Spring Security Architecture
Last Updated :
31 Oct, 2022
Spring Security framework adds two important capabilities to web applications,
- Authentication
- Authorization/Access Control
This framework provides protection against popular security issues like SCRF attacks, or Fixation attacks. It provides a secure and standard way to set up user login functionality in web applications and thus provides quick user authentication and access control.
Authentication
Authentication is the process of verifying the identity of the computer user. It is the process of verifying the user and devices before allowing them to access the resources. In Java, the AuthenticationManager interface is responsible for handling authentication events.
Example:
The AuthenticationManager interface method “authenticate()” returns authentication (i.e if authentication= true )if it verifies the identity. The AuthenticationException is thrown if it identifies an invalid identity or principal. It returns null if he cannot decide the identity.
Authorization/Access Control
When a user or a device is authenticated, the next step is authorization which is the process of allowing the authority to perform certain tasks or operations. In Java, AccessDecisionManager and AccessDecsionVoter classes help in the authorization process.
Example:
The class ConfigAttribute provides the secure object metadata to provide the permission required to access it. The AccessDecisionVoter handles the Spring Expression Language (SpEL) expressions. ConfigAttribute is an interface that contains only one method that returns a string that defines the rules for access control.
Advantages
- Provides support for Java Configuration
- Provides support for integration with Spring MVC
- Provides protection against major security issues
- Provides efficient portability
Sample Java Configuration File
Java
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@EnableWebSecurity
public class WebSecurityConfig implements WebMvcConfigurer {
@Bean
public UserDetailsService userDetailsService()
throws Exception
{
InMemoryUserDetailsManager manager
= new InMemoryUserDetailsManager();
manager.createUser(User.withDefaultPasswordEncoder()
.username( "AbhijeetRathore" )
.password( "Abhijeet123" )
.roles( "USER" )
.build());
return manager;
}
protected void configure(HttpSecurity http)
throws Exception
{
http.antMatcher( "/" )
.authorizeRequests()
.anyRequest()
.hasRole( "ADMIN" )
.and()
.httpBasic();
}
}
|
Like Article
Suggest improvement
Share your thoughts in the comments
Please Login to comment...