Spring Security features - spring

What security features does Spring provide that are not already provided by the Java EE specs?
In the Java EE specs we have:
A range of sevlet security options in the web.xml. Most people will configure basic or form based authentication. They link their Java EE application to an LDAP server - which stores users / groups. Request will be encrypted and come in over HTTPS.
Possibility to annotate any EJB and only allow certain roles execute certain methods
Ability to check user principle at runtime programmatically
So what security extras does Spring 3.0 give me?

Even if you just need some fairly simple authentication, Spring Security provides support for lots of simple but useful features (think of redirecting after logout, redirecting to login page on all URLs, remember-me). With Java EE you'll end up writing this yourself and - possibly - screwing up so you'll have an insecure app.
Spring Security works well with many standards/protocols/etc. out of the box (LDAP, JAAS, X.509). There's also more advanced stuff like SSO or ACLs. And if the standard functionality doesn't suit you, you can customize this fairly easily, often requiring just a little code.
What I also like is that it's fairly non-intrusive, your controller/action/… classes typically don't have to be involved.
That said, if you use it for the first time, it takes some time to set Spring Security up and get used to it.
(Finally, here's their own feature list: http://static.springsource.org/spring-security/site/features.html)

One killer Feature are ACLs!
#See: Spring Security Reference Chapter 17. Domain Object Security (ACLs)
And I have the feeling that Spring Security is much easier to customize. For example if you need a User Management where the User can self register and get some of this privileges limitedly and some others after this email address has been confirmed.

Related

ABAC support for Spring Security or Apache Shiro

I'm trying to find any open-source or commercial implementation of Attribute-Based Access Control(ABAC) paradigm that will work together with Spring Security or Apache Shiro frameworks. Right now I can't find any of them.
I don't think I'm a first one who needs such kind of functionality - so could you please recommend frameworks that will support this ?
Also, can Permissions in Apache Shiro be considered as a particular case of ABAC paradigm implementation ?
jCasbin is a powerful and efficient open-source access control library for Java projects. It provides support for enforcing authorization based on various access control models. ABAC is one of the models that is supported by jCasbin.
ABAC: syntax sugar like a resource. The owner can be used to get the attribute for the resource.
In jCasbin, an access control model is abstracted into a CONF file based on the PERM metamodel (Policy, Effect, Request, Matches). So switching or upgrading the authorization mechanism for a project is just as simple as modifying a configuration. You can customize your own access control model by combining the available models. For example, you can get RBAC roles and ABAC attributes together inside one model and share one set of policy rules.
It supports Spring boot via plugin: jcasbinspring-boott-plugin
Also, there is another opensource project called EasyAback. (The original project documents are written in Russian and I translated them and moreover added some other documents and diagram link)
This github sample shows how ABAC can be implemented on top of spring-security framework using Spring Expression Language (SPEL). An excellent blog describes the sample code using a simple web app. Having come from an XACML background I found this project to be very familiar to XACML. It essentially maps XACML concepts to define policy's in JSON (instead of XACML / XML) and using a familiar spring-security API and framework.
Disclaimer: I work for Axiomatics
Axiomatics provides an Attribute Based Access Control (ABAC) implementation that integrates with different environments:
Native Spring Security integration
integration with other Java apps via our SDK and API
integration with API gateways e.g. Apigee
database security
We have had customers integrate with Apache Shiro . Apache Shiro are a simplified form of ABAC. They can be integrated with ABAC.
Axiomatics' implementation relies on XACML.
For an open source Java alternative, you can find several on the XACML Wikipedia page: AuthzForce, Apache OpenAZ, WSO2 Balana. For AuthzForce, you can find Java code samples of ABAC/XACML authorization filters using either an embedded Java PDP or a (remote) RESTful PDP.

