaderListener
            2. ContextLoaderListener versus DispatcherServlet
            3. springSecurityFilterChain
            4. DelegatingFilterProxy
            5. FilterChainProxy
          5. Running a secured application
          6. Common problems
        2. A little bit of polish
          1. Customizing login
            1. Configuring logout
            2. The page isn't redirecting properly
            3. Basic role-based authorization
            4. Expression-based authorization
            5. Conditionally displaying authentication information
            6. Customizing the behavior after login
        3. Summary
      11. 3. Custom Authentication
        1. JBCP Calendar architecture
          1. CalendarUser
          2. Event
          3. CalendarService
          4. UserContext
          5. SpringSecurityUserContext
        2. Logging in new users using SecurityContextHolder
          1. Managing users in Spring Security
          2. Logging in a new user to an application
          3. Updating SignupController
        3. Creating a custom UserDetailsService object
          1. CalendarUserDetailsService
          2. Configuring UserDetailsService
          3. Removing references to UserDetailsManager
          4. CalendarUserDetails
          5. SpringSecurityUserContext simplifications
            1. Displaying custom user attributes
        4. Creating a custom AuthenticationProvider object
          1. CalendarUserAuthenticationProvider
          2. Configuring CalendarUserAuthenticationProvider
          3. Authenticating with different parameters
            1. DomainUsernamePasswordAuthenticationToken
            2. Updating CalendarUserAuthenticationProvider
            3. Adding domain to the login page
            4. DomainUsernamePasswordAuthenticationFilter
            5. Updating our configuration
        5. Which authentication method to use
        6. Summary
      12. 4. JDBC-based Authentication
        1. Using Spring Security's default JDBC authentication
          1. Required dependencies
          2. Using the H2 database
          3. Provided JDBC scripts
          4. Configuring the H2-embedded database
          5. Configuring JDBC UserDetailsManager
          6. Spring Security's default user schema
          7. Defining users
          8. Defining user authorities
        2. UserDetailsManager
          1. What other features does UserDetailsManager provide out of the box
        3. Group-based access control
          1. Configuring group-based access control
          2. Configuring JdbcUserDetailsManager to use groups
          3. Utilize the GBAC JDBC scripts
            1. Group-based schema
            2. Group authority mappings
        4. Support for a custom schema
          1. Determining the correct JDBC SQL queries
          2. Updating the SQL scripts that are loaded
          3. CalendarUser authority SQL
          4. Insert custom authorities
          5. Configuring the JdbcUserDetailsManager to use custom SQL queries
        5. Configuring secure passwords
          1. PasswordEncoder
          2. Configuring password encoding
            1. Configuring the PasswordEncoder
            2. Making Spring Security aware of the PasswordEncoder
            3. Hashing the stored passwords
            4. Hashing a new user's passwords
          3. Not quite secure
          4. Would you like some salt with that password
            1. Using salt in Spring Security
              1. Updating the Spring Security configuration
              2. Migrating existing passwords
              3. Updating DefaultCalendarUserService
              4. Trying out the salted passwords
        6. Summary
      13. 5. LDAP Directory Services
        1. Understanding LDAP
        2. LDAP
        3. Common LDAP attribute names
        4. Updating our dependencies
        5. Configuring embedded LDAP integration
        6. Configuring an LDAP server reference
          1. Enabling the LDAP AuthenticationProvider interface
        7. Troubleshooting embedded LDAP
        8. Understanding how Spring LDAP authentication works
        9. Authenticating user credentials
          1. Demonstrating authentication with Apache Directory Studio
        10. Binding anonymously to LDAP
        11. Searching for the user
        12. Binding as a user to LDAP
        13. Determining user role membership
          1. Determining roles with Apache Directory Studio
        14. Mapping additional attributes of UserDetails
        15. Advanced LDAP configuration
        16. Sample JBCP LDAP users
          1. Password comparison versus bind authentication
        17. Configuring basic password comparison
        18. LDAP password encoding and storage
          1. The drawbacks of a password comparison authenticator
        19. Configuring UserDetailsContextMapper
          1. Implicit configuration of UserDetailsContextMapper
        20. Viewing additional user details
        21. Using an alternate password attribute
        22. Using LDAP as UserDetailsService
        23. Configuring LdapUserDetailsService
          1. Updating AccountController to use LdapUserDetailsService
        24. Integrating with an external LDAP server
        25. Explicit LDAP bean configuration
          1. Configuring an external LDAP server reference
        26. Configuring LdapAuthenticationProvider
          1. Delegating role discovery to UserDetailsService
        27. Integrating with Microsoft Active Directory via LDAP
          1. Built-In Active Directory support in Spring Security 3.1
        28. Summary
      14. 6. Remember-me Services
        1. What is remember-me
        2. Dependencies
        3. The token-based remember-me feature
          1. Configuring the token-based remember-me feature
          2. How the token-based remember-me feature works
            1. MD5
            2. Remember-me signature
          3. Token-based remember-me configuration directives
        4. Is remember-me secure
