Spring Security - owasp

Nov 12, 2013

A Brief Introduction

2012

Spring Security

What is it?

- Security toolkit for Java applications
- Primarily intended for web applications
- Open Source from SpringSource (http://www.springsource.org/spring-security)
- Current version is 3.1.1
- Requires Java 1.5+ and Spring 3.0.7+


Authentication Support

- Integrates with a wide variety of authentication mechanisms
  - HTTP (Basic/Digest/X.509 certificates)
  - LDAP (and Active Directory)
  - Distributed authentication / Single Sign-On
    - OAuth 1.0, OpenID, SAML, JA-SIG CAS
  - JEE Container-managed authentication
  - Header-based authentication (e.g., SiteMinder)
  - Custom implementations
  - And many more… (> 30)
- Can support multiple mechanisms simultaneously

Authorization Support

- Supports authorization based on URL / URL pattern
  - Similar to url-pattern in the web.xml file (the intercept-url element)
- Supports authorization based on method invocation
  - Done via AOP: a MethodSecurityInterceptor is wrapped around the Spring-managed bean
- Supports the use of annotations
  - Both Spring-specific (@Secured, @PreAuthorize) and JSR-250 (@RolesAllowed)
- Can use all three mechanisms at the same time
- Also allows you to check or filter the value returned, if needed (@PostAuthorize / @PostFilter)

Simple Example (1)

web.xml

<!-- The filter name must match the bean name Spring Security registers for its
     filter chain ("springSecurityFilterChain"); with any other name,
     DelegatingFilterProxy needs a targetBeanName init-param pointing at it. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>…DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Still need Spring config: the proxy only delegates to the filter chain bean defined there

Simple Example (2)

applicationContext.xml (Spring configuration file)

<http pattern="/css/*" security="none"/>
<http pattern="/login.jsp" security="none"/>

<http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <form-login login-page="/login.jsp"/>
</http>

Note: "/css/*" matches a single path segment only; use "/css/**" if the stylesheets live in sub-directories.

Will expect to have users defined in the XML this way…



Slightly More Complex…

applicationContext.xml

<http pattern="/css/*" security="none"/>
<http pattern="/login.jsp" security="none"/>

<http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER"
                   requires-channel="https"/>
    <form-login login-page="/login.jsp"/>
</http>

<!-- authentication-manager is a top-level element, a sibling of <http>,
     not a child of it -->
<authentication-manager>
    <authentication-provider>
        <jdbc-user-service data-source-ref="securityDS"/>
    </authentication-provider>
</authentication-manager>

Notes:
- securityDS must be a DataSource bean defined elsewhere in the context.
- jdbc-user-service expects the default users/authorities tables unless users-by-username-query and authorities-by-username-query are set.
- Passwords in that table should be hashed: add a <password-encoder> inside <authentication-provider> rather than storing them in the clear.
- Because /login.jsp is excluded with security="none", it is still served over plain HTTP even though /** requires HTTPS, so the credential POST starts from an unprotected page and then hits a channel redirect. Either keep the login page inside the secured chain or force HTTPS at the front end.


Other Features

- Can configure Spring Security to detect timeouts
  - Detects requests submitted with an expired (invalid) session and redirects to another location (invalid-session-url on the session-management element)
- Can be used to limit the number of concurrent logins by a user
  - Limit applies to all users, not to specific one(s) (concurrency-control max-sessions="1"; error-if-maximum-exceeded chooses between rejecting the new login and expiring the old session)
- Supports steps to eliminate session fixation attacks
  - Via the session-fixation-protection attribute on the session-management element (default migrateSession: a new session id is issued on login and attributes are copied across)
- Allows user-defined filters to be included in the security checking filter chain
  - Can specify both the additional filter and where in the chain to execute it (custom-filter with before, after or position)
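The session features above are normally switched on through the session-management element; to make the behaviour concrete, here is an added example (not from the slides and not Spring Security's own code) that drives the Spring Security 3.1 strategy classes behind session-fixation-protection and concurrency-control directly, using spring-test's mock servlet objects so it runs without a container. The user names and the "cart" attribute are constructed sample data; the class names reflect the 3.1 API (ConcurrentSessionControlStrategy was split into separate strategies in later releases).

```java
// Added example (not from the slides): what session-fixation-protection and
// concurrency-control do, driven through the Spring Security 3.1 strategy classes
// that the <session-management> element wires up behind the form-login filter.
// Assumed on the classpath: spring-security-web and spring-security-core 3.1.x,
// spring-test (mock servlet objects) and the servlet API. User names are made up.
import javax.servlet.http.HttpSession;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

public class SessionManagementDemo {

    static Authentication user(String name) {
        return new UsernamePasswordAuthenticationToken(name, "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    // A login request that already carries a session (in a fixation attack this is the
    // id the attacker planted before the victim authenticated).
    static MockHttpServletRequest requestWithSession(String cartContents) {
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/j_spring_security_check");
        request.getSession(true).setAttribute("cart", cartContents);   // constructed sample state
        return request;
    }

    // session-fixation-protection="migrateSession" (the default): fresh id, attributes kept
    static void fixationDemo() {
        MockHttpServletRequest request = requestWithSession("3 items");
        String idBeforeLogin = request.getSession().getId();

        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        strategy.setMigrateSessionAttributes(true);
        strategy.onAuthentication(user("alice"), request, new MockHttpServletResponse());

        HttpSession after = request.getSession(false);
        System.out.println("session id changed on login: " + !idBeforeLogin.equals(after.getId()));
        System.out.println("cart attribute after login:  " + after.getAttribute("cart"));
    }

    // <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
    static void concurrencyDemo() {
        SessionRegistryImpl registry = new SessionRegistryImpl();
        ConcurrentSessionControlStrategy strategy = new ConcurrentSessionControlStrategy(registry);
        strategy.setMaximumSessions(1);
        strategy.setExceptionIfMaximumExceeded(true);   // false would expire the older session instead

        // first login, browser A: passes and is recorded in the registry
        strategy.onAuthentication(user("bob"), requestWithSession("a"), new MockHttpServletResponse());
        System.out.println("sessions registered for bob: " + registry.getAllSessions("bob", false).size());

        // second login, browser B, with a different session id for the same principal
        try {
            strategy.onAuthentication(user("bob"), requestWithSession("b"), new MockHttpServletResponse());
            System.out.println("second login allowed");
        } catch (SessionAuthenticationException e) {
            System.out.println("second login rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        fixationDemo();
        concurrencyDemo();
    }
}
```

The first half is the check a reviewer wants for session fixation: the id the browser sent before authentication is not the id it holds afterwards, while application state survives the switch. The second half shows why error-if-maximum-exceeded matters: with it set, a user who is already logged in elsewhere cannot open a second session; without it, the older session is silently expired instead, which is friendlier but lets an attacker who obtained the credentials push the legitimate user out.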

Authorization Checking Support

- Default (simple examples) authorization based on:
  - intercept-url
  - protect-pointcut
- Annotations using:
  - Spring @Secured (e.g., @Secured("ROLE_ADMIN"))
  - JSR-250 annotations (e.g., @RolesAllowed("ROLE_ADMIN"))
  - Spring Pre/Post annotations (e.g., @PreAuthorize("hasAuthority('ROLE_ADMIN')"))
- Annotations are only effective when Spring instantiates the annotated classes: the check lives in an AOP proxy around the bean, so an instance created with new is never intercepted
- More complex models supported by implementing the AccessDecisionManager interface (or by adding a custom AccessDecisionVoter to one of the built-in managers and referencing it with access-decision-manager-ref)
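To show the annotation styles above and the caveat that they only bite on Spring-managed beans, here is an added example (not from the slides and not Spring Security's own code). It boots a minimal Spring 3.1 / Spring Security 3.1 context from an inlined XML string; the AccountService type, the alice/bob sample data and the roles are made up for illustration.

```java
// Added example (not from the slides): method-security annotations in a stand-alone
// Spring 3.1 / Spring Security 3.1 context, and the "only effective when Spring
// instantiates the class" caveat.
// Assumed on the classpath: spring-context, spring-security-core, spring-security-config.
// AccountService, the account names and the users are made up for this demo.
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.support.GenericXmlApplicationContext;
import org.springframework.core.io.ByteArrayResource;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class MethodSecurityDemo {

    // An interface so the default JDK dynamic proxy can wrap the bean
    public interface AccountService {
        void closeAccount(String id);
        List<String> listAccounts();
    }

    public static class AccountServiceImpl implements AccountService {
        @Secured("ROLE_ADMIN")                    // Spring-specific annotation, role check
        public void closeAccount(String id) {
            System.out.println("closed " + id);
        }

        // Return-value filtering: only entries that start with the caller's name survive
        @PreAuthorize("isAuthenticated()")
        @PostFilter("filterObject.startsWith(authentication.name)")
        public List<String> listAccounts() {
            List<String> all = new ArrayList<String>();   // constructed sample data
            all.add("alice-savings");
            all.add("bob-checking");
            return all;
        }
    }

    // Minimal security-namespace config, inlined so the demo needs no extra files
    private static final String CONFIG =
        "<beans xmlns='http://www.springframework.org/schema/beans'"
      + " xmlns:sec='http://www.springframework.org/schema/security'"
      + " xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'"
      + " xsi:schemaLocation='http://www.springframework.org/schema/beans"
      + " http://www.springframework.org/schema/beans/spring-beans-3.1.xsd"
      + " http://www.springframework.org/schema/security"
      + " http://www.springframework.org/schema/security/spring-security-3.1.xsd'>"
      + " <sec:global-method-security secured-annotations='enabled' pre-post-annotations='enabled'/>"
      + " <sec:authentication-manager><sec:authentication-provider><sec:user-service>"
      + "  <sec:user name='alice' password='x' authorities='ROLE_USER'/>"
      + " </sec:user-service></sec:authentication-provider></sec:authentication-manager>"
      + " <bean id='accountService' class='MethodSecurityDemo$AccountServiceImpl'/>"
      + "</beans>";

    static void loginAs(String user, String... roles) {
        // The three-argument constructor marks the token as already authenticated
        SecurityContextHolder.getContext().setAuthentication(
            new UsernamePasswordAuthenticationToken(user, "n/a",
                AuthorityUtils.createAuthorityList(roles)));
    }

    public static void main(String[] args) {
        GenericXmlApplicationContext ctx = new GenericXmlApplicationContext();
        ctx.load(new ByteArrayResource(CONFIG.getBytes()));
        ctx.refresh();
        AccountService proxied = ctx.getBean("accountService", AccountService.class);

        loginAs("alice", "ROLE_USER");
        System.out.println("proxied list: " + proxied.listAccounts());   // bob's row is filtered out
        try {
            proxied.closeAccount("alice-savings");                       // needs ROLE_ADMIN
        } catch (AccessDeniedException e) {
            System.out.println("proxied closeAccount denied: " + e.getMessage());
        }

        // The caveat: a plain 'new' bypasses the proxy, so no check and no filter run
        AccountService unmanaged = new AccountServiceImpl();
        unmanaged.closeAccount("alice-savings");
        System.out.println("unmanaged list: " + unmanaged.listAccounts());

        SecurityContextHolder.clearContext();
        ctx.close();
    }
}
```

Run it with the three Spring jars on the classpath (the bean class is referenced by its nested-class name, which assumes the demo sits in the default package). The bean fetched from the container throws AccessDeniedException on the @Secured method and trims the list; the same class created with new does neither. That is the whole point of the caveat: services carrying these annotations must be obtained from the container, and any code path that constructs them directly is an authorization bypass.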

Questions?