
Spring Security Essentials

By : Nanda Nachimuthu

Overview of this book

Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is how easily it can be extended to meet custom requirements. The popularity of the Spring Framework is increasing, and its security package covers a broad range of security mechanisms in depth. With an increasing number of applications for various business needs, the integration of multiple applications is becoming inevitable. The standard security procedures available across multiple implementations in Spring will protect vulnerable applications that are open to larger public and private audiences.

Spring Security Essentials focuses on the need to master the security layer, an area not often explored by Spring developers.

At the beginning, we'll introduce various industry-standard security mechanisms and practical ways to integrate with them. We will also teach you about some up-to-date use cases such as building a security layer for RESTful web services and applications.

The IDEs used and the security servers involved are briefly explained, including the steps to install them. Many sample projects are also provided to help you practice your newly developed skills. Step-by-step instructions will help you master the integration of the security layer with the server, so that you can then apply the experience gained from this book in your own real-world application.

Chapter 1. Getting Started with Spring Security

When we talk about enterprise security, three major areas play the leading role: authentication, authorization, and access control lists (ACLs). The Spring Framework 4.0.3 has a seven-layered architecture that includes a core container, context, Aspect-Oriented Programming (AOP), Data Access Object (DAO), Object-relational mapping (ORM), Web, and Model-View-Controller (MVC). To provide security features to all these layers, we have the Spring Security 3.2.3 module, which provides facilities such as user authentication and authorization, role-based authorization, database-backed user and role stores, password hashing (through its PasswordEncoder implementations; passwords are stored as salted hashes, not reversibly encrypted), and others.

In general, Spring developers focus on these seven layers when developing web applications, and most of them never master the security mechanisms that apply to each layer and each implementation, because they typically call into abstract components in which the security behavior is already built.

Spring Security 3.2.3 supports various authentication approaches for the different industry-standard connectivity options of Java EE-based enterprise applications. Many people use Spring Security only within the layers covered by Java EE's Servlet Specification and Enterprise Java Beans (EJB) Specification, which limits the use of proper Spring Security implementations; as a result, many enterprise security scenarios are left unattended. Authentication is the process of verifying the credentials a user presents and, on success, creating a principal that represents that user in the enterprise system. Authorization then decides what the principal may do: role-based access privileges are looked up in a predefined role store, from which the core system reads the access rights granted to the given principal. The advanced techniques of the Spring Security mechanisms are as follows:

  • Custom user realms

  • Custom authorization constraints

  • Method-based authorization

  • Instance-based authorization

  • Building a security layer for RESTful web services
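As an added example (not code from the book), the following Java configuration shows the three pieces described above in Spring Security's Java-config style: authentication against a user store with BCrypt-hashed passwords, role-based URL authorization, and method-based authorization with @PreAuthorize. It assumes Spring Security 3.2 or later with Spring MVC on the classpath and component scanning of this package; the user names, demo passwords, URL patterns and the ReportService class are constructed for illustration and are not part of the book.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize / @PostAuthorize
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // BCrypt with work factor 12: each guess costs ~2^12 rounds, which slows
    // offline cracking if the hash store ever leaks. Hashes carry their own salt.
    private final PasswordEncoder encoder = new BCryptPasswordEncoder(12);

    // Authentication: establishes the principal from the presented credentials.
    // Passwords are compared against hashes; the clear text is never stored.
    // These are constructed demo users; a real deployment loads hashes from
    // a JDBC or LDAP user store instead of an in-memory one.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("alice").password(encoder.encode("alice-demo-pw")).roles("USER")
            .and()
            .withUser("admin").password(encoder.encode("admin-demo-pw")).roles("USER", "ADMIN");
        // roles("ADMIN") stores the authority as ROLE_ADMIN.
    }

    // Authorization: what the authenticated principal may reach by URL.
    // Rules are evaluated top-down, so specific patterns come first and
    // anyRequest() must be last.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN") // hasRole() adds ROLE_ here
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .logout();
        // Deliberately no http.csrf().disable(): CSRF protection and the
        // default security response headers are enabled and stay enabled.
    }
}

// Method-based authorization: enforced at the service layer, so the rule
// holds no matter which controller, URL or remote call reaches this method.
@Service
class ReportService {

    // Written with the ROLE_ prefix so the expression behaves the same on
    // Spring Security 3.2 (no automatic prefix in SpEL) and 4.x (prefix added).
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public boolean deleteReport(long reportId) {
        // Assumed deletion logic; the access check runs before this body.
        return true;
    }

    @PreAuthorize("isAuthenticated()")
    public String viewReport(long reportId) {
        return "report-" + reportId;
    }
}
```

Two points worth checking in your own configuration: the ordering of `antMatchers` rules, since a `permitAll()` placed after a broader `authenticated()` pattern is unreachable, and the `ROLE_` prefix, because `roles()` and the URL-level `hasRole()` add it for you while the SpEL `hasRole()` in `@PreAuthorize` only does so from Spring Security 4.0 onward.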

The following modules of Spring Security 3.2.3 support the implementation of enterprise security:

  • Spring Security Core

  • Spring Security Remoting

  • Spring Security Web

  • Spring Security Config

  • Spring Security LDAP

  • Spring Security ACL

  • Spring Security CAS

  • Spring Security OpenID

Additionally, we will cover specific technologies such as JavaServer Faces (JSF) 2.0, Wicket, and Java Authentication and Authorization Service (JAAS). The following are the new security features provided in Spring Security 4.0, which we will talk about later:

  • WebSocket support

  • Test support

  • Spring Data integration

  • Cross-Site Request Forgery (CSRF) token argument resolver

  • Secure defaults

Most of these authentication mechanisms come from third parties or are defined by standards bodies such as the Internet Engineering Task Force (IETF). Spring Security also has its own authentication features that are useful for establishing secure connections with third-party request headers, protocols, and single sign-on systems. We will describe each system and mechanism in detail in the following chapters.