          1. Authorization rules for remember-me
        5. Persistent remember-me
          1. Using the persistent-based remember-me feature
            1. Adding SQL to create the remember-me schema
            2. Initializing the data source with the remember-me schema
            3. Configuring the persistent-based remember-me feature
          2. How does the persistent-based remember-me feature work
          3. Are database-backed persistent tokens more secure
          4. Cleaning up the expired remember-me sessions
        6. Remember-me architecture
          1. Remember-me and the user lifecycle
        7. Restricting the remember-me feature to an IP address
          1. Custom cookie and HTTP parameter names
        8. Summary
      15. 7. Client Certificate Authentication
        1. How client certificate authentication works
        2. Setting up client certificate authentication infrastructure
          1. Understanding the purpose of a public key infrastructure
          2. Creating a client certificate key pair
          3. Configuring the Tomcat trust store
          4. Importing the certificate key pair into a browser
            1. Using Firefox
            2. Using Chrome
            3. Using Internet Explorer
          5. Wrapping up testing
          6. Troubleshooting client certificate authentication
        3. Configuring client certificate authentication in Spring Security
          1. Configuring client certificate authentication using the security namespace
          2. How Spring Security uses certificate information
          3. How Spring Security certificate authentication works
            1. Handling unauthenticated requests with AuthenticationEntryPoint
            2. Supporting dual-mode authentication
        4. Configuring client certificate authentication using Spring Beans
          1. Additional capabilities of bean-based configuration
        5. Considerations when implementing Client Certificate authentication
        6. Summary
      16. 8. Opening up to OpenID
        1. The promising world of OpenID
        2. Signing up for an OpenID
        3. Enabling OpenID authentication with Spring Security
        4. Additional required dependencies
          1. Configuring OpenID support in Spring Security
          2. Adding OpenID users
          3. CalendarUserDetailsService lookup by OpenID
        5. The OpenID user registration problem
          1. How are OpenID identifiers resolved
        6. Implementing user registration with OpenID
          1. Registering OpenIDAuthenticationUserDetailsService
        7. Attribute Exchange
          1. Enabling AX in Spring Security OpenID
          2. Configuring different attributes for each OpenID Provider
        8. Usability enhancements
        9. Automatic redirection to the OpenID Provider
          1. Conditional automatic redirection
        10. Is OpenID Secure
        11. Summary
      17. 9. Single Sign-on with Central Authentication Service
        1. Introducing Central Authentication Service
          1. High-level CAS authentication flow
          2. Spring Security and CAS
          3. Required dependencies
          4. CAS installation and configuration
        2. Configuring basic CAS integration
          1. Creating the CAS ServiceProperties object
          2. Adding the CasAuthenticationEntryPoint
          3. Enabling CAS ticket verification
          4. Proving authenticity with the CasAuthenticationProvider
        3. Single logout
          1. Configuring single logout
          2. Clustered environments
        4. Proxy ticket authentication for stateless services
          1. Configuring proxy ticket authentication
          2. Using proxy tickets
          3. Authenticating proxy tickets
        5. Customizing the CAS Server
          1. CAS Maven WAR Overlay
          2. How CAS internal authentication works
          3. Configuring CAS to connect to our embedded LDAP server
        6. Getting UserDetails from a CAS assertion
          1. Returning LDAP attributes in the CAS Response
            1. Mapping LDAP attributes to CAS attributes
            2. Authorizing CAS Services to access custom attributes
          2. Getting UserDetails from a CAS assertion
            1. GrantedAuthorityFromAssertionAttributesUserDetailsService
            2. Alternative ticket authentication using SAML 1.1
          3. How is attribute retrieval useful
        7. Additional CAS capabilities
        8. Summary
      18. 10. Fine-grained Access Control
        1. Maven dependencies
        2. Spring Expression Language (SpEL) integration
          1. WebSecurityExpressionRoot
            1. Using the request attribute
            2. Using hasIpAddress
          2. MethodSecurityExpressionRoot
        3. Page-level authorization
          1. Conditional rendering with Spring Security tag library
            1. Conditional rendering based on URL access rules
            2. Conditional rendering using SpEL
          2. Using controller logic to conditionally render content
            1. WebInvocationPrivilegeEvaluator
          3. What is the best way to configure in-page authorization
        4. Method-level security
          1. Why we secure in layers
          2. Securing the business tier
            1. Adding @PreAuthorize method annotation
            2. Instructing Spring Security to use method annotations
            3. Validating method security
            4. Interface-based proxies
            5. JSR-250 compliant standardized rules
            6. Method security using Spring's @Secured annotation
            7. Method security rules using aspect-oriented programming
            8. Method security rules using bean decorators
            9. Method security rules incorporating method parameters
            10. Method security rules incorporating returned values
            11. Securing method data through role-based filtering
            12. Pre-filtering collections with @PreFilter
            13. Comparing method authorization types
