Spring Security – XML Configuration

Spring Security – XML Configuration ”; Previous Next In Spring boot based projects, java based configuration are preferred but we”ve equivalent XML Configurations as well. In this article, we”ll used XML based Spring Security Configurations as shown below: <beans:beans //… <http auto-config=”true”> <intercept-url pattern=”/admin” access=”hasRole(”ROLE_ADMIN”)” /> <intercept-url pattern=”/**” access=”hasRole(”ROLE_ADMIN”)”/> </http> <authentication-manager> <authentication-provider> <user-service> <user name=”admin” password=”{noop}1234″ authorities=”ROLE_ADMIN” /> </user-service> </authentication-provider> </authentication-manager> <beans:bean id =”passwordEncoder” class = “org.springframework.security.crypto.password.NoOpPasswordEncoder” factory-method = “getInstance”> </beans:bean> </beans:beans> http − The parent of all web-related namespace functionality. Here, we can configure which URLs to intercept, what permissions are required, which type of login to use, and all such configuration. auto-config − Setting this attribute to true automatically sets up form-login, basic login, and logout functionalities. Spring Security generates them by using standard values and the features enabled. intercept-url − It sets the pattern of the URLs that we want to protecte, using the access attribute. access − It specifies which users are permitted to access the URL specified by the pattern attribute. It is done on the basis of the roles and permissions of a user. We can use SPEL with this attribute. authentication-manager − The <authentication-manager> is used to configure users, their passwords, and roles in the application. These users will be one who can access the protected parts of the application given they have the appropriate roles. A DaoAuthenticationProvider bean will be created by the <authentication-provider> and the <user-service> element will create an InMemoryDaoImpl. All authentication-provider elements will allow the users to be authenticated by providing the user information to the authentication-manager. password-encoder − This will register a password encoder bean. To keep things simple here we have used the NoOpPasswordEncoder. In order to register this security-config.xml in Spring Boot Application, we can import it as shown below: @SpringBootApplication @ImportResource(“classpath:/spring/spring-security.xml”) public class FormloginApplication { public static void main(String[] args) { SpringApplication.run(FormloginApplication.class, args); } } Let us start actual programming with Spring Security. Before you start writing your example using Spring framework, you have to make sure that you have set up your Spring environment properly as explained in Spring Security – Environment Setup Chapter. We also assume that you have a bit of working knowledge on Spring Tool Suite IDE. Now let us proceed to write a Spring MVC based Application managed by Maven, which will ask user to login, authenticate user and then provide option to logout using Spring Security Form Login Feature. Create Project using Spring Initializr Spring Initializr is great way to start with Spring Boot project. It provides a easy to use User Interface to create a project, add dependencies, select java runtime etc. It generates a skeleton project structure which once downloaded can be imported in spring tool suite and we can proceed with our readymade project structure. We”re choosing a maven project, naming the project as formlogin, with java version as 21. Following dependencies are added: Spring Web Spring Security Thymeleaf Spring Boot DevTools Thymeleaf is a templating engine for Java. It allows us to quickly develop static or dynamic web pages for rendering in the browser. It is extremely extensible and allows us to define and customize the processing of our templates in fine detail. In addition to this, we can learn more about Thymeleaf by clicking this link. Let”s move on to generate our project and download it. We then extract it to a folder of our choice and use any IDE to open it. I shall be using Spring Tools Suite 4. It is available for free downloading from the https://spring.io/tools website and is optimized for spring applications. pom.xml with all relevant dependencies Let”s take a look at our pom.xml file. It should look something similar to this − pom.xml <?xml version=”1.0″ encoding=”UTF-8″?