- HTTP Basic Authentication
- Spring Security Description
- Application Security Key Terms
- Authentication Providers
- Password Storage
- Spring Security Authentication Components
- Spring Security Modules
- Spring Security for Common Vulnerabilities
- Spring Security XSS Prevention
- In Memory User Details Manager
- Spring Security focuses on Application Security
- Spring Security does not address other layers of security (network, host, OS, database); those still need their own controls
- Application Security focuses on who can do what within the context of an application
- Spring Security provides:
- Protection from common web security exploits (CSRF, session fixation, missing security headers)
- Integration with external security products and identity providers, such as LDAP
- Utilities for password hashing ("password encoding" in Spring Security terms)
- Identity - A unique actor, typically an individual (a user), but also a service or device calling the application
- Credentials - Proof of identity; usually a user id and password, but also tokens, certificates or keys
- Authentication - How the application verifies the identity of the requestor
- Spring Security has a variety of methods for Authentication
- Typically the user provides credentials, which are validated against a user store
- Authorization - Can an authenticated user perform a given action?
- Using the user's identity (roles, authorities), Spring Security determines if they are authorized to perform the action
- Authentication Providers - Verify users' identities
- Authentication Providers (user stores and protocols) supported by Spring Security:
- In Memory
- JDBC/Database
- Custom
- LDAP/Active Directory
- Keycloak (via OAuth 2.0 / OpenID Connect)
- ACL (Access Control List) - strictly an authorization feature for domain objects, not a way to authenticate users; it is often listed here because it ships as a Spring Security module
- OpenID (OpenID 2.0; deprecated in Spring Security 5 and removed in 6, superseded by OpenID Connect on top of OAuth 2.0)
- CAS
- Authentication Filter - A filter for a specific Authentication type in the Spring Security filter chain (i.e. HTTP Basic, form login, remember-me cookie, bearer token). It extracts credentials from the request and hands them to the Authentication Manager
- Authentication Manager - Standard API interface used by the filter; the default implementation (ProviderManager) delegates to a list of Authentication Providers until one succeeds
- Authentication Provider - The implementation of the authentication check for one kind of credential or user store (in memory, database, LDAP, etc.); DaoAuthenticationProvider is the one that combines a User Details Service with a Password Encoder
- User Details Service - Service to load information about a user (username, hashed password, authorities, account status) by username
- Password Encoder - Service to hash and verify passwords. Despite the name it does not encrypt: stored passwords are one-way hashes and are never decrypted, a candidate password is hashed and compared
- Security Context - Holds details about the authenticated entity for the current request; accessible via SecurityContextHolder
- Spring Security supports a variety of methods to store and verify passwords
- NoOp Password Encoder - plain text, not recommended; only for migrating legacy systems
- BCrypt - uses bcrypt password hashing; the default since Spring Security 5 (wrapped in a DelegatingPasswordEncoder that prefixes stored hashes with {bcrypt})
- Argon2 - Uses the Argon2 algorithm (requires Bouncy Castle on the classpath)
- Pbkdf2 - Uses the PBKDF2 algorithm
- SCrypt - Uses the scrypt algorithm
- Custom - Roll your own? Not recommended!
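Added example (not code from the course or from Spring Security itself) showing the default DelegatingPasswordEncoder at work: hashing with a random salt, one-way verification, reading a legacy `{noop}` entry during migration, and measuring the cost of stronger work factors. It assumes spring-security-crypto (and Bouncy Castle, for Argon2) on the classpath; the passwords are made up.

```java
import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Stand-alone demo; needs only spring-security-crypto (plus bouncycastle for Argon2).
public class PasswordStorageDemo {

    public static void main(String[] args) {
        // Spring Security's default since 5.0: a DelegatingPasswordEncoder that hashes with
        // bcrypt and prefixes the stored value with the algorithm id, e.g. "{bcrypt}$2a$10$...".
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        String stored = encoder.encode("correct horse battery staple"); // made-up password
        System.out.println("stored form:    " + stored);

        // Verification is one-way: the candidate is hashed with the salt embedded in the
        // stored value and compared; nothing is ever decrypted.
        System.out.println("right password: " + encoder.matches("correct horse battery staple", stored));
        System.out.println("wrong password: " + encoder.matches("wrong", stored));

        // bcrypt salts every hash, so the same password never produces the same stored form.
        // Never compare two encode() results with equals(); always use matches().
        System.out.println("same input, same hash? "
                + stored.equals(encoder.encode("correct horse battery staple")));

        // Migration off a legacy store: the delegating encoder still verifies an old
        // {noop} (plaintext) entry by its prefix, and upgradeEncoding() reports that it is
        // not in the current default format, so the app should re-hash after a successful login.
        String legacy = "{noop}hunter2";
        System.out.println("legacy matches: " + encoder.matches("hunter2", legacy));
        System.out.println("needs upgrade:  " + encoder.upgradeEncoding(legacy));
        if (encoder.upgradeEncoding(legacy)) {
            System.out.println("re-hashed as:   " + encoder.encode("hunter2"));
        }

        // Work factor tuning: bcrypt strength is a log2 cost, so 12 is about 4x slower than
        // the default 10. Measure on the hardware that will serve logins and pick the
        // highest cost you can afford per attempt.
        timeEncoder("bcrypt(10)", new BCryptPasswordEncoder());
        timeEncoder("bcrypt(12)", new BCryptPasswordEncoder(12));
        // Argon2id with the parameter set Spring Security 5.8+ recommends.
        timeEncoder("argon2id", Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8());
    }

    private static void timeEncoder(String name, PasswordEncoder encoder) {
        long start = System.nanoTime();
        encoder.encode("correct horse battery staple");
        long millis = (System.nanoTime() - start) / 1_000_000;
        System.out.printf("%-11s %d ms%n", name, millis);
    }
}
```

One caveat worth knowing before wiring this into a real user store: the delegating encoder throws an IllegalArgumentException for a stored value with no `{id}` prefix, so rows written by an older, unprefixed bcrypt setup must either be prefixed during migration or matched with a plain BCryptPasswordEncoder.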
- Core - Core modules of Spring Security (authentication and authorization APIs, SecurityContext)
- Remoting - Only needed for support of RMI operations (removed in Spring Security 6)
- Web - Support of web applications (the servlet filter chain, headers, CSRF)
- Config - Provides support for XML and Java configuration
- LDAP - for integration with LDAP identity providers
- OAuth 2.0 Core - Core of OAuth 2.0 Authorization and OpenID Connect
- OAuth 2.0 Client - Client support for OAuth 2.0 and OpenID Connect clients
- OAuth 2.0 JOSE - Provides support for JOSE (JSON Object Signing and Encryption: JWT, JWS, JWE, JWK)
- OAuth 2.0 Resource Server - Support for OAuth 2.0 Resource Servers (bearer token validation)
- ACL - Support for Access Control Lists (domain object authorization)
- CAS - Support for Central Authentication Service
- OpenID - Authenticate users with an external OpenID 2.0 server (removed in Spring Security 6; use the OAuth 2.0 Client module for OpenID Connect)
- Test - Testing Support for Spring Security (e.g. @WithMockUser, MockMvc security post-processors)
- Spring Security has built-in support to address several common vulnerabilities
- Cross-site Scripting (XSS) - mainly through security response headers; output encoding in the view layer is still the application's job
- Cross-Site Request Forgery (CSRF) - token-based protection, enabled by default for state-changing requests
- Security HTTP Response Headers
- A variety of headers can be set to improve browser security (Cache-Control, X-Content-Type-Options, X-Frame-Options, HSTS are sent by default)
- Redirect to HTTPS
- Header 'X-XSS-Protection' was set to '1; mode=block' by default in Spring Security 5
- Told the browser's XSS auditor to block the page when reflected XSS was detected
- Modern browsers have removed that auditor (it could itself be abused for information leaks) in favor of Content Security Policy (CSP); OWASP now recommends sending '0', and Spring Security 6 defaults to '0'
- Content Security Policy - Spring Security does not set a default value; no CSP header is sent unless you configure one
- Spring Security can easily be configured to send one
- Refer to OWASP (Secure Headers Project, Content Security Policy Cheat Sheet) for best practices
- Link to OWASP recommendations in lesson resources
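Added example (not code from the course or from Spring Security) of a Spring Security 6 Java configuration that applies the points above: HTTPS redirect, CSRF left on, X-XSS-Protection set to `0`, an explicit CSP, HSTS, referrer and framing policy. The class name and the CSP directives are assumptions chosen for illustration; tune the policy to the application.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue;

// Illustrative configuration for Spring Security 6.x (class name is an assumption).
@Configuration
@EnableWebSecurity
public class SecurityHeadersConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Redirect plain-HTTP requests to HTTPS. If TLS terminates at a load balancer,
            // do the redirect there instead (or make the app honour X-Forwarded-Proto),
            // otherwise every request looks insecure and the redirect loops.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            .headers(headers -> headers
                // The legacy XSS auditor is gone from modern browsers and "1; mode=block"
                // had known side effects; "0" is what OWASP recommends and is the
                // Spring Security 6 default. Shown explicitly for readers on 5.x.
                .xssProtection(xss -> xss.headerValue(HeaderValue.DISABLED))
                // Spring Security sends no CSP unless told to. A restrictive starting point:
                // no inline or third-party script, no plugins, no framing, no <base> hijack.
                // Use csp.reportOnly() first if the app still has inline <script> blocks.
                .contentSecurityPolicy(csp -> csp.policyDirectives(
                    "default-src 'self'; script-src 'self'; object-src 'none'; "
                    + "base-uri 'self'; frame-ancestors 'none'; form-action 'self'"))
                // HSTS is only written on secure requests; one year plus includeSubDomains
                // is the usual requirement for browser preload lists.
                .httpStrictTransportSecurity(hsts -> hsts
                    .maxAgeInSeconds(31_536_000)
                    .includeSubDomains(true)
                    .preload(true))
                .referrerPolicy(ref -> ref.policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
                // Belt and braces with frame-ancestors for browsers that ignore CSP.
                .frameOptions(frame -> frame.deny())
                // Cache-Control: no-store and X-Content-Type-Options: nosniff stay on by default.
            )
            // CSRF protection is on by default for state-changing methods; shown explicitly.
            .csrf(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Verify the result from outside the container, e.g. `curl -kI https://localhost:8443/` and check that the Content-Security-Policy, Strict-Transport-Security and X-XSS-Protection: 0 headers are present on an authenticated response; CSP violations show up in the browser console, which is the quickest way to find inline scripts the policy breaks.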
- Implements User Details Service (and the UserDetailsManager create/update/delete operations)
- Used by Spring Boot auto-configuration: when no UserDetailsService bean is defined, Boot registers one with a single user named "user" and a random password printed in the startup log
- Non-persistent implementation - uses an in-memory map; all users and password changes are lost on restart
- Mainly used for testing and demonstration purposes
- Not normally used in production systems
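Added example (not code from the course or from Spring Security) that wires the authentication components listed earlier on this page (User Details Service, Password Encoder, Authentication Provider, Authentication Manager, Security Context) around an InMemoryUserDetailsManager and drives them without a web container, the same way BasicAuthenticationFilter would for an Authorization header. It assumes spring-security-core and spring-security-crypto on the classpath; user names and passwords are made up.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Stand-alone demo of the authentication pipeline; no servlet container needed.
public class InMemoryAuthDemo {

    public static void main(String[] args) {
        // Password Encoder: default delegating encoder (bcrypt, "{bcrypt}" prefix).
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // User Details Service: a non-persistent map. Passwords go in hashed, never plain.
        UserDetails alice = User.withUsername("alice")            // made-up user
                .password(encoder.encode("correct horse battery staple"))
                .roles("USER")                                    // stored as ROLE_USER
                .build();
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(alice);

        // Authentication Provider: loads the user and checks the password with the encoder.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);

        // Authentication Manager: ProviderManager tries each provider in turn.
        AuthenticationManager manager = new ProviderManager(provider);

        // Authentication Filter step, done by hand: BasicAuthenticationFilter would build this
        // token from the decoded "Authorization: Basic ..." header.
        Authentication request = UsernamePasswordAuthenticationToken.unauthenticated(
                "alice", "correct horse battery staple");
        Authentication result = manager.authenticate(request);
        System.out.println("authenticated: " + result.isAuthenticated()
                + " as " + result.getName() + " with " + result.getAuthorities());

        // Security Context: the filter stores the result here for the rest of the request.
        SecurityContextHolder.getContext().setAuthentication(result);
        System.out.println("principal in context: "
                + SecurityContextHolder.getContext().getAuthentication().getName());

        // Wrong password and unknown user both surface as BadCredentialsException:
        // DaoAuthenticationProvider hides UsernameNotFoundException by default so the
        // response cannot be used to enumerate valid usernames.
        String[][] attempts = { { "alice", "wrong" }, { "mallory", "anything" } };
        for (String[] attempt : attempts) {
            try {
                manager.authenticate(
                        UsernamePasswordAuthenticationToken.unauthenticated(attempt[0], attempt[1]));
            } catch (BadCredentialsException e) {
                System.out.println(attempt[0] + ": " + e.getMessage());
            }
        }

        // Management operations work, but only against the in-memory map: nothing here
        // survives a restart, which is why this belongs in tests and demos, not production.
        users.createUser(User.withUsername("bob")
                .password(encoder.encode("bob-password")).roles("USER").build());
        System.out.println("bob exists: " + users.userExists("bob"));

        SecurityContextHolder.clearContext();
    }
}
```

In a Spring Boot application the same three beans (a PasswordEncoder, the InMemoryUserDetailsManager as the UserDetailsService, and a SecurityFilterChain with `httpBasic(Customizer.withDefaults())`) replace the hand-built ProviderManager; Boot stops generating its default "user" account as soon as a UserDetailsService bean is present.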