CS520 Web Programming Declarative Security (II)



CS520 Web Programming Declarative Security (II) Chengyu Sun California State University, Los Angeles

Security Requirements of Web Applications
- Authentication
- Authorization (Access Control)
  - URL
  - Method invocation
  - Domain object
  - View

Spring Security
- A security framework for Spring-based applications
- Addresses all the security requirements of web applications

How Does Spring Security Work
- Intercept requests and/or responses
  - Servlet filters
  - Spring handler interceptors
- Intercept method calls
  - Spring method interceptors
- Modify views
  - Spring Security Tag Library

Servlet Filter
- Intercept, examine, and/or modify request and response
[Diagram label: Servlet/JSP]

Servlet Filter Example
- web.xml: <filter> and <filter-mapping>
- Modify request
- Modify response

Spring Handler Interceptor
- Serve the same purpose as servlet filter
- Configured as Spring beans, i.e. support dependency injection
[Diagram labels: request, response, Handler Interceptor, Controller]

Intercept Request/Response
- What can we do by intercepting the request?
- What can we do by intercepting the response?
[Diagram labels: Request, Controller, /member/index.html, Response]
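One answer to both questions, as an added example that is not from the original slides: a servlet filter that turns away requests without a logged-in user and marks protected responses as non-cacheable. The class name, the session attribute `user` and the login page `/login.html` are assumptions; the filter would be mapped to `/member/*` with `<filter>` and `<filter-mapping>` in web.xml.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical hand-written login check for protected pages.
public class LoginCheckFilter implements Filter {

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Intercept the request: getSession(false) avoids creating a session
        // for every anonymous visitor just to find that it is empty.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user"); // assumed attribute

        if (user == null) {
            // Not logged in: the controller behind this filter is never reached.
            response.sendRedirect(request.getContextPath() + "/login.html"); // assumed login page
            return;
        }

        // Modify the response: headers have to be set before the rest of the
        // chain writes the body, because a committed response ignores them.
        response.setHeader("Cache-Control", "no-store");

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {}
}
```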

Intercept Method Call
- What can we do in BeforeAdvice?
- What can we do in AfterAdvice?
[Diagram labels: BeforeAdvice, Method Invocation, User getUserById(1), AfterAdvice]

Adding Spring Security to a Web Application …
- Dependencies
  - spring-security-config
  - spring-security-taglibs

… Adding Spring Security to a Web Application
web.xml
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <!-- must repeat the name declared in <filter> above -->
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Spring Security Authentication
- Login and logout
- Authenticate against a database
- Access Principal in application code
- Implement your own User Service

HTTP Security Configuration
    <http auto-config="true" />
    <!-- is shorthand for: -->
    <http>
        <form-login />
        <http-basic />
        <logout />
    </http>

Login
    <form action="/login" method="POST">
        User: <input type="text" name="username" />
        Password: <input type="password" name="password" />
        <input type="hidden" name="_csrf" value="…" />
        <input type="submit" name="submit" value="Login" />
    </form>
- More information about Cross Site Request Forgery (CSRF) attack at http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf

Customize <form-login>
- login-page
- authentication-failure-url
- More at http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#nsa-form-login
- Example: CSNS2

Logout
- URL: /logout
- Requires a POST request with a _csrf parameter
    <form action="/logout" method="POST">
        <input name="_csrf" type="hidden" value="${_csrf.token}" />
        <input name="submit" type="submit" value="Logout" />
    </form>

Customize <logout>
- logout-success-url
- More at http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#nsa-logout

[Diagram: Authentication Sources. Labels: Authentication Manager; JDBC Authentication Provider; LDAP Authentication Provider; PreAuthenticated Authentication Provider; User Service; database; LDAP; Servlet Container]

Authentication Sources Supported
- Database
- LDAP
- JAAS
- CAS
- OpenID
- SiteMinder
- X.509
- Windows NTLM
- Container-based
  - JBoss
  - Jetty
  - Resin
  - Tomcat

Authenticate Against a Database – Configuration
applicationContext.xml
    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource" />
        </authentication-provider>
    </authentication-manager>
- Spring Security namespace: http://www.springframework.org/schema/security
- Schema location: http://www.springframework.org/schema/security/spring-security.xsd

Authenticate Against A Database – Default Schema
    create table users (
        username string primary key,
        password string,
        enabled boolean
    );
    create table authorities (
        username string references users(username),
        authority string -- role name
    );

Authenticate Against A Database – Customization
- <jdbc-user-service>
  - users-by-username-query
  - authorities-by-username-query
- <authentication-provider>
  - <password-encoder>
  - user-service-ref

Customize <jdbc-user-service> ...
    class User {
        Integer id;
        String username;
        String password;
        boolean enabled;
        String email;
        Set<String> roles;
    }
- users table columns: id, username, password, enabled, email
- authorities table columns: user_id, authority

… Customize <jdbc-user-service>
    select u.username, a.authority
        from users u, authorities a
        where u.username = ? and u.id = a.user_id
    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                authorities-by-username-query="…" />
        </authentication-provider>
    </authentication-manager>
- http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#nsa-jdbc-user-service

Access Authenticated User in Application Code …
- If Spring Security does all the authentication work, how can we tell in our application code which user has logged in?

… Access Authenticated User in Application Code
    SecurityContextHolder
        .getContext()
        .getAuthentication()
        .getPrincipal();
- See SecurityUtils in CSNS2 for more examples

Authentication
- An object representing an authentication request or an authenticated user after the request is processed
- Implements Authentication interface

Principal
- Contains information about the authenticated user
- Implements UserDetails interface
- Default implementation of Principal only includes limited user information such as username, password, and roles.

Replace Default Principal Implementation
- Create a User class that implements UserDetails interface
- Create a User Service implementation (i.e. implementing UserDetailsService interface)
- Replace <jdbc-user-service> with your user service implementation in <authentication-provider>

Replace Default Principal Implementation Example
- CSNS2
- User implements UserDetails interface
- UserDetailsServiceImpl implements UserDetailsService interface
  - @Service("userService")
- <authentication-provider user-service-ref="userService" /> in applicationContext.xml
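What the User class and the user service can look like, as an added example that is not the CSNS2 code: the fields follow the User class shown on the earlier slide, and `UserDao` with its `getUserByUsername` method is a hypothetical DAO. It also shows how application code can then read the full User from the security context.

```java
import java.util.*;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

// The application's own User class doubles as the Principal.
class User implements UserDetails {
    Integer id; String username; String password; boolean enabled; String email;
    Set<String> roles = new HashSet<>();

    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : roles) authorities.add(new SimpleGrantedAuthority(role));
        return authorities;
    }
    public String getUsername() { return username; }
    public String getPassword() { return password; }
    public boolean isEnabled() { return enabled; }
    // Expiry and lockout are not modelled here, so they never block a login.
    public boolean isAccountNonExpired() { return true; }
    public boolean isAccountNonLocked() { return true; }
    public boolean isCredentialsNonExpired() { return true; }
}

interface UserDao { User getUserByUsername(String username); } // hypothetical; null if absent

@Service("userService") // bean name referenced by user-service-ref="userService"
class UserDetailsServiceImpl implements UserDetailsService {
    @Autowired private UserDao userDao;

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userDao.getUserByUsername(username);
        // The interface contract is to throw for an unknown user, never to return null.
        if (user == null) throw new UsernameNotFoundException("No such user: " + username);
        return user;
    }

    // Returns the logged-in User, or null when nobody is (anonymous principal is a String).
    static User currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Object principal = (auth == null) ? null : auth.getPrincipal();
        return (principal instanceof User) ? (User) principal : null;
    }
}
```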

Authorization Examples
- Users must log in to access user management functions
- A user can only view/edit their own account
- An administrator can view/edit all accounts
- Only administrators can create new accounts
- Operations not available to a user should be hidden from the user

Example: URL Security
- Users must log in to access user management functions
  - authenticated is required to access /user/**

URL Security
applicationContext.xml
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/user/**" access="authenticated" />
    </http>

Pattern for <intercept-url>
- Default to ANT path pattern, e.g.
  - /user/list.html
  - /user/*
  - /user/**
  - /user/*/*.html
  - /**/*.html
- Case-insensitive

Spring Expression Language (SpEL) http://docs.spring.io/spring/docs/current/spring-framework-reference/html/expressions.html

Security-Related SpEL Methods and Properties
- hasIpAddress()
- hasRole()
- hasAnyRole()
- permitAll
- denyAll
- anonymous
- authenticated
- rememberMe
- fullyAuthenticated
- http://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/web/access/expression/WebSecurityExpressionRoot.html

Example: Method Security
- A user can only edit their own account
  - A user may only invoke userDao.saveUser() if the user object to be saved has the same username.

Enable Method Security
applicationContext.xml
    <global-method-security pre-post-annotations="enabled" />

@PreAuthorize("SpEL expr")
- Allow method invocation if the SpEL expression evaluates to true
- Throw an AccessDeniedException if the expression evaluates to false

More Security-Related SpEL Properties
- authentication
- principal
- Method parameter: #<param_name>
- Method return value: returnObject

Method Security
    @PreAuthorize("principal.username == #user.username")
    public User saveUser( User user )
- Exercise: implement the following security constraints
  - An administrator can edit all accounts
  - Only administrators can create new accounts

Example: Object Security
- A user can only view their own account
  - The user object returned by userDao.getUser() must have the same id as the user who invoked the method

Object Security
    @PostAuthorize("principal.username == returnObject.username")
    public User getUser( Integer id )
- Exercise: implement the following security constraints
  - An administrator can view all accounts

Example: View Security
- Operations not available to a user should be hidden from the user
    ID   Name    Operations
    1    admin   Details | Edit
    2    cysun   Details | Edit
    3    jdoe    Details | Edit

Security Tag Library
- http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#taglibs
- <authorize>
  - access
- <authentication>
  - property

View Security
    <security:authorize access="hasRole('ROLE_ADMIN') or principal.username == '${user.username}'">
        <a href="viewUser.html?id=${user.id}">Details</a> |
        <a href="editUser.html?id=${user.id}">Edit</a>
    </security:authorize>

Conclusion
- Declarative security vs. Programmatic security
- Spring Security provides the best of both worlds
  - Declarative security framework
  - Portability and flexibility
  - Separate security code from regular code