The best web login approach

I am developing a jsp dynamic web project on eclipse.
I want to create an website with login functionality. I intend to store users' accounts and passwords in MySQL database. Of course, different users have different roles and rights to access different web pages. What is the best approach to implement it?
So far, I know these approaches:
1) Users enter accounts/passwords in login.jsp. LoginServlet then connects to MySQL database to check if it is correct. AuthenticationFilters will make sure only users with rights can access certain pages.
2) Use Role Based Authentication by declaring user roles in web.xml. I find this approach is not flexible, because I need to declare roles in advance.
3) Use HttpServletRequest's login/logout methods. I have not studied it.
Is my understanding correct? Could someone gives me some suggestions? Some clues would be very helpful!
Besides, I know that using POST alone to send passwords is not safe enough. Many websites suggest to use HTTPS connections. So if using HTTPS connections, does it affect the approach I choose to implement the login function?
Thanks!
--
Now, I know I need to use Spring. But Spring seems difficult for me... In Spring website I cant find out the link to download jar files. The user guide says I need to use Gradle or Maven, which I haven't used before, and have no idea why I need them. Besides, there are many Spring projects. Which one should I choose? Spring framework?
--
Have you looked into using Spring Security? It's built for just that. You don't need to be familiar with Spring but it may help.
Here are a couple of tutorials that use database authentication:
1: Spring Security Authentication and Authorization Example with Database Credentials
2: Spring Security Login Example with Database
Edit:
You don't have to Maven or Gradle. You can simply add the jars to your build path and they will work. The only projects you need to implement for the login to work is the Spring Framework and Spring Security.
To use Spring Security without Maven or Gradle:
Download the Spring Framework jars, unzip them, and add them to your project and build path. It's probably a good idea to find a hello world tutorial using Spring to get you started. A quick Google search should turn up many results.
After you have Spring implemented in your project, download the Spring Security jars, unzip those, and add them to your build path. The links to the tutorials that I previously posted will get you started. They may take a little while to go through and you may not understand exactly what is happening behind the scenes, but once you get it set up is works outstanding. I'm also not sure if you are using xml configuration or Java config but I believe those tutorials are for xml.
Spring Security was built so that it could be added to any project and have you up and running with basic configuration in about 15 minutes. After you get the basic login going (it will use the generic login form), you can search for how to implement your own custom login form, add permissions or restrictions to users and url patters, adding custom filters, etc. I encourage you to spend some time learning it as it is highly flexible and customizable.

Spring Security without a login form

I am writing a java application using Spring. The application will be deployed to a Java EE container in a Linux environment, being accessed by Windows users.
Is there a way I can authenticate these users into the application without using any forms?
EDIT:
The first thing that I need to do is identify who the user is. After reading Block 87's article, I should start looking at SPNEGO and setting up each of the environments. From that point, I should be able to implement #ticktock's answer.
Yes, you just need to replace the UsernamePasswordFormFilter with your own authentication filter. Easiest if you extend AbstractAuthenticationProcessingFilter. You'll probably have to provide your own AuthenticationProvider as well.

Spring Web Application Authentication (advise)

I'm going to start the development of an web application system with multiple modules. The system will be built over Springframework, which is the reason why I'm going to use Spring Security. However, I have doubts about the choice of the authentication system.
The idea is to create restufull services that will be consumed by extjs pages (in case of web application) and mobile application.
Please suggest alternative authentication systems (more current). I have minimal expertise in system security and I'm worried about how to protect user credentials while maintaining a high level of response speed.
Even though you have no prior experience with Spring Security, I would still recomend that you use it:
It works very well out of the box with minumum configuration effort.
There is alot of support available because it has become the de facto standard security implementation on many full stack solutions. It is unlikely that you will run into a problem that has not been solved before
Spring Security is very robust and well tested.
out-of-the box integration for almost anything i can think of
finally, spring-security is ment for the springframework. The integration is flawless. Why give up the best part the framework has to offer?
Response speed should not be a criteria when selecting security framwork. Usually repsonse speed is slow due to bad software design or configuration issues. I have never ecountered a system that was slow due to the selected security framework.
I started using Spring Security a few years ago. It took me less than a week to set it up and It has worked properly ever since.
If you need to go for simple authentication then this can easily be achieved mentioning it in Deployment Descriptors , you can specify Authorization Constraint, Security Constraints for Resources, Authentication mechanism and all . pls have a look at this link :
http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html

Best approach to secure (using roles and permissions) web application?

Thinking to use Spring security but is there better than that? Also, thinking to use CAS (Central Authentication Service) to integrate with Spring security for Single Sign On? Any suggestions? It might be different question but any idea how to use spring taglib in GWT to hide certain things based on user role?
I would recommend also the great (but maybe easier) security library from Apache: Shiro.
Here is the documentation to integrate with CAS: http://shiro.apache.org/cas.html.
Thinking to use Spring security but is there better than that?
Maybe
Also, thinking to use CAS (Central Authentication Service) to integrate with Spring security for Single Sign On? Any suggestions?
Spring Security integrates seamlessly with CAS, you just need to do namespace based configuration and add beans when required on the client side.
See Documentation
It might be different question but any idea how to use spring taglib in GWT to hide certain things based on user role?
Yes, you can do that using the security taglib like provided you include your GWT widgets into JSPs:
Here is a tutorial on how to do that but haven't tested it.
custom-integration-of-gwt-widgets-into-jsps
and the-role-of-jsps-in-a-gwt-world/
See also:
http://www.springbyexample.org/examples/simple-gwt-spring-webapp-gwt.html
how to conditionally show jsp content to logged in users with Spring security

Resources