          3. Practical considerations for annotation-based security
          4. Method security on Spring MVC controllers
            1. Class-based proxies
            2. Class-based proxy limitations
        5. Summary
      19. 11. Access Control Lists
        1. Using access control lists for business object security
          1. Access control lists in Spring Security
        2. Basic configuration of Spring Security ACL support
          1. Maven dependencies
          2. Defining a simple target scenario
          3. Adding ACL tables to the H2 database
          4. Configuring SecurityExpressionHandler
            1. AclPermissionCacheOptimizer
            2. PermissionEvaluator
            3. JdbcMutableAclService
            4. BasicLookupStrategy
            5. EhCacheBasedAclCache
            6. ConsoleAuditLogger
            7. AclAuthorizationStrategyImpl
          5. Creating a simple ACL entry
        3. Advanced ACL topics
          1. How permissions work
        4. Custom ACL permission declaration
          1. Enabling your JSPs with the Spring Security JSP tag library through ACL
        5. Mutable ACLs and authorization
          1. Adding ACLs to newly created Events
        6. Considerations for a typical ACL deployment
          1. About ACL scalability and performance modelling
          2. Do not discount custom development costs
        7. Should I use Spring Security ACL
        8. Summary
      20. 12. Custom Authorization
        1. How requests are authorized
          1. Configuration of access decision aggregation
        2. Configuring to use a UnanimousBased access decision manager
          1. Expression-based request authorization
        3. Customizing request authorization
          1. Dynamically defining access control to URLs
            1. JdbcRequestConfigMappingService
            2. FilterInvocationServiceSecurityMetadataSource
            3. BeanPostProcessor to extend namespace configuration
            4. Removing our <intercept-url> elements
          2. Creating a custom expression
            1. CustomWebSecurityExpressionRoot
            2. CustomWebSecurityExpressionHandler
            3. Configuring and using CustomWebSecurityExpressionHandler
          3. How does method security work
        4. Creating a custom PermissionEvaluator
          1. CalendarPermissionEvaluator
          2. Configuring CalendarPermissionEvaluator
          3. Securing our CalendarService
          4. Benefits of a custom PermissionEvaluator
        5. Summary
      21. 13. Session Management
        1. Configuring session fixation protection
          1. Understanding session fixation attacks
          2. Preventing session fixation attacks with Spring Security
          3. Simulating a session fixation attack
          4. Comparing session-fixation-protection options
        2. Restricting the number of concurrent sessions per user
          1. Configuring concurrent session control
          2. Understanding concurrent session control
          3. Testing concurrent session control
          4. Configuring expired session redirect
          5. Common problems with concurrency control
          6. Preventing authentication instead of forcing logout
          7. Other benefits of concurrent session control
            1. Displaying active sessions for a user
        3. How Spring Security uses the HttpSession
          1. HttpSessionSecurityContextRepository
          2. Configuring how Spring Security uses HttpSession
          3. Debugging with Spring Security's DebugFilter
        4. Summary
      22. 14. Integrating with Other Frameworks
        1. Integrating with Java Server Faces (JSF)
          1. Customizations to support AJAX
            1. DelegatingAuthenticationEntryPoint
            2. AjaxRequestMatcher
            3. Http401EntryPoint
            4. Configuration updates
            5. JavaScript updates
          2. Proxy-based authorization with JSF
          3. Custom login page in JSF
          4. Spring Security Facelets tag library
        2. Google Web Toolkit (GWT) integration
          1. Spring Roo and GWT
          2. Spring Security setup
          3. GwtAuthenticationEntryPoint
          4. GWT client updates
            1. AuthRequestTransport
            2. AuthRequiredEvent
            3. LoginOnAuthRequired
          5. Configuring GWT
          6. Spring Security configuration
          7. Method security
            1. Method security with Spring Roo
            2. Authorization with AspectJ
        3. Summary
      23. 15. Migration to Spring Security 3.1
        1. Migrating from Spring Security 2
        2. Enhancements in Spring Security 3
        3. Changes to configuration in Spring Security 3
          1. Rearranged AuthenticationManager configuration
          2. New configuration syntax for session management options
          3. Changes to custom filter configuration
        4. Changes to CustomAfterInvocationProvider
          1. Minor configuration changes
        5. Changes to packages and classes
        6. Updates in Spring Security 3.1
        7. Summary
      24. A. Additional Reference Material
        1. Getting started with the JBCP Calendar sample code
          1. Creating a new workspace
          2. Sample code structure
          3. Importing the samples
          4. Running the samples in Spring Tool Suite
            1. Creating a Tomcat v7.0 server
            2. Starting the samples within Spring Tool Suite
            3. Shutting down the samples within Spring Tool Suite
            4. Removing previous versions of the samples
            5. Using HTTPS within Spring Tool Suite
        2. Default URLs processed by Spring Security
        3. Logical filter names migration reference
        4. HTTPS setup in Tomcat
          1. Generating a server certificate
          2. Configuring Tomcat Connector to use SSL
        5. Basic Tomcat SSL termination guide
        6. Supplementary materials
      25. Index