Book Image

Spring Security - Third Edition

By : Mick Knutson, Peter Mularien, ROBERT WILLIAM WINCH
Book Image

Spring Security - Third Edition

By: Mick Knutson, Peter Mularien, ROBERT WILLIAM WINCH

Overview of this book

Knowing that experienced hackers are itching to test your skills makes security one of the most difficult and high-pressured concerns of creating an application. The complexity of properly securing an application is compounded when you must also integrate this factor with existing code, new technologies, and other frameworks. Use this book to easily secure your Java application with the tried and trusted Spring Security framework, a powerful and highly customizable authentication and access-control framework. The book starts by integrating a variety of authentication mechanisms. It then demonstrates how to properly restrict access to your application. It also covers tips on integrating with some of the more popular web frameworks. An example of how Spring Security defends against session fixation, moves into concurrency control, and how you can utilize session management for administrative functions is also included. It concludes with advanced security scenarios for RESTful webservices and microservices, detailing the issues surrounding stateless authentication, and demonstrates a concise, step-by-step approach to solving those issues. And, by the end of the book, readers can rest assured that integrating version 4.2 of Spring Security will be a seamless endeavor from start to finish.

Related Content you might be interested in

Current Title:

Small book image
Spring Security - Third Edition
Mick Knutson | Peter Mularien | ROBERT WILLIAM WINCH
Nov, 2017 | 542 pages
Small book image
Hands-On Spring Security 5 for Reactive Applications
Tomcy John
Jul, 2018 | 268 pages
Small book image
OAuth 2.0 Cookbook
Adolfo Eloy Nascimento
Oct, 2017 | 420 pages
Small book image
Spring 5.0 Projects
Nilang Patel
Feb, 2019 | 442 pages
Table of Contents (19 chapters)
Preface
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Free Chapter
1
Anatomy of an Unsafe Application
Anatomy of an Unsafe Application
Security audit
Application technology
Authentication
Authorization
Summary
2
Getting Started with Spring Security
Getting Started with Spring Security
Hello Spring Security
A little bit of polish
Summary
3
Custom Authentication
Custom Authentication
JBCP calendar architecture
Logging in new users using SecurityContextHolder
Creating a custom UserDetailsService object
Creating a custom AuthenticationProvider object
Which authentication method to use?
Summary
4
JDBC-Based Authentication
JDBC-Based Authentication
Required dependencies
Using the H2 database
The default user schema of Spring Security
The UserDetailsManager interface
Support for a custom schema
Configuring secure passwords
The PasswordEncoder method
Using salt in Spring Security
Trying out the salted passwords
Summary
5
Authentication with Spring Data
Authentication with Spring Data
Spring Data JPA
Refactoring from SQL to ORM
Application services
The UserDetailsService object
Document database implementation with MongoDB
Summary
6
LDAP Directory Services
LDAP Directory Services
Understanding LDAP
Understanding how Spring LDAP authentication works
Determining roles with Apache Directory Studio
Configuring the UserDetailsContextMapper object
Updating AccountController to use LdapUserDetailsService
Explicit LDAP bean configuration
Integrating with Microsoft Active Directory via LDAP
Summary
7
Remember-Me Services
Remember-Me Services
What is remember-me?
MD5
Is remember-me secure?
Configuring the persistent-based remember-me feature
The remember-me architecture
Custom cookie and HTTP parameter names
Summary
8
Client Certificate Authentication with TLS
Client Certificate Authentication with TLS
How does client certificate authentication work?
Configuring client certificate authentication using Spring beans
Summary
9
Opening up to OAuth 2
Opening up to OAuth 2
The promising world of OAuth 2
Configuring OAuth 2 support in Spring Security
Executing the OAuth 2 provider connection workflow
Additional OAuth 2 providers
Is OAuth 2 secure?
10
Single Sign-On with the Central Authentication Service
Single Sign-On with the Central Authentication Service
Introducing the Central Authentication Service
High-level CAS authentication flow
Spring Security and CAS
Configuring basic CAS integration
Single logout
Clustered environments
Using proxy tickets
Customizing the CAS server
Getting the UserDetails object from a CAS assertion
Additional CAS capabilities
Summary
11
Fine-Grained Access Control
Fine-Grained Access Control
Gradle dependencies
Conditional rendering with the Thymeleaf Spring Security tag library
Interface-based proxies
JSR-250 compliant standardized rules
Summary
12
Access Control Lists
Access Control Lists
The conceptual module of ACL
Access control lists in Spring Security
Basic configuration of Spring Security ACL support
Summary
13
Custom Authorization
Custom Authorization
Authorizing the requests
Dynamically defining access control to URLs
Creating a custom expression
Summary
14
Session Management
Session Management
Configuring session fixation protection
Restricting the number of concurrent sessions per user
Configuring expired session redirect
Common problems with concurrency control
Other benefits of concurrent session control
Displaying active sessions for a user
Summary
15
Additional Spring Security Features
Additional Spring Security Features
Security vulnerabilities
Cross-Site Scripting
Cross-Site Request Forgery
Security HTTP response headers
Summary
16
Migration to Spring Security 4.2
Migration to Spring Security 4.2
Introduction
Sample migration
Deprecations
Summary
17
Microservice Security with OAuth 2 and JSON Web Tokens
Microservice Security with OAuth 2 and JSON Web Tokens
What are microservices?
Service-oriented architectures
Microservice security
The OAuth 2 specification
JSON Web Tokens
OAuth 2 support in Spring Security
Microservices client
Summary
18
Additional Reference Material
Additional Reference Material
Getting started with the JBCP calendar sample code

Trying out the salted passwords

Start up the application and try creating another user with the password user1. Use the H2 console to compare the new user's password, and observe that they are different.

Your code should now look like this: calendar04.05-calendar.

Spring Security now generates a random salt and combines this with the password before hashing our password. It then adds the random salt to the beginning of the password in plaintext, so that passwords can be checked. The stored password can be summarized as follows:

    salt = randomsalt()
    hash = hash(salt+originalPassword)
    storedPassword = salt + hash

This is the pseudocode for hashing a newly created password.

To authenticate a user, salt and hash can be extracted from the stored password, since both salt and hash are fixed lengths. Then, the extracted hash can be compared against a new hash, computed...

Previous Section
End of Section 10
Next Section