Spring Security 3.x Cookbook

Spring Security 3.x Cookbook

By : Anjana Mankale

Buy this Book

Spring Security 3.x Cookbook

By: Anjana Mankale

Buy this Book

Overview of this book

Web applications are exposed to a variety of threats and vulnerabilities at the authentication, authorization, service, and domain object levels. Spring Security can help secure these applications against those threats. Spring Security is a popular application security solution for Java applications. It is widely used to secure standalone web applications, portlets, and increasingly REST applications. It is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications and it is currently used to secure numerous demanding environments including government agencies, military applications, and central banks. "Spring Security 3.x Cookbook" is a repository of recipes to help you successfully secure web applications against threats and vulnerabilities at the authentication and session level layers using the Spring Security framework. We will not only explore Spring-based web applications, but also Java-based and Grails-based applications that can use Spring Security as their security framework. Apart from conventional web applications, we will also look at securing portlets, RESTful web service applications, and other non-web applications. This book will also take you through how to integrate Spring Security with other popular web frameworks/technologies such as Vaadin, EJB, and GWT. In addition to testing and debugging the implemented security measures, this book will also delve into finer aspects of Spring Security implementation such as how it deals with concurrency, multitenancy, and customization, and we will even show you how to disable it. This book gives you an overview of Spring Security and its implementation with various frameworks. It starts with container-based authentication before taking you on a tour of the main features of Spring Security. It demonstrates security concepts like BASIC, FORM, and DIGEST authentication and shows you how to integrate the Spring Security framework with various frameworks like JSF, struts2, Vaadin, and more. The book also demonstrates how to utilize container managed security without JAAS. Then, we move on to setting up a struts2 application before showing you how to integrate Spring Security with other frameworks like JSF, Groovy, Wicket, GWT, and Vaadin respectively. This book will serve as a highly practical guide and will give you confidence when it comes to applying security to your applications. It's packed with simple examples which show off each concept of Spring Security and which help you learn how it can be integrated with various frameworks.

Spring Security 3.x Cookbook

Credits

About the Author

About the Reviewers

www.PacktPub.com

Preface

Free Chapter

Basic Security

Introduction

JAAS-based security authentication on JSPs

JAAS-based security authentication on servlet

Container-based basic authentication on servlet

Form-based authentication on servlet

Form-based authentication with open LDAP and servlet

Hashing/Digest authentication on servlet

Basic authentication for JAX-WS and JAX-RS

Enabling and disabling the file listing

Spring Security with Struts 2

Introduction

Integrating Struts 2 with Spring Security

Struts 2 application with basic Spring Security

Using Struts 2 with digest/hashing-based Spring Security

Using Spring Security logout with Struts 2

Authenticating databases with Struts 2 and Spring Security

Getting the logged-in user info in Struts 2 with Spring Security

Displaying custom error messages in Struts 2 for authentication failure

Authenticating with ApacheDS with Spring Security and Struts 2 application

Spring Security with JSF

Introduction

Integrating JSF with Spring Security

JSF with form-based Spring Security

JSF and form-based authentication using Spring Security to display logged-in user

Using JSF with digest/hashing-based Spring Security

Logging out with JSF using Spring Security

Authenticating database with Spring Security and JSF

ApacheDS authentication with JSF and Spring Security

Authentication error message with JSF and Spring Security

Spring Security with Grails

Introduction

Spring Security authentication with Groovy Grails setup

Spring Security with Grails to secure Grails controller

Spring Security authentication with Groovy Grails logout scenario

Spring Security with Groovy Grails Basic authentication

Spring Security with Groovy Grails Digest authentication

Spring Security with Groovy Grails multiple authentication

Spring Security with Groovy Grails LDAP authentication

Spring Security with GWT

Introduction

Spring Security with GWT authentication using Spring Security Beans

Form-based authentication with GWT and Spring Security

Basic authentication with GWT and Spring Security

Digest authentication with GWT and Spring Security

Database authentication with GWT and Spring Security

LDAP authentication with GWT and Spring Security

Spring Security with Vaadin

Introduction

Spring Security with Vaadin – basic authentication

Spring Security with Vaadin – Spring form-based authentication

Spring Security with Vaadin – customized JSP form-based authentication

Spring Security with Vaadin – using Vaadin form

Spring Security with Wicket

Introduction

Spring Security with Wicket – basic database authentication

Spring Security with Wicket – Spring form-based database authentication

Spring Security with Wicket – customized JSP form-based database authentication

Spring authentication with Wicket authorization

Multitenancy using Wicket and Spring Security

Spring Security with ORM and NoSQL DB

Introduction

Spring Security with Hibernate using @preAuthorize annotation

Spring Security with Hibernate using authentication provider with @preAuthorize annotation

