Spring Security

The Spring Security namespace configuration has two main parts:

  • Web Application Security (<http>) – defines which URLs are protected and what each one requires
  • Authentication Services – defines the beans used to authenticate users

Web Application Security (<http>)
Once web.xml registers the springSecurityFilterChain (a DelegatingFilterProxy), the <http> element secures web resources, for example:

  <http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER" />
  </http>
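A fuller <http> block, added here as an example (it is not from the original post or the Spring reference), showing the one rule that bites most often: intercept-url patterns are evaluated top to bottom and the first match decides access. The paths /login, /admin/** and /logout are assumptions.

```xml
<http>
  <!-- First matching pattern wins, so specific patterns go first and the
       catch-all /** goes last. Declared first, /** would match every
       request, the /admin/** rule would never be consulted, and any
       ROLE_USER could reach the admin area. -->
  <intercept-url pattern="/login*"   access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
  <intercept-url pattern="/**"       access="ROLE_USER" />

  <!-- The login page must be reachable without authentication; otherwise
       the redirect to it is itself rejected and the browser loops. -->
  <form-login login-page="/login"
              authentication-failure-url="/login?error=1"
              default-target-url="/" />
  <logout logout-url="/logout"
          logout-success-url="/login"
          invalidate-session="true" />
</http>
```

Writing form-login and logout explicitly, instead of relying on auto-config="true", also makes it visible that HTTP Basic is not enabled; auto-config switches on form login, HTTP Basic and logout together.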

Authentication Services
Next we need an <authentication-manager> element with one or more nested <authentication-provider> elements. A basic example is:

<authentication-manager>
  <authentication-provider>
    <jdbc-user-service data-source-ref="securityDataSource"/>
  </authentication-provider>
</authentication-manager>

AuthenticationProvider is an interface with two methods, authenticate() and supports(). By default <authentication-provider> creates a DaoAuthenticationProvider, which loads the user's details from a UserDetailsService and compares the submitted credentials with them. UserDetailsService is itself an interface; <jdbc-user-service> supplies the JDBC implementation (JdbcDaoImpl) and requires a data-source-ref pointing at a database that contains Spring Security's conventional user tables.

Database Schema

users
------------
username (PK)
password 
enabled 

authorities 
------------
username
authority
fk_authorities_users (FK to users.username)

With no further attributes, <jdbc-user-service> creates a JdbcDaoImpl that runs the default queries against these conventional tables (the reference schema also puts a unique index on authorities(username, authority)). To load users from your own tables, either set the users-by-username-query and authorities-by-username-query attributes on <jdbc-user-service> or configure a JdbcDaoImpl bean directly; in both cases the queries must return the columns in the conventional order, because JdbcDaoImpl reads them by position.

In-Memory
Another useful setup, for development and tests, is the in-memory store that <user-service> creates (InMemoryDaoImpl). Its passwords sit in the configuration file exactly as written, so keep it out of production:

<authentication-manager>
  <authentication-provider>
    <user-service>
      <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
      <user name="bob" password="bobspassword" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>
</authentication-manager>

Password Encryption
Passwords should never be stored in plain text, and not encrypted either: store a salted, adaptive one-way hash and compare the submitted password against it. Spring Security 3.1 and later ship BCryptPasswordEncoder (in spring-security-crypto), which generates the salt itself and embeds it in the stored value:

<beans:bean id="bcryptEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<authentication-manager>
  <authentication-provider>
    <password-encoder ref="bcryptEncoder"/>
    ...
  </authentication-provider>
</authentication-manager>
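The two pieces above wired together, as an added example that is not from the original post: a BCrypt encoder in front of a <jdbc-user-service> that reads custom tables with the query attributes mentioned in the Database Schema section. The table and column names (app_user, role, app_user_role, email, password_hash, active) are assumptions.

```xml
<beans:bean id="bcryptEncoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<authentication-manager>
  <authentication-provider>
    <!-- Stored values must be BCrypt hashes produced by
         BCryptPasswordEncoder.encode(); matches() compares the submitted
         password with the hash and never reverses it. -->
    <password-encoder ref="bcryptEncoder" />

    <!-- JdbcDaoImpl reads result columns by position, so each query must
         return the same columns in the conventional order:
         (username, password, enabled) and (username, authority).
         The third column of the first query is read as a boolean. -->
    <jdbc-user-service data-source-ref="securityDataSource"
        role-prefix="ROLE_"
        users-by-username-query=
          "select email, password_hash, active
             from app_user
            where email = ?"
        authorities-by-username-query=
          "select u.email, r.name
             from app_user u
             join app_user_role ur on ur.user_id = u.id
             join role r on r.id = ur.role_id
            where u.email = ?" />
  </authentication-provider>
</authentication-manager>
```

role-prefix="ROLE_" is there because the assumed role table stores bare names such as ADMIN; the default RoleVoter only counts authorities that begin with ROLE_, so without the prefix (either stored in the table or added here) every intercept-url check would deny access.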

UML Diagram
I created the following UML diagram to help me understand the relationships between the Spring Security classes: https://drive.google.com/file/d/0B1BmcF3igxYSM2RoQjJOVWRYVWc/edit?usp=sharing

References
http://docs.spring.io/spring-security/site/docs/3.0.x/reference/ns-config.html

Posted in Spring, Spring Security