This repository contains various Spring Boot + Security related concepts and techniques.
-
basic-spring-security - you will learn
- How to add spring security dependency?
- How to use Spring default password?
- How to override the default username and password?
-
basic-spring-security - you will learn
- How to use
InMemoryUserDetailsManagerto store your username and password in order to anthenticate the given user.
- How to use
-
basic-spring-security - you will learn
- How to use MySQL database to validate username and password (plain text) using
NoOpPasswordEncoder. - How to use MySQL database to validate username and password (bcrypt encoder) using
BCryptPasswordEncoder - How to use
DaoAuthenticationProviderandUserDetailsService
- How to use MySQL database to validate username and password (plain text) using
-
basic-spring-security - you will learn
- How to customize Spring security to use your own Login Form implementation to validate the given username and password instead spring provided default implementation.
-
basic-spring-security - you will learn
- How to use Spring Boot + Security + OAuth2 token to validate the user account using Google API SSO.
Authentication - HTTP Authentication - Forms Authentication - Certificate - Tokens (JWT)
Authorization Privileges / Authorities Roles
-
In Spring Security, granted authorities and roles are a form of expressing a privilege/permission for an authenticated user
-
We express them using plain names
- Granted Authorities - Roles (Small action based) (Larger scope) READ_PROFILE ROLE_ADMIN EDIT_PROFILE ROLE_USER DELETE_PROFILE ROLE_SALES ACCESS_PUBLIC_API ROLE_MANAGEMENT
HTTP Basic Authentication
In the context of HTTP, basic authentication is the process for browser to request a username and password when making a request in order to authentify the user
Client/
Browser ----------- Get /home --------------------------> Server
401 Unauthorized
WWW-Authenticate: Basic realm="localhost"
<------------------------------------------------ ==> this step it will show a popup dialog to enter username and password
Authorization: Basic sgsgasgasgaswtrw25252141=
----------- Get /home -------------------------->
<------------200 OK-------------------------------
return some resource from server
Encoding of username and password
username: karthi
password: testing
- Name and Password are combined (Ex: karthi:testing)
- Browser will encode this to Base64 format (Ex: Ssgsgsoj252522sgsS)
- Transmit in HTTP header (Ex: Authorization:Basic Ssgsgsoj252522sgsS)
Stuff you need to know about Basic Authentication
- It is very simple. It doesn't require cookie, session identifiers, or login page
- Transmitted credentials are not encrypted. They are encoded with Base64 in transit, but not encrypted or hashed in any way.
- Basic Authentication is typically used in conjunction with HTTPS to provide confidentiallity.
- In this case, user can't grab the given username and password. Becuase, it uses HTTPS layer.
- HTTP does not provide a method for a web server to instruct the client to "log out"
- This authentication mechanism is not handled by your app, but the browser
- Simpler definition:
- HTTP Basic is the simplest form of authentication. In conjunction with SSL, it is considered the bare minimum for protecting non-sensitive resources.
- Otherwise, go with a more secure solution.
Form Based Authentication
It is the process of authenticating a user by presenting a custom HTML page that will collect credentials and by directing the authentication responsibility to the web application that collects the form data.
Login:
Client ---------------- GET /home ---------------------------> Server
<-----If not authenticated REDIRECT to login page -----
Login form will be displayed
------------- POST form data (username + password) ----> [Session][Created]
<----- If OK create SESSION ID and return auth cookie --
-------------- GET /employees/reports/all -------------->
<---- 200 OK --------------------------------------------
Logout:
Client ---------------- GET /logout ---------------------------> Server
<------- SESSION is invalidated & Redirected to /login -- [Session][removed]
Stuff you need to know about Forms Authentication
- The application is responsible for dealing with form data and performing the actual authorization phase.
- Infrastructure handled by Spring Secutrity.
- It is the most widespread form of authentication, well sutied for self-contained apps.
- The user credentials are conveyed in the clear to the web application, so use SSL to keep them safe in transit.
- This technique is inherently phishable, so use SSL and certificates from trusted organizations.
- Not suited for public REST endpoints given to third party apps or customers. Only self-contained.
Simpler definition:
Forms Authentication is the most used method for authorizing users and works like a charm for self-contained apps that do not expose public API's to other parties.
Token Based Authentication using JWT (JSON Web Token)
JSON Web Token (JWT) is a compact and safe way to transmit data between two parties. The information can be trusted because it is digitally signed.
Login:
|------------------ |-------------------|
| |--- User sign in (Credentials, Facebook, Google, etc) -->| Auth Server |
| | | |
| Client (Outside)|<--- Authenticated. Token {JWT} created and returned ----|___________________|
| your app domain)|
| | |-------------------|
| |--->GET /report/all HEADER Authorization: Bearer {JWT}-->| Application |
| | | (REST) |
| |<------------- 200 OK -----------------------------------| |
| | | |
| |--->POST /product HEADER Authorization: Bearer {JWT} --->| |
| | | |
| |<------------- 200 OK -----------------------------------|___________________|
-------------------
JWT Structure:
JSON Web Token consist of three parts separated by dots(.)
1. Header
2. Payload (Data)
3. Signature
Example: hhhh.ppppppp.ssssssss
Refer: https://jwt.io
When should you use them?
Mobile ----------- {JWT} ------ www.myapp.com
Auth Server +
REST API
WEB ------------ {JWT} ---------
3rd Party1 ----- {JWT} ---------
3rd Party2 ----- {JWT} ---------
SSL & HTTPS
HTTP is a combination of HTTP plus SSL security layer on top of it. HTTPS is just HTTP that delivers data securely between endpoints.
HTTP is not Secure
------------------
Client/Browser <-------- http://mymailserver.com --------> MailServer
john.does
password
In this above HTTP transaction, some malicious user can try to intercept/hack the given username and password.
HTTPS is secure
---------------
Client/Browser <-------- https://mymailserver.com --------> MailServer
john.does
password
In this method, the malicious user can't see the given information. It will be secure.
How HTTPS works?
----------------
This is where SSL Certificate come in to play.
Security in HTTPS communication is ensured by using SSL certificates
Self-Signed (Created by you) - Good for development
Signed by Trusted Authority (Comodo, Symantec, DigiCert, etc.) - For Production
Flow
----
Broswer/
Client Machine ----------- HTTPS request ---------------------> Server
<--- Server sends certificate with public key--
SSL Verification. If OK browser sends
back session key
----------------------------------------------->
<------------------------------------------------------------------->
Secure communication by encrypting all data with session key
SSL is mandatory for any web application, regardless of the chosen security config.