Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS520 Web Programming Declarative Security (II)

Published byRandolf McGee Modified over 6 years ago

Similar presentations

Presentation on theme: "CS520 Web Programming Declarative Security (II)"— Presentation transcript:

1 CS520 Web Programming Declarative Security (II)
Chengyu Sun California State University, Los Angeles

2 Security Requirements of Web Applications
Authentication Authorization (Access Control) URL Method invocation Domain object View

3 Spring Security A security framework for Spring-based applications
Addresses all the security requirements of web applications

4 How Does Spring Security Work
Intercept requests and/or responses Servlet filters Spring handler interceptors Intercept method calls Spring method interceptors Modify views Spring Security Tag Library

5 Servlet Filter Intercept, examine, and/or modify request and response
Servlet/JSP

6 Servlet Filter Example
web.xml <filter> and <filter-mapping> Modify request Modify response

7 Spring Handler Interceptor
Serve the same purpose as servlet filter Configured as Spring beans, i.e. support dependency injection Handler Interceptor request response Controller

8 Intercept Request/Response
What can we do by intercepting the request?? Request Controller /member/index.html Response What can we do by intercepting the response??

9 Intercept Method Call BeforeAdvice Method Invocation
What can we do in BeforeAdvice?? Method Invocation User getUserById(1) AfterAdvice What can we do in AfterAdvice??

10 Adding Spring Security to a Web Application …
Dependencies spring-security-config spring-security-taglibs

11 … Adding Spring Security to a Web Application
web.xml <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <url-pattern>/*</url-pattern> </filter-mapping>

12 Spring Security Authentication
Login and logout Authenticate against a database Access Principal in application code Implement your own User Service

13 HTTP Security Configuration
<http auto-config=“true” /> <http> <form-login /> <http-basic /> <logout /> </http>

14 Login <form action=“/login” method=“POST”>
User: <input type=“text” name=“username” /> Password: <input type=“password” name=“password” /> <input type=“hidden” name=“_csrf” value=“…” /> <input type=“submit” name=“submit” value=“Login” /> </form> More information about Cross Site Request Forgery (CSRF) attack at

15 Customize <form-login>
login-page authentication-failure-url More at Example: CSNS2

16 Logout URL: /logout Requires a POST request with a _csrf parameter
<form action=“/logout” method=“POST”> <input name=“_csrf” type=“hidden” value=“${_csrf.token}” /> <input name=“submit” type=“submit” value=“Logout” /> </form>

17 Customize <logout>
logout-success-url More at

18 Authentication Manager
JDBC Authentication Provider LDAP Authentication Provider PreAuthenticated Authentication Provider User Service Authentication Sources LDAP Servlet Container database

19 Authentication Sources Supported
Database LDAP JAAS CAS OpenID SiteMinder X.509 Windows NTLM Container-based JBoss Jetty Resin Tomcat

20 Authenticate Against a Database – Configuration
applicationContext.xml <authentication-manager> <authentication-provider> <jdbc-user-service data-source-ref="dataSource" /> </authentication-manager> Spring Security namespace:

21 Authenticate Against A Database – Default Schema
create table users ( username string primary key, password string, enabled boolean ); create table authorities ( username string references users(username), authority string -- role name

22 Authenticate Against A Database – Customization
<jdbc-user-service> users-by-username-query authorities-by-username-query <authentication-provider> <password-encoder> user-service-ref

23 Customize <jdbc-user-service> ...
class User { Integer id; String username; String password; boolean enabled; String ; Set<String> roles; } id username password enabled authorities user_id authority

24 … Customize <jdbc-user-service>
select u.username, a.authority from users u, authorities a where u.username = ? and u.id = a.user_id <authentication-manager> <authentication-provider> <jdbc-user-service data-source-ref="dataSource" authorities-by-username-query=“…”/> </authentication-manager>

25 Access Authenticated User in Application Code …
If Spring Security does all the authentication work, how can we tell which user has logged in in our application code?

26 … Access Authenticated User in Application Code
SecurityContextHolder .getContext() .getAuthentication() .getPrincipal(); See SecurityUtils in CSNS2 for more examples

27 Authentication An object representing an authentication request or an authenticated user after the request is processed Implements Authentication interface

28 Principal Contains information about the authenticated user
Implements UserDetails interface Default implementation of Principal only includes limited user information such as username, password, and roles.

