Your Entry point in Spring Security (part 1)

Rohit Satwadhar
5 min read · Dec 29, 2021
Spring Security

Security threats are ever evolving. It is hard to keep track of new threats and vulnerabilities if you are not the one spending your waking hours tracking these developments. There are some common threats that you need not handle yourself; you can simply outsource them. Spring Security is one such outsourcing option for Java developers.

Spring Security handles many common vulnerabilities out of the box, so you can focus more on the app. It provides a highly customizable way to do authentication and authorization, all while protecting against common threats such as session fixation, clickjacking and XSS. This is particularly useful for people like me who don’t have any security background. (Honestly, I don’t even understand how session fixation or clickjacking works.) This makes Spring Security a must for a Spring Boot project.

Let’s start with the commonly used terms of Spring Security:

  1. Authentication and Authorization: Recognizing a user is authentication. This is commonly done with a username and password (there are a plethora of other ways). Once the user’s identity is established, authorization decides which operations that user can and cannot perform.
  2. Principal: The principal is the currently logged-in user.
  3. Granted Authority: A granted authority is a privilege to perform a certain operation. For example, the add_item privilege lets a user add a new item to the system, so any user with this privilege can add items. A granted authority is a fine-grained privilege.
  4. Role: Roles and granted authorities are often used interchangeably. The major difference is that a role is a group of granted authorities, which makes it easier to handle user privileges. Let’s say the role admin has the granted authorities add_item, remove_item and change_price. When a new user is added, you can simply assign that user the admin role instead of adding privileges one by one.

Adding Spring Security to a Spring Boot project:

This step is very simple. If you are just starting your project, you can go to Spring Initializr and add the Spring Security dependency.
If you already have a project, you can add the dependency to your pom.xml file.

When you add the Spring Security dependency, you will observe that for any request you are asked to log in. This is due to the filter added by Spring Security. This filter intercepts every request and redirects it to the login page if it is not authenticated. This means that Spring Security has started its job without us writing any code.

[Image: Spring Security login page]

Here is what Spring Security did just now. It added a login page, handled the error message and created a user with a generated password. You can see that password in the console and use it to log in with the username “user”.

[Image: application.properties overriding the default user]

You can override the default properties in application.properties and then use them to log in. But this is not an effective approach; we want to configure the Spring Security authentication mechanism ourselves so we have better control over how things are handled.

Configuring Spring Security Authentication:

Spring Security comes packed with an entire suite of authentication functionality. This is handled by AuthenticationManager, whose authenticate() method does the actual authentication. What we want to do is configure (not override) it. For that we will use the AuthenticationManagerBuilder class. This builder helps us set the properties that AuthenticationManager uses to perform authentication.

To do this, create a class that extends WebSecurityConfigurerAdapter and annotate it with @EnableWebSecurity. Then override the configure(AuthenticationManagerBuilder auth) method.

By annotating the class with @EnableWebSecurity, we tell Spring Security to use this configure method instead of the default one. In the configure method we create an in-memory authentication, which means the credentials we provide there will be used for authentication by AuthenticationManager.

Now we are almost done with our first interaction with Spring Security. The only thing remaining is the PasswordEncoder. Storing a plain String password is always discouraged, and Spring Security forces us to encode the password. Doing this is not that hard; we only need to create a bean. You can create it in the same class as the configure method.

We have set up NoOpPasswordEncoder, which doesn’t really encode the password. But as a starting point this is enough. You can explore other options.
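To make those “other options” concrete, here is an added example (not a gist from the article) that runs against spring-security-crypto alone, without a web application. It compares NoOpPasswordEncoder with BCryptPasswordEncoder and with the DelegatingPasswordEncoder that Spring Security uses by default; the password string is a constructed sample.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: compares the encoder the article uses (NoOp) with hardened options.
public class PasswordEncoderDemo {

    // NoOpPasswordEncoder stores the raw password unchanged: the "encoded" value
    // is the password itself, so a leaked user store leaks every password.
    static String encodeWithNoOp(String rawPassword) {
        return NoOpPasswordEncoder.getInstance().encode(rawPassword);
    }

    // BCrypt generates a fresh random salt on every encode() call, so two hashes of
    // the same password differ, yet matches() verifies both against the raw password.
    static boolean bcryptRoundTrip(String rawPassword) {
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();
        String hash1 = bcrypt.encode(rawPassword);
        String hash2 = bcrypt.encode(rawPassword);
        return !hash1.equals(hash2)
                && bcrypt.matches(rawPassword, hash1)
                && bcrypt.matches(rawPassword, hash2);
    }

    // The DelegatingPasswordEncoder prefixes each stored value with an algorithm id,
    // e.g. "{bcrypt}$2a$10$...", so the store records how each password was hashed
    // and the algorithm can be upgraded later without breaking existing users.
    static String encodeWithDelegating(String rawPassword) {
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return delegating.encode(rawPassword);
    }

    public static void main(String[] args) {
        String sample = "correct-horse-battery";   // constructed sample password
        System.out.println("NoOp stores:       " + encodeWithNoOp(sample));
        System.out.println("BCrypt round trip: " + bcryptRoundTrip(sample));
        System.out.println("Delegating stores: " + encodeWithDelegating(sample));
    }
}
```

Running it shows the NoOp value printed back verbatim, `true` for the BCrypt round trip, and a delegating value starting with `{bcrypt}`. Swapping the NoOp bean for one of these encoders means the in-memory passwords must be stored in encoded form, for example by passing them through encode() when the users are defined.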

Configuring Spring Security Authorization:

Authorization describes which operations a particular user can perform. We use roles to decide the authorization status of a particular user.

We overrode configure(AuthenticationManagerBuilder auth) to configure authentication; similarly, we will override configure(HttpSecurity http) to configure authorization.

We create a chain on the http object. antMatchers match URL paths against Ant-style patterns. We start with the most restrictive URL at the top and the least restrictive at the bottom, because the first matching rule wins. hasRole(..) matches only a single role, hasAnyRole() matches any of the given roles, and permitAll() means that no authorization is required.
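The two configure methods and the PasswordEncoder bean described above, written out in one class as an added example (this is not the article’s own gist). It uses the WebSecurityConfigurerAdapter API of Spring Security 5.x, which is what the article describes (that class was deprecated in 5.7 and removed in 6). The usernames, passwords and URL patterns are constructed placeholders; the NoOpPasswordEncoder is kept because that is the article’s starting point.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example of the configuration the article walks through.
// Requires spring-boot-starter-security on the classpath.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Authentication: two in-memory users (constructed sample credentials).
    // roles("ADMIN") is stored as the granted authority "ROLE_ADMIN"; hasRole("ADMIN")
    // below adds the same "ROLE_" prefix, so the two stay consistent.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password("admin-pass").roles("ADMIN")
            .and()
            .withUser("alice").password("alice-pass").roles("USER");
    }

    // Authorization: rules are evaluated top to bottom and the first match wins,
    // so the most restrictive patterns come first and the catch-all last.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")              // single role
            .antMatchers("/user/**").hasAnyRole("ADMIN", "USER")    // any of the listed roles
            .antMatchers("/", "/public/**").permitAll()             // no authorization needed
            .anyRequest().authenticated()                           // everything else: any logged-in user
            .and()
            .formLogin();                                           // keep the default login page
    }

    // The in-memory passwords above are compared through this encoder.
    // NoOp means plain-text comparison; to harden, return new BCryptPasswordEncoder()
    // and store the users' passwords as bcrypt hashes instead of raw strings.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
}
```

With this in place, a request to /admin/anything as alice is rejected with 403 even though she is authenticated, a request to /user/anything succeeds for either user, and /public/anything needs no login at all; the order of the antMatchers lines is what makes that happen.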

Now we are done. This should give you a surface-level understanding of Spring Security: how to set up a project with Spring Security, how it works, and how to override its default authentication and authorization.

Part 2 is published now. Find it here.


Rohit Satwadhar

I Write about new things that I learn. That is how I remember stuff. These things are mostly tech related.