Security
Last updated
Was this helpful?
Last updated
Was this helpful?
. All OAuth 2.0 Client and Resource Server features implemented by Spring. The matrix may be used to determine which project to use based on your OAuth 2.0 Client and Resource Server requirements.
Authentication. It is how we verify the identity of who is trying to access a particular resource. A common way to authenticate users is by requiring the user to enter a username and password. Once authentication is performed we know the identity and can perform authorization.
Password storage.
PasswordEncoder
is used to perform one way password transformation to store it securely (DelegatingPasswordEncoder)
Cross Site Request Forgery (CSRF). The reason that a CSRF attack is possible is that the HTTP request from the victim’s website and the request from the attacker’s website are exactly the same. This means there is no way to reject requests coming from the evil website and allow requests coming from the bank’s website. To protect against CSRF attacks we need to ensure there is something in the request that the evil site is unable to provide so we can differentiate the two requests.
When should you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
Security HTTP Response Headers.
Default Security HTTP Response Headers
Spring provides Filter
implementation named DelegatingFilterProxy
which is a bridge for Servlet container lifecycle and Spring ApplicationContext.
DelegatingFilterProxy
can be registered via standard Servlet container mechanism, but delegate all the work to a Spring Bean that implements Filter
FilterChainProxy is a special Filter provided by Spring Security that allows delegating to many Filter instances through SecurityFilterChain.
FilterChainProxy is a starting point for all of Spring Security Servlet support.
FilterChainProxy clears SecurityContext to avoid memory leaks
FilterChainProxy can be used to determine which SecurityFilterChain should be used.
ExceptionTranslationFilter invokes FilterChain.doFilter(request, response) to invoke the rest of application
3. If (AccessDeniedException) => AccessDeniedHandler.handleAccessDenied();
SecurityContextHolder uses ThreadLocal to store details.
ProviderManager is the most commonly user implementation of AuthenticationManager.
each AuthenticationProvider knows how to perform a specific type of authentication.
e.g. one is able to validate username/password
another is able to validate SAML assertion
In fact, multiple ProviderManager instances might share the same parent AuthenticationManager. Common for scenarios where there are multiple SecurityFilterChain instances that have some authentication in common.
By default ProviderManager will clear any sensitive credentials info from Authentication object which is returned by a successful authentication request.
Used to send an HTTP response that requests credentials from a client.
Based on subclass of AbstractAuthenticationProcessingFilter certain type of Authentication is created. E.g. for UserPasswordAuthenticationFilter UserPasswordAuthenticationToken is created from username and password from HttpServletRequest.
Authentication is passed to AuthenticationManager.
Reading username and password from HttpServletRequest
FormLogin
Basic Authentication
Digest Authentication
Storage mechanisms
Simple (in-memory)
Relational DB (JDBC Authentication)
Custom data stores with UserDetailService
LDAP storage with LDAP Authentication
When the username and password submitted:
When a client receives WWW-Authenticate header it knows it should retry with a username and password.
JdbcUserDetailsManager extends JdbcDaoImpl (which implements UserDetailsService)
There is a support for groups.
Did not have a look
FilterInvocationSecurityMetadataSource
by default ExpressionBasedFilterInvocationSecurityMetadataSource is used
AccessDecisionManager
How is it glued to Filters => AbstractSecurityInterceptor. Subclasses
FilterSecurityInterceptor
This is about cache control header. Cache-Control.
This is about man-in-the-middle attack. HsTsHeaderWriter
Header which helps to protect: X-XSS-Protection: 1; mode=block
mode block means block the rendering
X-Content-Type-Options: nosniff
@RolesAllowed("ROLE_somerole")
@Secured("ROLE_somerole")
@PreAuthorize("hasRole('ADMIN')")
check happens before method is invoked
Spring expression language is used
@PostAuthorize("@authz.check(returnObject, principal?.user) ")
see CommonOAuth2Provider.java ClientRegistrationRepository.java OAuth2AuthorizationRequestRedirectFilter.java OAuth2LoginAuthenticationFilter.java OAuth2LoginAuthenticationProvider.java
FilterChainProxy is a great place to start debugging
This is a heart of Spring Security authentication model.
You should not use Digest Authentication in modern applications because it is not considered secure. The most obvious problem is that you must store your passwords in plaintext, encrypted, or an MD5 format. All of these storage formats are considered insecure. Instead, you should store credentials using a one way adaptive password hash (i.e. bCrypt, PBKDF2, SCrypt, etc) which is not supported by Digest Authentication.
InMemoryUserDetailsManager
implements .
The default schema is also exposed as a classpath resource named org/springframework/security/core/userdetails/jdbc/users.ddl
.
uses UserDetailsService to retrieve UserDetails. DaoAuthenticationProvider validates UserDetails and returns Authentication with proper principal.
Do not forget to prefix roles with ROLE_