Can spring Acegi security be used for a social networking application where users can set their security preferences to share their data only with their friends?
The common scenario of the Acegi tutorials is where you want to authorize actions per user role, but what about authorizing users to view specific data, say, only their friends'?
Is it possible to use Acegi for that? How?
Short answer: yes.
Note that Acegi is now part of Spring and is known as Spring Security.
As to how to do it, that's a much more complicated question, and likely has as many right answers as there are people willing to try. Your final solution will depend on the needs of the app you're developing, the environment you're in, and the organization you are designing for. I'll assume that you want everyone (or most) to see the basic information, and that the sensitive information only appears on the page if the requester is a friend.
I believe the most basic means of all will involve using the SecurityContext within your servlets/controllers/resources (far too many ways to design a web app to make assumptions here), and page templates (JSF, JSP, etc.), to get access to the currently authenticated user, and include only the information that user is allowed to access.
The fundamental elements of Spring Security are:
- Security Interceptor
- Authentication Manager
- Access Decision Manager
- Run-As Manager
- After-Invocation Manager
The actual implementation of a security interceptor will depend on what resource is being secured. If you’re securing a URL in a web application, the security interceptor will be implemented as a servlet filter. But if you’re securing a method invocation, aspects will be used to enforce security.
A security interceptor does little more than intercept access to resources to enforce security. It does not actually apply security rules. Instead, it delegates that responsibility to the various managers.
By using the proper manager(s) you will be able to fulfill your requirements.
Reference: Manning, Spring in Action, 2nd Edition, August 2007
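An added example (not code from this answer or from Spring in Action) of the "SecurityContext in the controller" approach the answer describes: the controller asks Spring Security who the current user is and puts friends-only fields into the response only when that user is the owner or a friend. The FriendshipRepository and ProfileRepository interfaces, the Profile and ProfileView records and the URL are assumptions.

```java
// Added example (not from the original answer or from Spring in Action): a controller that reads
// the current user from the SecurityContext and includes friends-only fields only when allowed.
// FriendshipRepository, ProfileRepository, Profile and ProfileView are assumed application types.
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
public class ProfileController {

    // Assumed application interfaces; neither is part of Spring Security.
    public interface FriendshipRepository { boolean areFriends(String userA, String userB); }
    public interface ProfileRepository { Profile findByUsername(String username); }

    // Stored profile (assumed shape) and the view actually sent to the caller.
    public record Profile(String username, String displayName, String email, String phone) {}
    public record ProfileView(String username, String displayName, String email, String phone) {}

    private final FriendshipRepository friendships;
    private final ProfileRepository profiles;

    public ProfileController(FriendshipRepository friendships, ProfileRepository profiles) {
        this.friendships = friendships;
        this.profiles = profiles;
    }

    @GetMapping("/profiles/{username}")
    public ProfileView view(@PathVariable String username) {
        Profile profile = profiles.findByUsername(username);
        if (profile == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        // The filter chain has already authenticated the request (or not); the result is
        // available to any code on this thread through the SecurityContext.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Caveat: an anonymous request still carries an AnonymousAuthenticationToken whose
        // isAuthenticated() is true, so it has to be excluded explicitly.
        boolean loggedIn = auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
        String viewer = loggedIn ? auth.getName() : null;
        boolean mayViewSensitive = viewer != null
                && (viewer.equals(profile.username())
                    || friendships.areFriends(viewer, profile.username()));
        // The decision is made here, on the server: fields the viewer may not see are never
        // put into the response, so a template or client cannot accidentally expose them.
        return new ProfileView(
                profile.username(),
                profile.displayName(),
                mayViewSensitive ? profile.email() : null,
                mayViewSensitive ? profile.phone() : null);
    }
}
```

The same check can be moved into a method-security expression (`@PreAuthorize` with a bean reference) once it is needed in more than one place; the point of the controller version is that the rule is evaluated per request, per record, and the data is withheld before it leaves the server.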
I have a Spring MVC web application protected with Spring Security. Life seemed so calm until I was forced to do Static Application Security Testing (SAST) and the tool threw up a bunch of security issues. Have a look here:
I have gone through all the CVEs and got a rough picture of the vulnerabilities. I have a few queries:
How is a web application vulnerable to such exploitation when a security framework like Spring Security is integrated with it?
Can I ignore all those vulnerabilities, since Spring Security might have some sort of workaround for all of them?
From the Spring Security manual:
Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.
Think of Spring Security as an authentication framework; it covers one piece of the security puzzle.
As an example, let's have a look at the #1 of the OWASP Top 10 Application Security Risks: A1 - Injection
Assume you use a jar for accessing an SQL database (e.g. Hibernate) and it has an injection vulnerability; then your application could be vulnerable as well. However, even if Hibernate doesn't have any security bugs, if a programmer concatenates an SQL query together without correctly escaping the user input, the application is vulnerable to an injection attack.
Spring Security doesn't protect your application from either of these injection attacks.
If a jar has a vulnerability and you are calling the vulnerable methods/features then your app may also have that vulnerability; it depends a lot on what the vulnerability is, how it's executed and how your application is configured to use the jar.
For a quick look over the other OWASP Top 10 Application Security Risks:
A1-Injection - No protection from Spring Security
A2-Broken Authentication and Session Management - Spring Security can help manage some of these; however, a misconfigured Spring Security will expose these.
A3-Cross-Site Scripting (XSS) - No protection from Spring Security
A4-Insecure Direct Object References - No added protection from Spring Security (Spring Security gives you the tool to manage this)
A5-Security Misconfiguration - No protection from Spring Security
A6-Sensitive Data Exposure - Spring Security can assist with this however it also depends a lot on how you store and manage your data (E.g. log files)
A7-Missing Function Level Access Control - If the access control has been missed, Spring Security can't help you, however spring security makes it easy to add these
A8-Cross-Site Request Forgery (CSRF) - Spring Security (depending on how your application is configured) will assist you or even manage this risk for you.
A9-Using Components with Known Vulnerabilities - These are the CVEs you have listed in your question - No protection from Spring Security
A10-Unvalidated Redirects and Forwards - Spring Security could be used to manage this however it doesn't protect your application from this out of the box
The list of CVEs found during the SAST of your application is an example of A9-Using Components with Known Vulnerabilities; have a look at the OWASP wiki for more information.
Example Attack Scenarios
Component vulnerabilities can cause almost any type of risk imaginable, ranging from the trivial to sophisticated malware designed to target a specific organization. Components almost always run with the full privilege of the application, so flaws in any component can be serious. The following two vulnerable components were downloaded 22m times in 2011.
Apache CXF Authentication Bypass – By failing to provide an identity token, attackers could invoke any web service with full permission. (Apache CXF is a services framework, not to be confused with the Apache Application Server.)
Spring Remote Code Execution – Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server.
Every application using either of these vulnerable libraries is vulnerable to attack as both of these components are directly accessible by application users. Other vulnerable libraries, used deeper in an application, may be harder to exploit.
Note from the last paragraph above that the deeper the component (jar) is, the harder it is to exploit; however, that doesn't mean a determined entity can't exploit it.
In summary, Spring Security is a great tool for managing authentication and access-controls in your application but it isn't a magic bullet to fix all security problems.
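As an added illustration of the A1 point in this answer (not code from the answer itself), here is the concatenated query it warns about next to its parameterised form. Spring Security sits in the servlet filter chain and never sees either statement; whether the application is injectable is decided entirely in the data-access code. The `course` table and the `DataSource` are assumptions.

```java
// Added example, not from the answer above: the A1 (Injection) case the answer describes.
// The course table (columns code, title) and the DataSource are assumptions.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

public class CourseLookup {

    private final DataSource dataSource; // assumed to be supplied by the application

    public CourseLookup(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // VULNERABLE: the caller's input becomes part of the SQL text. Any title containing a
    // single quote changes the structure of the statement, whatever Spring Security decided
    // about the user who sent it.
    public List<String> findByTitleUnsafe(String title) throws SQLException {
        String sql = "SELECT code FROM course WHERE title = '" + title + "'";
        List<String> codes = new ArrayList<>();
        try (Connection c = dataSource.getConnection();
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery(sql)) {
            while (rs.next()) {
                codes.add(rs.getString("code"));
            }
        }
        return codes;
    }

    // SAFE: the statement text is fixed at compile time and the title travels to the
    // database as a bound parameter, so it is only ever treated as data, never as SQL.
    public List<String> findByTitle(String title) throws SQLException {
        String sql = "SELECT code FROM course WHERE title = ?";
        List<String> codes = new ArrayList<>();
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, title);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    codes.add(rs.getString("code"));
                }
            }
        }
        return codes;
    }
}
```

The same distinction applies to HQL/JPQL in Hibernate: named or positional parameters are safe, string concatenation is not. A SAST tool flags the first method and not the second; neither finding has anything to do with the Spring Security configuration.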
I'm new to Spring Security, and I can't grasp its basic workflow. I have read the official documentation again and again but I feel more confused. I can't figure out what exactly these are:
authentication manager/provider
authentication object
user detail
user details service
It seems that the authentication object is built thanks to the user details, but the latter needs the former to be built (that's what I understood from the docs).
Does anyone have a simple explanation of how all of these things are used?
The authentication manager allows multiple authentication providers (e.g. an in-memory db and a normal db?). The authentication provider looks up a user details implementation via whichever user details service has been specified. The authentication object is then created from that.
User service and user details implementation are completely independent of spring security, you do not need spring security to use them.
[Ref docs]
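An added example, not from the answer or the reference docs, that wires the four pieces from the question together by hand with the Spring Security 5/6 API so the order of construction is visible. The account store is a constructed in-memory map and the username, password and role are made up.

```java
// Added example (not from the answer or the Spring docs): the pieces named in the question,
// assembled by hand. The "user table" is a constructed in-memory map.
import java.util.List;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class AuthenticationWalkthrough {

    public static Authentication login(String username, String password) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // 1. UserDetailsService: YOUR code. It only knows how to load a stored account by
        //    username. Here the store is a constructed map; in an app it is a DB, LDAP, etc.
        Map<String, String> storedHashes = Map.of("alice", encoder.encode("correct horse"));
        UserDetailsService users = name -> {
            String hash = storedHashes.get(name);
            if (hash == null) {
                throw new UsernameNotFoundException(name);
            }
            // 2. UserDetails: the loaded account (username, stored hash, authorities).
            //    Nothing has been checked yet; this is just what the store holds.
            return User.withUsername(name).password(hash).roles("STUDENT").build();
        };

        // 3. AuthenticationProvider: compares the submitted credentials with the UserDetails
        //    using the PasswordEncoder. (Setter style keeps this valid across 5.x/6.x.)
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);

        // 4. AuthenticationManager: tries each provider in turn until one can answer.
        AuthenticationManager manager = new ProviderManager(List.of(provider));

        // 5. The *unauthenticated* Authentication object holds only what the login form sent.
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);

        // 6. On success the manager returns a NEW Authentication: isAuthenticated() is true,
        //    getPrincipal() is the UserDetails loaded in step 1, the authorities come from it,
        //    and the password has been erased. A wrong password throws BadCredentialsException.
        return manager.authenticate(request);
    }

    public static void main(String[] args) {
        Authentication result = login("alice", "correct horse");
        System.out.println(result.getPrincipal() instanceof UserDetails);
        System.out.println(result.getAuthorities());
    }
}
```

So the circularity in the question dissolves: the UserDetails is loaded from storage by name alone, and the authenticated Authentication is produced afterwards, wrapping that UserDetails as its principal. In a web app step 5 is done by the login filter and step 6's result is stored in the SecurityContext for the rest of the request.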
I am a beginner and I have read some parts of Spring Security.
From the docs:
Spring Security provides you with a very flexible framework for your authentication and authorization requirements,
But I didn't get the actual goal behind Spring Security. Why do I need Spring Security when I can achieve the same thing manually with a simple Java filter?
What makes Spring Security worth using?
I'd appreciate it if anyone could explain in simple words and mention some use cases.
Refer to http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/faq.html#faq-web-xml
Spring Security isn't only for protecting pages; it can also protect methods and do ACLs on your domain objects. It prevents (or at least makes it more difficult to do) session hijacking, and it also has support for concurrent session control (a single user can log in at most x times at once).
The current release also has support for security headers and out-of-the-box CSRF protection for your forms.
Next to all that, it provides, out of the box, multiple ways of storing your security-related data, be it in files, a database, LDAP or Active Directory.
Whilst you might be able to do simple protection of pages in a filter, it doesn't give you any of the added benefits of Spring Security.
Finally, Spring Security has been battle tested and is used by many companies, small to large, whilst your simple custom filter hasn't been.
I have configured security on enterprise projects using both ways. Here are the benefits of using Spring Security over writing a filter:
1) Ease to Use & Configure
2) Multiple Auth Provider (i.e. LDAP, SSO, etc)
3) Maintainability
4) Ease to implement Session Management
5) Ease to implement Remember Me Functionality
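An added example (not code from either answer) of how little configuration the features listed in the two answers need with Spring Security 6's Java config: URL rules, form login, CSRF protection, security headers, session-fixation protection and a concurrent-session limit. The paths, the role name and the Content-Security-Policy value are assumptions.

```java
// Added example (not from either answer): one Spring Security 6 configuration class that turns on
// the features the answers list. Paths, role names and the CSP directive are assumptions.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // URL authorization: the "protect pages" part a hand-written filter would cover.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login"))
            // CSRF protection is on by default; written out only to make it visible.
            .csrf(Customizer.withDefaults())
            // X-Content-Type-Options, X-Frame-Options, cache control and HSTS are on by
            // default; a Content-Security-Policy has to be stated explicitly.
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'")))
            // Session fixation protection (new session id on login) and the concurrent
            // session limit the first answer mentions: a second login is refused.
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.migrateSession())
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true));
        return http.build();
    }

    // Required for the concurrent-session registry to learn when sessions end.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

Every line here corresponds to a feature that a custom filter would have to implement, test and keep current by hand; with `maxSessionsPreventsLogin(false)` the older session would be expired instead of the new login being refused.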
I am implementing a Spring Data REST based app and I would like to know if there is an elegant way to implement authentication and authorization rules using this framework or related frameworks.
All HTTP requests to the REST server must carry authentication headers. I need to check them and decide whether to authorize or not based on the HTTP method and the association of the authenticated user with the resource being requested. For example (the app is the REST server of an e-learning system), instructors can access only their own course sections, students can access only the course sections they are subscribed to, etc.
I would like to know if there is a default way to implement authorization in Spring Data REST. If the answer is no, could you make a suggestion for my issue? I am thinking about:
Servlet Filters
Spring Security
Spring Data REST Handlers (how to access the HTTP headers?)
The best bet for you is Spring Security.
That would help you achieve authorization in a much simpler manner.
Spring Security would require you to provide an implementation that looks at the request headers and performs the log-in operation programmatically.
Refer to the accepted answer here. I followed the same and implemented the security layer in front of my REST services (which were built using RESTEasy):
RESTful Authentication via Spring
There is an alternate method as well.
Refer to http://www.baeldung.com/spring-security-authentication-provider
In both cases you can disable session creation by declaring stateless authentication in Spring Security; this would help you improve performance considerably when a large volume of hits is made to the stateless REST services.
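An added example (not code from the answer or from the linked posts) of what the answer describes: a filter that performs the log-in from a request header, a stateless filter chain so no session is created, and a per-record rule on the Spring Data REST repository so an instructor or subscribed student sees only their own sections. It assumes Spring Boot 3 / Spring Security 6 (jakarta.servlet); TokenStore, Section and SectionRepository are assumed application types and the bearer token is an opaque value the application issued.

```java
// Added example (not from the answer): stateless, header-based authentication in front of a
// Spring Data REST repository, with a per-record rule on the repository itself. Assumes Spring
// Boot 3 / Spring Security 6 (jakarta.servlet); TokenStore, Section and SectionRepository are
// assumed application types and the bearer token is an opaque value the application issued.
import java.io.IOException;
import java.util.Optional;
import java.util.Set;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.CrudRepository;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableMethodSecurity
public class RestSecurityConfig {

    /** Assumed: resolves a bearer token to the account it was issued to, or null. */
    public interface TokenStore { UserDetails resolve(String token); }

    /** Reads the Authorization header on each request and fills the SecurityContext. */
    static class TokenFilter extends OncePerRequestFilter {
        private final TokenStore tokens;
        TokenFilter(TokenStore tokens) { this.tokens = tokens; }

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                        FilterChain chain) throws ServletException, IOException {
            String header = req.getHeader("Authorization");
            if (header != null && header.startsWith("Bearer ")) {
                UserDetails user = tokens.resolve(header.substring("Bearer ".length()));
                if (user != null) {
                    // The three-argument constructor produces an *authenticated* token.
                    var auth = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                    SecurityContextHolder.getContext().setAuthentication(auth);
                }
            }
            // Missing or unknown token: carry on unauthenticated; the rules below reject it.
            chain.doFilter(req, res);
        }
    }

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http, TokenStore tokens) throws Exception {
        http
            // No session is ever created, so nothing survives between requests and the
            // SecurityContext must be rebuilt from the header every time.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF relies on the browser attaching credentials automatically (cookies); a
            // header-only API has no such ambient credential, so the token check is not needed.
            .csrf(csrf -> csrf.disable())
            .addFilterBefore(new TokenFilter(tokens), UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}

/** Assumed entity (JPA mapping omitted): a course section with its instructor and students. */
class Section {
    private String instructor;     // username of the instructor
    private Set<String> students;  // usernames of subscribed students
    public String getInstructor() { return instructor; }
    public Set<String> getStudents() { return students; }
}

/** Spring Data REST exports this repository; the rule runs after the record has been loaded. */
interface SectionRepository extends CrudRepository<Section, Long> {
    @Override
    @PostAuthorize("!returnObject.isPresent()"
            + " or returnObject.get().instructor == authentication.name"
            + " or returnObject.get().students.contains(authentication.name)")
    Optional<Section> findById(Long id);
}
```

Because the rule lives on the repository method, it applies whether the section is reached through the REST endpoint or from application code, and the HTTP method distinction the question asks about can be added in the same way with `@PreAuthorize` on `save` and `deleteById`.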
In our organization we are developing an LDAP-based authentication and authorization module
with a Single Sign-On feature. After developing this generic module, there will be tens of other modules which will depend on it. The tool set is:
Spring
Hibernate
Tomcat 7
openAm/openSSO
openldap
postgresql
We will have a simple authentication mechanism but a very complex authorization scheme. We are not sure what the right approach for authorization will be. Should we put the authentication as well as the authorization logic in LDAP, or should we use it for authentication only? In that case we will have to mess around with OpenAM/OpenSSO. Is there any other approach, like Spring Security, CAS, JOSSO, ...? Whatever the approach, it has to be very scalable and maintainable. Any suggestion or help would be greatly appreciated.
Thanks,
Nazrul
You may have a look at Apache Shiro: http://shiro.apache.org/. It is an easy-to-use security framework that supports most of the existing security technologies, including LDAP and Single Sign-On.
Also, by subclassing AuthenticatingRealm and AuthorizingRealm (from the Shiro API), you can implement your authentication and authorization strategies no matter how complex they are.
Most commonly, you will implement your own:
AuthenticatingRealm
AuthorizingRealm
AuthenticationToken
AuthorizationToken
PermissionResolver
and so on...
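An added example (not code from the answer) of the shape of a custom Shiro realm that the answer recommends: authentication data comes from one lookup and roles/permissions from another, which matches the question's split of simple authentication against LDAP and a separate, more complex authorization scheme. The AccountDirectory interface and its permission strings are assumptions.

```java
// Added example, not from the answer: a custom Shiro realm that authenticates against one
// lookup and authorizes from another. AccountDirectory and the permission-string format are
// assumptions; Shiro also ships LDAP realms that could replace the credential lookup.
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class DirectoryRealm extends AuthorizingRealm {

    /** Assumed: the organization's directory (LDAP in the question) and its authorization data. */
    public interface AccountDirectory {
        Object credentialsFor(String username);      // stored credential, or null if unknown
        Set<String> rolesFor(String username);        // e.g. "instructor"
        Set<String> permissionsFor(String username);  // e.g. "section:read:42"
    }

    private final AccountDirectory directory;

    public DirectoryRealm(AccountDirectory directory) {
        this.directory = directory;
        setName("directory");
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof UsernamePasswordToken;
    }

    // Authentication: hand Shiro the stored credential. The realm's CredentialsMatcher does
    // the comparison with what the user submitted, so this code never compares secrets itself.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        Object stored = directory.credentialsFor(username);
        if (stored == null) {
            return null; // unknown user: Shiro moves on to the next realm, if any
        }
        return new SimpleAuthenticationInfo(username, stored, getName());
    }

    // Authorization: evaluated lazily the first time code calls hasRole()/isPermitted() on
    // the Subject, and cached by AuthorizingRealm when a cache manager is configured.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(directory.rolesFor(username));
        info.setStringPermissions(directory.permissionsFor(username));
        return info;
    }
}
```

Application code then asks `SecurityUtils.getSubject().isPermitted("section:read:42")` rather than consulting LDAP group membership directly, so the complex authorization rules can live in a database or policy store while the directory is used for authentication only, which is the split the question is weighing.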
You probably would want to look at this before making any decision:
http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html
For the authorization, you can look at externalized authorization frameworks based on XACML, the eXtensible Access Control Markup Language.
It is an OASIS standard that implements attribute-based access control, which gives you a lot of flexibility in how you design your authorization.