Spring Security - Java

  • Spring Security
    • Principal, Authentication, Authorization
    • Methods
      • Using HTTP
      • OAuth using HTTPs
    • Mainly implemented in the service and presentation layers
    • SpringSecurityFilterChain delegates every request to the chain of security filters configured in the Spring context
      • The filter chain is defined through the configuration files web.xml > cst-root-ctx.xml > cst-spring-security.xml
      • The authentication provider manager populates the principal's roles
        • ROLE_MSD_USER, ROLE_MSD_ADMIN, ROLE_MSD_DBA
      • The http element grants authorization through filters such as BasicAuthenticationFilter, LogoutFilter and UsernamePasswordAuthenticationFilter
    • Authentication Mechanisms
      • InMemory
      • JDBC => Fetch info from Database
      • LDAP => Fetch info from a lookup server
    • Customising the Access Denied Handler view
    • Customising the login page
  • Authentication Provider
    • The ProviderManager is declared in the configuration file
  • Security Expression Language
    • Used to express complex access rules inside the http element of the Spring Security config
    • The use-expressions attribute must be set to true
    • Use the expression inside the access attribute of <intercept-url>; it must evaluate to a boolean value
    • Can be used in the Spring config, in pre/post annotations in the DAO layer, and in JSP pages via the security tag library
    • Expressions
      • hasRole([role])
      • hasAnyRole([role1, role2])
      • hasAuthority([authority])
      • permitAll
      • denyAll
  • Concurrent Session Detection
    • Restricts a principal/user to a single concurrent login
    • Add the security listener in web.xml to track multiple logins
  • Service Layer Security
    • Can be implemented in all layers, but is mainly implemented in the presentation and service layers
    • Annotations
      • @Secured({})
      • @RolesAllowed({})
      • @PreAuthorize, @PostAuthorize, @PreFilter, @PostFilter
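
As an added example (not part of these notes), a constructed cst-spring-security.xml-style namespace configuration that ties the items above together: expression-based intercept-url rules, a custom login page and access-denied view, concurrent session control, a JDBC authentication provider and method-level annotations. The /admin and /dba URL patterns, the /login and /accessDenied paths and the dataSource bean are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of a Spring Security namespace configuration
     (the kind of file the notes call cst-spring-security.xml). -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- use-expressions="true" switches the access attribute from a plain
         role list to Security Expression Language (must evaluate to boolean). -->
    <http use-expressions="true">
        <!-- Rules are matched top-down, so put the most specific patterns first.
             The login page must be permitAll, otherwise the catch-all rule below
             redirects unauthenticated users to /login in an endless loop. -->
        <intercept-url pattern="/login*"   access="permitAll"/>
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_MSD_ADMIN')"/>
        <intercept-url pattern="/dba/**"   access="hasAnyRole('ROLE_MSD_ADMIN','ROLE_MSD_DBA')"/>
        <intercept-url pattern="/**"       access="hasRole('ROLE_MSD_USER')"/>

        <!-- Custom login page and access-denied view (paths are assumptions). -->
        <form-login login-page="/login" authentication-failure-url="/login?error"/>
        <access-denied-handler error-page="/accessDenied"/>
        <logout logout-url="/logout" logout-success-url="/login"/>

        <!-- Concurrent session detection: one login per principal. Requires
             org.springframework.security.web.session.HttpSessionEventPublisher
             registered as a <listener> in web.xml so session expiry is tracked. -->
        <session-management>
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
        </session-management>
    </http>

    <!-- ProviderManager wiring: JDBC mechanism, users and authorities are
         fetched from the database behind the (assumed) dataSource bean. -->
    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"/>
        </authentication-provider>
    </authentication-manager>

    <!-- Enables @Secured, @RolesAllowed and @PreAuthorize/@PostAuthorize/
         @PreFilter/@PostFilter on service-layer beans. -->
    <global-method-security secured-annotations="enabled"
                            jsr250-annotations="enabled"
                            pre-post-annotations="enabled"/>
</beans:beans>
```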