Spring Security Overview
================================================================================
.. only:: html
.. contents:: Table of Contents
:local:
Overview
--------------------------------------------------------------------------------
| Two main functionalities namely, "Authentication" and "Authorization" are provided by Spring Security
| for the security of applications.
| Authentication functionality identifies a user and thus prevents unauthorized access through spoofing.
| Authorization functionality controls the access to system resources
| according to the authority of the authenticated (logged-in) user.
| Moreover, it has functionality for assigning HTTP headers.
| Spring Security overview is shown in diagram below.
.. figure:: ./images/spring_security_overview.png
:alt: Spring Security Overview
:width: 80%
:align: center
**Picture - Spring Security Overview**
| Spring Security implements authorization and authentication processes
| with help of a group of ServletFilters that interact across several levels.
| Further, it also provides password hashing functionality, JSP authorized tag library etc.
Authentication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| Authentication is the action that checks validity of a request. When connecting to the network or server,
| through combination of user name and password, it further verifies whether the user has the required authority and
| also whether the person to be authenticated is really the user himself.
| For the details on how to use authentication in Spring Security, refer to \ :doc:`Authentication`\ .
Password hashing
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| In password hashing, the original password is replaced with a hash value that is derived from the plaintext password using hash function.
| For the details on how to use it in Spring Security, refer \ :doc:`PasswordHashing`\ .
Authorization
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| Authorization is the functionality to verify whether the authenticated user is allowed to use the resource that he is trying to access,
| using access control process.
| For details on how to use authorization in Spring Security, refer to \ :doc:`Authorization`\ .
.. _howtouse_springsecurity:
How to use
--------------------------------------------------------------------------------
| Following settings need to be defined for using Spring Security.
pom.xml settings
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| To use Spring Security, following dependency needs to be added to pom.xml.
.. code-block:: xml
org.terasoluna.gfw
terasoluna-gfw-security-core
org.terasoluna.gfw
terasoluna-gfw-security-web
.. tabularcolumns:: |p{0.10\linewidth}|p{0.90\linewidth}|
.. list-table::
:header-rows: 1
:widths: 10 90
* - Sr. No.
- Description
* - | (1)
- | terasoluna-gfw-security-core is not web dependent. As a result, when using from a domain layer project,
| only terasoluna-gfw-security-core should be added to dependency.
* - | (2)
- | terasoluna-gfw-web provides web related functionalities. It is dependent on terasoluna-gfw-security-core as well. Hence,
| for Web projects, only terasoluna-gfw-security-web should be added to dependency.
Web.xml settings
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: xml
:emphasize-lines: 5,13-20
contextConfigLocation
classpath*:META-INF/spring/applicationContext.xml
classpath*:META-INF/spring/spring-security.xml
org.springframework.web.context.ContextLoaderListener
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*
.. tabularcolumns:: |p{0.10\linewidth}|p{0.90\linewidth}|
.. list-table::
:header-rows: 1
:widths: 10 90
* - Sr. No.
- Description
* - | (1)
- | In addition to applicationContext.xml, add the Spring Security configuration file to
| the class path in contextConfigLocation. In this guideline, it is "spring-security.xml" file.
* - | (2)
- | filter-name should be defined as the Bean name to be used internally in Spring Security, namely, "springSecurityFilterChain".
* - | (3)
- Spring Security filter settings to enable various functionalities.
* - | (4)
- Enable the settings for all requests.
spring-security.xml settings
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| spring-security.xml is placed under the path specified in web.xml.
| Normally, it is set in src/main/resources/META-INF/spring/spring-security.xml.
| Please refer subsequent chapters for detailed explanation, as the following example is just a template.
* spring-mvc.xml
.. code-block:: xml
.. tabularcolumns:: |p{0.10\linewidth}|p{0.90\linewidth}|
.. list-table::
:header-rows: 1
:widths: 10 90
* - Sr. No.
- Description
* - | (1)
- | Spring EL expressions of access attribute can be enabled by setting use-expressions="true".
\
.. note::
For the Spring EL expressions enabled by use-expressions="true", please refer to the following.
\ `Expression-Based Access Control `_\
Appendix
--------------------------------------------------------------------------------
.. _SpringSecurityAppendixSecHeaders:
Settings to assign a secure HTTP header
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
As shown below, security related headers can be set automatically in HTTP response by setting \ ````\ element in \ ````\ of spring-security.xml.
By assigning these HTTP response headers, Web browser can detect an attack and deal with it.
This setting is not mandatory; however, it is recommended for strengthening security.
.. code-block:: xml
In this setting, HTTP response headers related to following fields are set.
* Cache-Control
* X-Content-Type-Options
* Strict-Transport-Security
* X-Frame-Options
* X-XSS-Protection
.. tabularcolumns:: |p{0.2\linewidth}|p{0.5\linewidth}||p{0.3\linewidth}|
.. list-table::
:header-rows: 1
:widths: 20 50 30
* - HTTP header name
- Issues due to inappropriate settings (also includes cases where settings are not performed).
- Behavior in case of appropriate settings
* - | \ ``Cache-Control``\
- | In some cases, the contents that can be viewed by a logged-in user are cached and can also be viewed by another user, after the first user logs out.
- | Instruct such that the contents are not cached and ensure that the browser always fetches server information.
* - | \ ``X-Content-Type-Options``\
- | In some cases, browser determines operation contents just by checking the content details without using Content-Type. This may result in execution of unexpected scripts.
- | Ensure that the browser does not determine the operation contents just by checking the content details without using Content-Type. Restrict script execution if the MIME type does not match.
* - | \ ``Strict-Transport-Security``\
- | In spite of expecting access to a secure page by HTTPS, there is a possibility of HTTP-origin attack when the page is accessed using HTTP (Example: Man-In-The-Middle-Attack (MITM) intercepts a user's HTTP request and redirects it to a malicious site.)
- | Once a legitimate web site is accessed using HTTPS, the browser automatically uses only HTTPS, thereby preventing the Man In The Middle Attack such as being redirected to a malicious site.
* - | \ ``X-Frame-Options``\
- | If screen of malicious Web site A is made unavailable for viewing and instead a legitimate site B is embedded using \ ``