> <project xmlns=”http://maven.apache.org/POM/4.0.0″ xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:schemaLocation=”http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd”> <modelVersion>4.0.0</modelVersion> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>3.3.1</version> <relativePath/> <!– lookup parent from repository –> </parent> <groupId>com.tutorialspoint.security</groupId> <artifactId>formlogin</artifactId> <version>0.0.1-SNAPSHOT</version> <name>formlogin</name> <description>Demo project for Spring Boot</description> <url/> <licenses> <license/> </licenses> <developers> <developer/> </developers> <scm> <connection/> <developerConnection/> <tag/> <url/> </scm> <properties> <java.version>21</java.version> </properties> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-thymeleaf</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.thymeleaf.extras</groupId> <artifactId>thymeleaf-extras-springsecurity6</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-devtools</artifactId> <scope>runtime</scope> <optional>true</optional> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-test</artifactId> <scope>test</scope> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-test</artifactId> <scope>test</scope> </dependency> </dependencies> <build> <plugins> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> </plugin> </plugins> </build> </project> Spring Security Configuration XML Following is the complete code of spring security configuration file created in /src/main/resources/spring/ folder as spring-security.xml. spring-security.xml <?xml version=”1.0″ encoding=”UTF-8″?> <beans:beans xmlns=”http://www.springframework.org/schema/security” xmlns:beans=”http://www.springframework.org/schema/beans” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:schemaLocation=”http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd”> <http auto-config=”true”> <intercept-url pattern=”/admin” access=”hasRole(”ROLE_ADMIN”)” /> <intercept-url pattern=”/**” access=”hasRole(”ROLE_ADMIN”)”/> </http> <authentication-manager> <authentication-provider> <user-service> <user name=”admin” password=”{noop}1234″ authorities=”ROLE_ADMIN” /> </user-service> </authentication-provider> </authentication-manager> <beans:bean id =”passwordEncoder” class = “org.springframework.security.crypto.password.NoOpPasswordEncoder” factory-method = “getInstance”> </beans:bean> </beans:beans> Spring Boot Application Following is the content of FormloginApplication class where we”ve imported the spring-security.xml from classpath. FormloginApplication.java package com.tutorialspoint.security.formlogin; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.context.annotation.ImportResource; @SpringBootApplication @ImportResource(“classpath:/spring/spring-security.xml”) public class FormloginApplication { public static void main(String[] args) { SpringApplication.run(FormloginApplication.class, args); } } Controller Class In this class, we”ve created a mapping for “/” endpoint, for “/admin” for the index page, and admin page of this application. AuthController.java package com.tutorialspoint.security.formlogin.controllers; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; @Controller public class AuthController { @GetMapping(“/”) public String home() { return “index”; } @GetMapping(“/admin”) public String admin() { return “admin”; } } Views Create index.html in /src/main/resources/templates folder with following content to act as a home page. index.html <!DOCTYPE html> <html xmlns=”http://www.w3.org/1999/xhtml” xmlns:th=”https://www.thymeleaf.org” xmlns:sec=”https://www.thymeleaf.org/thymeleaf-extras-springsecurity3″> <head> <title> Hello World! </title> </head> <body> <h1 th:inline=”text”>Hello World!</h1> <a href=”/logout” alt=”logout”>Sign Out</a> </body> <html> Let”s create admin.html in /src/main/resources/templates folder with following content to act as a Admin page. admin.html <!DOCTYPE html> <html xmlns=”http://www.w3.org/1999/xhtml” xmlns:th=”https://www.thymeleaf.org” xmlns:sec=”https://www.thymeleaf.org/thymeleaf-extras-springsecurity6″> <head> <title> Hello Admin! </title> </head> <body> <p>Admin Console</p> <a href=”/logout” alt=”logout”>Sign Out</a> </body> <html> Running the Application Once we”ve all component ready let”s run the Application. Right Click on the project, select Run As and then Spring Boot App. It will boot up the application and once application is started, we can run localhost:8080 to check the changes. Output Now open localhost:8080, you can see our login page. Login Page with Admin