Spring Security with Hibernate using UserDetailsService with Derby database

Spring Security with MongoDB

Spring Security with Spring Social

Introduction

Spring Security with Spring Social to access Facebook

Spring Security with Spring Social to access Twitter

Spring Security with multiple authentication providers

Spring Security with OAuth

Spring Security with Spring Web Services

Introduction

Applying Spring Security on RESTful web services

Spring Security for Spring RESTful web service using the cURL tool

Integrating Spring Security with Apache CXF RESTful web service

Integrating Spring Security with Apache CXF SOAP based web service

Integrating Spring Security with Apache Camel

Hashing/Digest authentication on servlet

In the previous authentication mechanisms, the client sends the user credentials and the container validates.

The client doesn't attempt to encrypt the password.

So, our application is still not safe and is vulnerable to attacks.

This section is about passing an encrypted user credential to the server and telling the server which encryption algorithm can be used to decrypt the data.

JBoss is the application server that I have chosen to demonstrate it.

Getting ready

Modify Login-config.xml
Create encrypt-users. properties
Create encrypt-roles. properties

How to do it....

Modify the web.xml file:

<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>PACKTSecurity</realm-name>
</login-config>

Now, modify the jboss-web.xml file. The realm name is used for hashing:

<?xml version="1.0" encoding="UTF-8"?>
<!-- <jboss-web> -->
<!-- <security-domain>java:/jaas/other</security-domain> -->
<!-- </jboss-web> -->
<jboss-web>
<security-domain>java:/jaas/encryptme</security-domain>
</jboss-web>

Modify the login-config.xml file

<application-policy name="encryptme">
    <!--this is used to demonstrate DIGEST Authentication
    -->
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
        flag="required"/>
    <module-option name="usersProperties">encrypt-users.properties</module-option>
    <module-option name="rolesProperties">encrypt-roles.properties</module-option>
    <module-option name="hashAlgorithm">MD5</module-option>
    <module-option name="hashEncoding">rfc2617</module-option>
    <module-option name="hashUserPassword">false</module-option>
    <module-option name="hashStorePassword">true</module-option>
    <module-option name="passwordIsA1Hash">true</module-option>
   <module-option name="storeDigestCallback">
                org.jboss.security.auth.spi.RFC2617Digest
    </module-option>	
    </authentication>
  </application-policy>

Now, we need to tell JBoss to encrypt the user's password. To do that perform the following steps:
- Go to E:\JBOSS5.1\jboss-5.1.0.GA\common\lib
- Open jbosssx-server.jar
- Go to the folder where JBoss is installed. I have installed JBoss on my E:
- Now on the command line, write cd E:\JBOSS5.1\jboss-5.1.0.GA>
- And then paste the following command: java -cp client/jboss-logging-spi.jar;common/lib/jbosssx-server.jar org.jboss.security.auth.spi.RFC2617Digest anjana "PACKTSecurity" role1
- Now edit Encrypt-users. properties:
```
anjana=e3b6b01ec4b0bdd3fc1ff24d0ccabf1f
```
- Encrypt roles and update roles.properties

How it works...

The previous example demonstrates the digest authentication mechanism. The password given in the J2EE container is encrypted using the MD5 algorithm. The container decrypts it and verifies the user credentials against the decrypted password. The authentication mechanism is digest and the container pops up a login dialog box for the digest mechanism similar to the basic authentication mechanism.

The following screenshot shows the workflow:

It behaves like basic authentication, but uses the encrypted password along with the realm name to decrypt.

Spring Security 3.x Cookbook

By : Anjana Mankale

Spring Security 3.x Cookbook

By: Anjana Mankale

Overview of this book

Related Content you might be interested in

Current Title:

Spring Security 3.x Cookbook

Hashing/Digest authentication on servlet

Getting ready

How to do it....

How it works...

See also