I am a beginner and I have read some parts of Spring Security.
From the docs:
Spring Security provides you with a very flexible framework for your
authentication and authorization requirements,
But I didn't get the actual goal behind Spring Security. Why do I need Spring Security when I can achieve the same thing with a simple Java filter written by hand?
What makes Spring Security worth using?
I'd appreciate it if anyone could explain in simple words and mention some use cases for it.
refer
http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/faq.html#faq-web-xml
Spring Security isn't only for protecting pages; it can also protect methods and do ACLs on your domain objects. It prevents (or at least makes it more difficult to do) session hijacking, and it also has support for concurrent session control (a single user can log in only a maximum of x times at once).
The current release also has support for security headers and out-of-the-box CSRF protection for your forms.
Next to all that, it provides, out of the box, multiple ways of storing your security-related data, be it in files, a database, LDAP or Active Directory.
Whilst you might be able to do simple protection of pages in a filter, it doesn't give you any of the added benefits of Spring Security.
Finally, Spring Security has been battle-tested and is used by many companies, small to large, whilst your simple custom filter isn't.
I have configured security on enterprise projects using both ways. Here are the benefits of using Spring Security over writing a filter:
1) Ease of use and configuration
2) Multiple auth providers (i.e. LDAP, SSO, etc.)
3) Maintainability
4) Ease of implementing session management
5) Ease of implementing remember-me functionality
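The two answers above list features (URL and method protection, concurrent session control, CSRF, security headers, pluggable user stores, remember-me) without showing how they are switched on. The configuration below is an added example written for this page, not code from either answer or from the Spring Security project. It assumes Spring Boot 3 with spring-boot-starter-security on the classpath; the package name, the in-memory users and passwords, and the `ReportService` bean are made up for the illustration.

```java
package com.example.app.security; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // enables @PreAuthorize on any Spring bean
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // URL-level rules, enforced by the servlet filter chain
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // CSRF protection and the security headers are on by default; stated explicitly here
            .csrf(Customizer.withDefaults())
            .headers(Customizer.withDefaults())
            // session fixation protection is on by default; this adds concurrent session control:
            // one active session per user, a second login is refused
            .sessionManagement(session -> session
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true))
            // remember-me cookie; the key must be a secret unique to this deployment
            .rememberMe(remember -> remember
                .key("replace-with-a-long-random-secret")
                .tokenValiditySeconds(14 * 24 * 60 * 60));
        return http.build();
    }

    // Lets the session registry learn when sessions expire, which concurrency control relies on
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder(); // bcrypt for new hashes
    }

    // The user store is pluggable: an LDAP, JDBC or Active Directory backed
    // UserDetailsService / AuthenticationProvider replaces this in-memory one.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("USER").build(),
            User.withUsername("admin").password(encoder.encode("admin-pw")).roles("USER", "ADMIN").build());
    }
}

// Method-level security: enforced by a proxy around the bean, whatever URL or caller reached it
@Service
class ReportService {

    @PreAuthorize("hasRole('ADMIN')")
    public String exportAll() {
        return "all reports";
    }

    // Parameter names in the expression need the class compiled with -parameters (Spring Boot's default)
    @PreAuthorize("#owner == authentication.name or hasRole('ADMIN')")
    public String exportFor(String owner) {
        return "reports for " + owner;
    }
}
```

Every line in `filterChain` is something a hand-written filter would have to reimplement and keep correct: token generation and comparison for CSRF, the header set, the session registry behind `maximumSessions`, and the signed remember-me cookie. The method-level rule on `ReportService.exportFor` is the part a URL filter cannot do at all, because it is enforced where the data is handed out, not where the request came in.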
Related
I'm building a simple project management web application and I'm having some problems finding the best practices for storing the currently logged-in user without resorting to Spring Security.
I was thinking of creating a filter or maybe an interceptor to reduce code, but I'm still struggling with how to actually store the user. Is it better to add a specific header to the request, or is there a more elegant way to do this?
You can use Spring Session to maintain the login information in your app in a better way; there are various options available in Spring to replace the normal HttpSession, like Spring Session JDBC.
See Here: https://spring.io/projects/spring-session
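To make the answer concrete, here is an added example (not from the original answer or from the Spring Session project) of the filter-based approach the question describes, with Spring Session JDBC backing the session. It assumes Spring Boot 3 with spring-session-jdbc and a configured DataSource whose SPRING_SESSION tables have been created (for example with `spring.session.jdbc.initialize-schema=always`); the package name, the user table and the attribute names are made up.

```java
package com.example.pm.web; // hypothetical package name

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.session.jdbc.config.annotation.web.http.EnableJdbcHttpSession;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestAttribute;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.server.ResponseStatusException;

// Swaps the container's HttpSession for one stored in the SPRING_SESSION tables of the
// configured DataSource, so the logged-in user survives restarts and is shared across nodes.
@Configuration
@EnableJdbcHttpSession(maxInactiveIntervalInSeconds = 1800)
class SessionConfig {
}

@RestController
class LoginController {
    static final String USER_ATTR = "currentUserId";

    // Constructed placeholder; a real app checks a salted password hash from its user table
    private static final Map<String, String> USERS = Map.of("alice", "alice-pw");

    @PostMapping("/login")
    String login(@RequestParam String username, @RequestParam String password, HttpServletRequest request) {
        String expected = USERS.get(username);
        byte[] presented = password.getBytes(StandardCharsets.UTF_8);
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presented)) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
        }
        // Never keep the pre-login session id: drop it and start a fresh one (session fixation)
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_ATTR, username);
        return "logged in";
    }

    @GetMapping("/me")
    String me(@RequestAttribute("currentUser") String currentUser) {
        return currentUser;
    }
}

// Runs on every request after Spring Session has resolved the session from the cookie
@Component
class CurrentUserFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        if ("/login".equals(request.getRequestURI())) {
            chain.doFilter(request, response);
            return;
        }
        HttpSession session = request.getSession(false); // never create a session here
        Object user = session == null ? null : session.getAttribute(LoginController.USER_ATTR);
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        request.setAttribute("currentUser", user); // handlers read it as a request attribute
        chain.doFilter(request, response);
    }
}
```

The user is stored server-side in the session, not in a request header the client could forge; the only thing the browser holds is the session cookie. The two details a home-grown filter most often gets wrong are visible here: the session id is rotated at login, and `getSession(false)` is used in the filter so an unauthenticated request never creates a session row.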
I have a Spring MVC web application protected with Spring Security. Life seemed so calm until I was forced to do Static Application Security Testing (SAST) and the tool threw up a bunch of security issues. Have a look at here:
I have gone through all the CVEs and got a rough picture of the vulnerabilities. I have a few queries:
How is a web application vulnerable to such exploitation when a security framework like Spring Security is integrated with it?
Can I ignore all those vulnerabilities, since Spring Security might have some sort of workaround for all of them?
From the Spring Security manual:
Spring Security is a powerful and highly customizable authentication
and access-control framework. It is the de-facto standard for securing
Spring-based applications.
Think of Spring Security as an authentication framework; it covers one piece of the security puzzle.
As an example, let's have a look at #1 of the OWASP Top 10 Application Security Risks: A1 - Injection.
Assume you use a jar for accessing an SQL database (e.g. Hibernate) and it has an injection vulnerability; then your application could be vulnerable as well. However, even if Hibernate doesn't have any security bugs, if a programmer concatenates an SQL query together without correctly escaping the user input, the application is vulnerable to an injection attack.
Spring Security doesn't protect your application from either of these injection attacks.
If a jar has a vulnerability and you are calling the vulnerable methods/features, then your app may also have that vulnerability; it depends a lot on what the vulnerability is, how it's executed and how your application is configured to use the jar.
For a quick look at the other OWASP Top 10 Application Security Risks:
A1-Injection - No protection from Spring Security
A2-Broken Authentication and Session Management - Spring Security can help manage some of these; however, a misconfigured Spring Security will expose these.
A3-Cross-Site Scripting (XSS) - No protection from Spring Security
A4-Insecure Direct Object References - No added protection from Spring Security (Spring Security gives you the tools to manage this)
A5-Security Misconfiguration - No protection from Spring Security
A6-Sensitive Data Exposure - Spring Security can assist with this; however, it also depends a lot on how you store and manage your data (e.g. log files)
A7-Missing Function Level Access Control - If the access control has been missed, Spring Security can't help you; however, Spring Security makes it easy to add these
A8-Cross-Site Request Forgery (CSRF) - Spring Security (depending on how your application is configured) will assist you or even manage this risk for you.
A9-Using Components with Known Vulnerabilities - This is the CVEs you have listed in your question - No protection from Spring Security
A10-Unvalidated Redirects and Forwards - Spring Security could be used to manage this; however, it doesn't protect your application from this out of the box
The list of CVEs found during the SAST of your application is an example of A9-Using Components with Known Vulnerabilities; have a look at the OWASP wiki for more information.
Example Attack Scenarios
Component vulnerabilities can cause almost any type of risk
imaginable, ranging from the trivial to sophisticated malware designed
to target a specific organization. Components almost always run with
the full privilege of the application, so flaws in any component can
be serious. The following two vulnerable components were downloaded
22m times in 2011.
Apache CXF Authentication Bypass – By failing to provide an identity token, attackers could invoke any web service with full
permission. (Apache CXF is a services framework, not to be confused
with the Apache Application Server.)
Spring Remote Code Execution – Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code,
effectively taking over the server.
Every application using either of these vulnerable libraries is
vulnerable to attack as both of these components are directly
accessible by application users. Other vulnerable libraries, used
deeper in an application, may be harder to exploit.
Note from the last paragraph above: the deeper the component (jar) is, the harder it is to exploit; however, that doesn't mean a determined entity can't exploit it.
In summary, Spring Security is a great tool for managing authentication and access control in your application, but it isn't a magic bullet to fix all security problems.
My web app uses Spring Security 3 as its login manager, and user data (username, password, etc.) is saved in a database.
Now we have added external applications that are supposed to use the same login page internally as the first app. That could be a problem, especially for performance reasons. Is it possible to take out the "Spring Security part" as a separate module? How can I keep the redirection working in the main application in this case? Design suggestions?
You seem to need a Single Sign-On concept implemented.
Spring Security supports two of those out of the box. You could refer to this answer for details.
In our organization we are developing LDAP-based authentication and authorization
with a Single Sign-On feature. Upon developing this generic module, there will be tens of other modules which will be dependent on it. The tool set is:
Spring
Hibernate
Tomcat 7
openAm/openSSO
openldap
postgresql
We will have a simple authentication mechanism but a very complex authorization scheme. We are not sure what the right approach for authorization will be. Should we put the authentication as well as the authorization logic in LDAP, or should we use it for authentication only? In that case we will have to mess around with OpenAM/OpenSSO. Is there any other approach, like Spring Security, CAS, JOSSO, ...? Whatever the approach, it has to be very scalable and maintainable. Any suggestion or help would be greatly appreciated.
Thanks,
Nazrul
You may have a look at Apache Shiro: http://shiro.apache.org/. It is an easy-to-use security framework that supports most of the existing security technologies, including LDAP and Single Sign-On.
Also, through subtyping AuthenticatingRealm and AuthorizingRealm (from the Shiro API), you can implement your authenticating and authorizing strategies no matter how complex they are.
Most commonly, you will implement your own:
AuthenticatingRealm
AuthorizingRealm
AuthenticationToken
AuthorizationToken
PermissionResolver
and so on...
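What subclassing `AuthorizingRealm` looks like in practice, as an added example that is not part of the answer above or of the Shiro project: one realm that answers both the authentication question (`doGetAuthenticationInfo`) and the authorization question (`doGetAuthorizationInfo`). It assumes shiro-core on the classpath; the account, role and permission tables are constructed in-memory stand-ins for the LDAP lookups a real realm would do.

```java
import java.util.Map;
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class DirectoryRealm extends AuthorizingRealm {

    // Constructed sample data standing in for LDAP lookups; plain-text passwords only for the demo.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "alice-pw", "bob", "bob-pw");
    private static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("editor"), "bob", Set.of("viewer"));
    private static final Map<String, Set<String>> PERMISSIONS = Map.of(
        "editor", Set.of("document:read:*", "document:edit:*"),
        "viewer", Set.of("document:read:*"));

    // Authentication: look the account up; the realm's CredentialsMatcher compares the password.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        String stored = PASSWORDS.get(username);
        if (stored == null) {
            throw new UnknownAccountException("no account " + username);
        }
        return new SimpleAuthenticationInfo(username, stored, getName());
    }

    // Authorization: roles and permissions for an already authenticated principal.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(ROLES.getOrDefault(username, Set.of()));
        for (String role : info.getRoles()) {
            info.addStringPermissions(PERMISSIONS.getOrDefault(role, Set.of()));
        }
        return info;
    }

    // Stand-alone use with no web container: the realm wired into a SecurityManager.
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new DirectoryRealm()));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("bob", "bob-pw"));
        System.out.println("bob may read document 42: " + subject.isPermitted("document:read:42"));
        System.out.println("bob may edit document 42: " + subject.isPermitted("document:edit:42"));
        subject.logout();
    }
}
```

The split matters for the question asked: authentication can stay a thin LDAP bind inside `doGetAuthenticationInfo`, while the complex authorization scheme lives entirely in `doGetAuthorizationInfo` and in the `role -> permission` mapping, which can be sourced from a database rather than from LDAP group membership. For real credentials, replace the default matcher with a `HashedCredentialsMatcher` and store hashes, not passwords.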
You probably would want to look at this before moving on to making any decision.
http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html
For the authorization, you can look at externalized authorization frameworks based on XACML, the eXtensible Access Control Markup Language.
It is an OASIS standard that implements attribute-based access control, which gives you a lot of flexibility in how you design your authorization.
Can Spring Acegi Security be used for a social networking application where users can set their security preferences to share their data only with their friends?
The common scenario of the Acegi tutorials is where you want to authorize actions per user role, but what about authorizing users to view specific data, say, only their friends'?
Is it possible to use Acegi for that? How?
Short answer: yes.
Note that Acegi is now part of Spring, and is now known as Spring Security.
As to how to do it, that's a much more complicated question, and likely has as many right answers as those willing to try. Your final solution will depend on the needs of the app you're developing, the environment you're in, and the organization you are designing for. I'll assume that you want everyone (or most) to see the basic information, and that the sensitive information only appears on the page if the requester is a friend.
I believe the most basic means of all will involve using the SecurityContext within your servlet/controllers/resources (far too many ways to design a web app to make assumptions here), and page templates (JSF, JSP, etc.), to get access to the currently authenticated user, and include only the information that user is allowed to access.
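The "read the SecurityContext and show only what this user may see" approach from the answer above, as an added example that is not part of the answer; it also shows the second option Spring Security gives you for the same problem, filtering a returned collection with `@PostFilter`. It assumes Spring Security 6 with `@EnableMethodSecurity` on a configuration class; the package, the `Profile`/`Post` classes and the in-memory friendship store are made up for the illustration.

```java
package com.example.social; // hypothetical package name

import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

// Constructed domain classes: the email address is the friends-only part of a profile.
class Profile {
    private final String owner;
    private final String displayName;
    private final String email;

    Profile(String owner, String displayName, String email) {
        this.owner = owner;
        this.displayName = displayName;
        this.email = email;
    }

    public String getOwner() { return owner; }
    public String getDisplayName() { return displayName; }
    public String getEmail() { return email; }

    Profile publicView() { return new Profile(owner, displayName, null); }
}

class Post {
    private final String author;
    private final String text;

    Post(String author, String text) {
        this.author = author;
        this.text = text;
    }

    public String getAuthor() { return author; }
    public String getText() { return text; }
}

@Service("friendships") // the bean name referenced from the @PostFilter expression below
class FriendshipService {
    private final Map<String, Set<String>> friends = new HashMap<>();

    public void befriend(String a, String b) {
        friends.computeIfAbsent(a, k -> new HashSet<>()).add(b);
        friends.computeIfAbsent(b, k -> new HashSet<>()).add(a);
    }

    public boolean areFriends(String a, String b) {
        return friends.getOrDefault(a, Set.of()).contains(b);
    }
}

@Service
class ProfileService {
    private final FriendshipService friendships;
    private final Map<String, Profile> profiles = new HashMap<>();
    private final List<Post> posts = new ArrayList<>();

    ProfileService(FriendshipService friendships) {
        this.friendships = friendships;
    }

    // The currently authenticated user, as placed in the context by the Spring Security filter chain
    private static String viewer() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? "" : auth.getName(); // "" never matches a real owner
    }

    // Approach 1: read the SecurityContext and decide in code which fields to reveal.
    public Profile view(String owner) {
        Profile profile = profiles.get(owner);
        if (profile == null) {
            throw new NoSuchElementException(owner);
        }
        String viewer = viewer();
        boolean friendOrSelf = viewer.equals(owner) || friendships.areFriends(owner, viewer);
        return friendOrSelf ? profile : profile.publicView();
    }

    // Approach 2: let Spring Security drop the elements the caller may not see.
    @PostFilter("filterObject.author == authentication.name"
            + " or @friendships.areFriends(filterObject.author, authentication.name)")
    public List<Post> timeline() {
        return new ArrayList<>(posts); // must be mutable: the filter removes elements in place
    }

    public void addProfile(Profile profile) { profiles.put(profile.getOwner(), profile); }
    public void addPost(Post post) { posts.add(post); }
}
```

Both approaches make the decision in the service layer, where the data is, rather than in a URL rule, which is what separates "friends only" from the per-role examples in the tutorials. The `@PostFilter` form is convenient for small lists but evaluates the expression once per element; for large timelines, push the friendship condition into the query instead and keep the SpEL rule as a defence-in-depth check.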
The fundamental elements of Spring Security are
- Security Interceptor
- Authentication Manager
- Access Decision Manager
- Run-As Manager
- After-Invocation Manager
The actual implementation of a security interceptor will depend on what resource is being secured. If you’re securing a URL in a web application, the security interceptor will be implemented as a servlet filter. But if you’re securing a method invocation, aspects will be used to enforce security.
A security interceptor does little more than intercept access to resources to enforce security. It does not actually apply security rules. Instead, it delegates that
responsibility to the various managers.
Through using the proper manager(s) you will manage to fulfil your requirements.
Reference: Manning Spring in Action 2nd Edition August 2007
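The delegation the answer above describes, a security interceptor that hands the decision to an Authentication Manager and an Access Decision Manager, is what you plug into when the built-in rules are not enough. The following is an added example, not from the answer or from the Spring in Action book; it uses the Spring Security 6 names for those managers (`AuthenticationProvider` behind the `AuthenticationManager`, and `AuthorizationManager` for the request interceptor). The package, the static credential table and the `/users/{username}/**` ownership rule are made up for the illustration.

```java
package com.example.app.security; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

// Authentication Manager side: one provider among possibly several (LDAP, JDBC, ...).
// Returning null means "not my account, ask the next provider"; throwing means "mine, and it failed".
class StaticTableAuthenticationProvider implements AuthenticationProvider {
    private static final Map<String, String> TABLE = Map.of("alice", "alice-pw"); // constructed, demo only

    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        String user = request.getName();
        String expected = TABLE.get(user);
        if (expected == null) {
            return null;
        }
        byte[] presented = String.valueOf(request.getCredentials()).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presented)) {
            throw new BadCredentialsException("bad credentials");
        }
        // credentials are erased from the returned token; only principal and authorities remain
        return UsernamePasswordAuthenticationToken.authenticated(
            user, null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

// Access Decision side: the request security interceptor calls this for matching URLs.
// Rule: /users/{username}/** is allowed for that user or for an admin.
class OwnerOrAdminAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext ctx) {
        Authentication auth = authentication.get();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return new AuthorizationDecision(false);
        }
        String owner = ctx.getVariables().get("username"); // path variable from the matcher pattern
        boolean admin = auth.getAuthorities().stream()
            .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        return new AuthorizationDecision(admin || (owner != null && owner.equals(auth.getName())));
    }
}

@Configuration
@EnableWebSecurity
public class ManagersConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authenticationProvider(new StaticTableAuthenticationProvider())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/users/{username}/**").access(new OwnerOrAdminAuthorizationManager())
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Neither class touches the servlet request or the session: the interceptor does that and only asks the managers for a verdict, which is exactly the split the answer describes. Adding a second `authenticationProvider(...)` call (an LDAP one, say) gives the "multiple auth providers" behaviour from the earlier answers, because the `AuthenticationManager` tries each provider that `supports` the token until one returns a result.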