Spring Security – Quick Guide

Spring Security – Quick Guide ”; Previous Next Spring Security – Form Login with Database Contents Introduction and Overview Basic components of Spring Security AuthenticationFilter AuthenticationManager AuthenticationProvider UserDetailsService PasswordEncoder Spring Security Context Form Login Login with a Database Login Attempts Limit Getting Started (Practical Guide) Introduction and Overview In addition to providing various inbuilt authentication and authorization options, Spring Security allows us to customize our authentication process as much as we want. Starting from a custom login page to our very own customized authentication providers and authentication filters, we can pretty much customize every aspect of the authentication process. We can define our own authentication process which can range from basic authentication using a username and a password to a complex one such as two-factor authentication using tokens and OTP’s. Also, we can use various databases – both relational and non-relational, use various password encoders, lock malicious users out of their accounts, and so on. Today, we are going to discuss three such customizations, namely – custom form-login, a database provided authentication, and limiting login attempts. Though these are pretty basic use-cases, yet these still will let us have a closer look into Spring Security’s authentication and authorization process. We are also going to set up a registration page through which the users will be able to register themselves with our application. First of all, let’s take a look at the architecture of Spring Security. It starts with servlet filters. These filters intercept requests, perform operations on them, and then pass the requests on to next filters in the filter chain or request handlers or block them if they do not meet certain conditions. It is during this process that Spring Security can authenticate requests and perform various authentication checks on the requests. It can also prevent unauthenticated or malicious requests from accessing our protected resources by not allowing them to pass through. Thus our application and resources stay protected. Components of Spring Security Architecture The basic components of Spring Security, as we can see in the above diagram are given below. We shall discuss them briefly as we go along. We shall also discuss their roles in the authentication and authorization process. AuthenticationFilter This is the filter that intercepts requests and attempts to authenticate it. In Spring Security, it converts the request to an Authentication Object and delegates the authentication to the AuthenticationManager. AuthenticationManager It is the main strategy interface for authentication. It uses the lone method authenticate() to authenticate the request. The authenticate() method performs the authentication and returns an Authentication Object on successful authentication or throw an AuthenticationException in case of authentication failure. If the method can’t decide, it will return null. The process of authentication in this process is delegated to the AuthenticationProvider which we will discuss next. AuthenticationProvider The AuthenticationManager is implemented by the ProviderManager which delegates the process to one or more AuthenticationProvider instances. Any class implementing the AuthenticationProvider interface must implement the two methods – authenticate() and supports(). First, let us talk about the supports() method. It is used to check if the particular authentication type is supported by our AuthenticationProvider implementation class. If it is supported it returns true or else false. Next, the authenticate() method. Here is where the authentication occurs. If the authentication type is supported, the process of authentication is started. Here is this class can use the loadUserByUsername() method of the UserDetailsService implementation. If the user is not found, it can throw a UsernameNotFoundException. On the other hand, if the user is found, then the authentication details of the user are used to authenticate the user. For example, in the basic authentication scenario, the password provided by the user may be checked with the password in the database. If they are found to match with each other, it is a success scenario. Then we can return an Authentication object from this method which will be stored in the Security Context, which we will discuss later. UserDetailsService It is one of the core interfaces of Spring Security. The authentication of any request mostly depends on the implementation of the UserDetailsService interface. It is most commonly used in database backed authentication to retrieve user data. The data is retrieved with the implementation of the lone loadUserByUsername() method where we can provide our logic to fetch the user details for a user. The method will throw a UsernameNotFoundException if the user is not found. PasswordEncoder Until Spring Security 4, the use of PasswordEncoder was optional. The user could store plain text passwords using in-memory authentication. But Spring Security 5 has mandated the use of PasswordEncoder to store passwords. This encodes the user’s password using one its many implementations. The most common of its implementations is the BCryptPasswordEncoder. Also, we can use an instance of the NoOpPasswordEncoder for our development purposes. It will allow passwords to be stored in plain text. But it is not supposed to be used for production or real-world applications. Spring Security Context This is where the details of the currently authenticated user are stored on successful authentication. The authentication object is then available throughout the application for the session. So, if we need the username or any other user details, we need to get the SecurityContext first. This is done with the SecurityContextHolder, a helper class, which provides access to the security context. We can use the setAuthentication() and getAuthentication() methods for storing and retrieving the user details respectively. Moving on, let’s now discuss the three custom implementations we are going to use for our application. Form Login When we add Spring Security to an existing Spring application it adds a login form and sets up a dummy user. This is Spring Security in auto-configuration mode. In this mode, it

Spring Security – Project Modules

Spring Security – Project Modules ”; Previous Next Spring Security codebase is divided into multiple jars based on different functionalities and their dependencies on third party libraries. In case of Maven, we need to set the required dependencies accordingly. Following is the list of jars that constitutes the Spring Security project. Core − spring-security-core.jar Web − spring-security-web.jar Config − spring-security-config.jar LDAP − spring-security-ldap.jar ACL − spring-security-acl.jar CAS − spring-security-cas-client.jar OpenID − spring-security-openid.jar OpenID − spring-security-web.jar Let”s explore details of each jar of Spring Security. Core − spring-security-core.jar Core jar contains top level packages required by any application using Spring Security. It supports standalone applications, remote clients, service layer for method security and user provisioning using JDBC. Following packages are part of core jar containing core classes for authentication, access control, remoting support and basic provisioning classes. org.springframework.security.core org.springframework.security.access org.springframework.security.authentication org.springframework.security.provisioning org.springframework.security.remoting Web − spring-security-web.jar Web jar provides web authentication services, URL based access control. It supports Servlet API. Following package is part of web jar containing filter classes and other web security related classes. org.springframework.security.web Config − spring-security-config.jar Config jar carries security namespace parsing codebase, It is needed in case of Spring Security XML namespace is used for configuration. Following package is part of config jar. org.springframework.security.config LDAP − spring-security-ldap.jar LDAP jar provides ldap authentication services and ldap provisioning code. It is required when we”re to use LDAP authentication or LDAP managed entries are to be used. Following package is part of ldap jar. org.springframework.security.ldap ACL − spring-security-acl.jar ACL jar provides specialized Domain Object ACL implementation. It is used to provide securty to domain specific object instances in the application. Following package is part of acl jar. org.springframework.security.acl CAS − spring-security-cas-client.jar CAS jar provides CAS client integration classes. It is required in case of CAS Single Sign-on Server is to be integrated with Spring Security Web authentication. Following package is part of cas jar. org.springframework.security.cas OpenId − spring-security-openid.jar OpenId jar provides OpenId web authentication services, and is used to authenticate users against external OpenId server. Following package is part of openid jar. org.springframework.security.openid Print Page Previous Next Advertisements ”;