29 Replace Default Principal Implementation
Create a User class that implements UserDetails interface Create a User Service implementation (i.e. implementing UserDetailsService interface) Replace <jdbc-user-service> with your user service implementation in <authentication-provider>

30 Replace Default Principal Implementation Example
CSNS2 User implements UserDetails interface UserDetailsServiceImpl implements UserDetailsService interface @Service(“userService”) <authentication-provider user-service-ref=“userService” /> in applicationContext.xml

31 Authorization Examples
Users must log in to access user management functions A user can only view/edit their own account An administrator can view/edit all accounts Only administrators can create new accounts Operations not available to a user should be hidden from the user

32 Example: URL Security Users must log in to access user management functions authenticated is required to access /user/**

33 URL Security applicationContext.xml
<http auto-config="true“ use-expressions=“true”> <intercept-url pattern="/user/**" access=“authenticated" /> </http>

34 Pattern for <intercept-url>
Default to ANT path pattern, e.g. /user/list.html /user/* /user/** /user/*/*.html /**/*.html Case-insensitive

35 Spring Expression Language (SpEL)

36 Security-Related SpEL Methods and Properties
hasIpAddress() hasRole() hasAnyRole() permitAll denyAll anonymous authenticated rememberMe fullyAuthenticated

37 Example: Method Security
A user can only edit their own account A user may only invoke userDao.saveUser() if the user object to be saved has the same username.

38 Enable Method Security
applicationContext.xml <global-method-security pre-post-annotations=“enabled” />

39 @PreAuthorize(“SpEL expr”)
Allow method invocation if the SpEL expression evaluates to true Throw an AccessDeniedException if the expression evaluates to false

40 More Security-Related SpEL Properties
authentication principal Method parameter: #<param_name> Method return value: returnObject

41 Method Security Exercise: implement the following security constraints
@PreAuthorize ("principal.username == #user.username") public User saveUser( User user ) Exercise: implement the following security constraints An administrator can edit all accounts Only administrators can create new accounts

42 Example: Object Security
A user can only view their own account The user object returned by userDao.getUser() must have the same id as the user invoked the method

43 Object Security Exercise: implement the following security constraints
@PostAuthorize ("principal.username == returnObject.username") public User getUser( Integer id ) Exercise: implement the following security constraints An administrator can view all accounts

44 Example: View Security
Operations not available to a user should be hidden from the user ID Name Operations 1 admin Details | Edit 2 cysun Details | Edit 3 jdoe Details | Edit

45 Security Tag Library <authorize> access <authentication> property

46 View Security <security:authorize access="hasRole('ROLE_ADMIN')
or principal.username == '${user.username}'"> <a href="viewUser.html?id=${user.id}">Details</a> | <a href="editUser.html?id=${user.id}">Edit</a> </security:authorize>

47 Conclusion Declarative security vs. Programmatic security
Spring Security provides the best of both worlds Declarative security framework Portability and flexibility Separate security code from regular code

Download ppt "CS520 Web Programming Declarative Security (II)"

Similar presentations

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Jason Ferguson.  “Vell, Jason’s just zis guy, you know?”  In the Air Force for 16.5 years  Two trips to Afghanistan ▪ Can say “get to work” and “get.

Jason Ferguson.  “Vell, Jason’s just zis guy, you know?”  In the Air Force for 16.5 years  Two trips to Afghanistan ▪ Can say “get to work” and “get.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.

Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.
Securing web applications using Java EE Dr Jim Briggs 1.

Securing web applications using Java EE Dr Jim Briggs 1.
A Brief Introduction 2012 Spring Security. What is it? Security toolkit for Java applications Primarily intended for web applications Open Source from.

A Brief Introduction 2012 Spring Security. What is it? Security toolkit for Java applications Primarily intended for web applications Open Source from.
WEB2P security Java web application security Dr Jim Briggs.

WEB2P security Java web application security Dr Jim Briggs.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Forms Review. 2 Using Forms tag  Contains the form elements on a web page  Container tag tag  Configures a variety of form elements including text.

Forms Review. 2 Using Forms tag  Contains the form elements on a web page  Container tag tag  Configures a variety of form elements including text.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
Web Application Security Representation and Management of Data on the Web.

Web Application Security Representation and Management of Data on the Web.
LDS Account and the Java Stack. Disclaimer This is a training NOT a presentation. – Be prepared to learn and participate in labs Please ask questions.

LDS Account and the Java Stack. Disclaimer This is a training NOT a presentation. – Be prepared to learn and participate in labs Please ask questions.
Introduction to Java web programming Dr Jim Briggs JWP intro1.

Introduction to Java web programming Dr Jim Briggs JWP intro1.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.

03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series 2008 - WebSEAL SSO, Session 1 Presented by: Andrew Quap.

TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.

1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.
Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation www.telerik.com.

Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
WaveMaker Visual AJAX Studio 4.0 Training Authentication.

WaveMaker Visual AJAX Studio 4.0 Training Authentication.

Similar presentations

Ads by Google