Spring Security – Architecture

Spring Security – Architecture ”; Previous Next Spring Security is one of Spring Project or Module to secure a Spring based application. Spring security provides us many in-built features to implement authentication and authorization in our application. We can use these features with our changes to secure an application very quickly. In addition to this, Spring Security also allows plenty of customizations to the features mentioned before to implement our own complex authentications and authorizations. Spring Security Architecture Spring Security Architecture starts with servlet filters. These filters intercept requests, perform operations on them, and then pass the requests on to next filters in the filter chain or request handlers or block them if they do not meet certain conditions. It is during this process that Spring Security can authenticate requests and perform various authentication checks on the requests. It can also prevent unauthenticated or malicious requests from accessing our protected resources by not allowing them to pass through. Thus our application and resources stay protected. Components of Spring Security Architecture The basic components of Spring Security, as we can see in the above diagram are given below. We shall discuss them briefly as we go along. We shall also discuss their roles in the authentication and authorization process. The basic components of Spring Security, as we can see in the above diagram are given below. We shall discuss them briefly as we go along. We shall also discuss their roles in the authentication and authorization process. AuthenticationFilter This is the filter that intercepts requests and attempts to authenticate it. In Spring Security, it converts the request to an Authentication Object and delegates the authentication to the AuthenticationManager. AuthenticationManager It is the main strategy interface for authentication. It uses the lone method authenticate() to authenticate the request. The authenticate() method performs the authentication and returns an Authentication Object on successful authentication or throw an AuthenticationException in case of authentication failure. If the method can’t decide, it will return null. The process of authentication in this process is delegated to the AuthenticationProvider which we will discuss next. AuthenticationProvider The AuthenticationManager is implemented by the ProviderManager which delegates the process to one or more AuthenticationProvider instances. Any class implementing the AuthenticationProvider interface must implement the two methods – authenticate() and supports(). First, let us talk about the supports() method. It is used to check if the particular authentication type is supported by our AuthenticationProvider implementation class. If it is supported it returns true or else false. Next, the authenticate() method. Here is where the authentication occurs. If the authentication type is supported, the process of authentication is started. Here is this class can use the loadUserByUsername() method of the UserDetailsService implementation. If the user is not found, it can throw a UsernameNotFoundException. On the other hand, if the user is found, then the authentication details of the user are used to authenticate the user. For example, in the basic authentication scenario, the password provided by the user may be checked with the password in the database. If they are found to match with each other, it is a success scenario. Then we can return an Authentication object from this method which will be stored in the Security Context, which we will discuss later. UserDetailsService It is one of the core interfaces of Spring Security. The authentication of any request mostly depends on the implementation of the UserDetailsService interface. It is most commonly used in database backed authentication to retrieve user data. The data is retrieved with the implementation of the lone loadUserByUsername() method where we can provide our logic to fetch the user details for a user. The method will throw a UsernameNotFoundException if the user is not found. PasswordEncoder Until Spring Security 4, the use of PasswordEncoder was optional. The user could store plain text passwords using in-memory authentication. But Spring Security 5 has mandated the use of PasswordEncoder to store passwords. This encodes the user’s password using one its many implementations. The most common of its implementations is the BCryptPasswordEncoder. Also, we can use an instance of the NoOpPasswordEncoder for our development purposes. It will allow passwords to be stored in plain text. But it is not supposed to be used for production or real-world applications. Spring Security Context This is where the details of the currently authenticated user are stored on successful authentication. The authentication object is then available throughout the application for the session. So, if we need the username or any other user details, we need to get the SecurityContext first. This is done with the SecurityContextHolder, a helper class, which provides access to the security context. We can use the setAuthentication() and getAuthentication() methods for storing and retrieving the user details respectively. Moving on, let’s now discuss the three custom implementations we are going to use for our application. Form Login When we add Spring Security to an existing Spring application it adds a login form and sets up a dummy user. This is Spring Security in auto-configuration mode. In this mode, it also sets up the default filters, authentication-managers, authentication-providers, and so on. This setup is an in-memory authentication setup. We can override this auto-configuration to set up our own users and authentication process. We can also set up our custom login method like a custom login form. Spring Security only has to made aware of the details of the login form like – the URI of the login form, the login processing URL, etc.. It will then render our login form for the application and carry out the process of authentication along with the other provided configurations or Spring’s own implementation. A custom form setup will only have to abide by certain rules to be integrated with Spring Security. We need to have a username parameter and a password parameter and the parameter names should be “username” and “password” since those are the default names. In case, we use our own parameter names for these fields in the custom we have