Securing Apps from the Ground Up with the Spring Security Framework

Image for Securing Apps from the Ground Up with the Spring Security Framework

How can a programming language created in the 1990s still be topping lists as one of the most popular languages around? By getting the job done and providing software engineers with powerful, mature tools for developing (and securing) some of the biggest enterprise applications around.

That’s the story for The Java Platform, an ecosystem that’s been been a de-facto programming environment for enterprise software. It’s incredibly stable, widely compatible, and can create scalable foundations for a variety of large software projects—both legacy and new. Its enduring relevance is pretty evident: It topped the list of popular programming languages in 2016, coming in second in popularity on GitHub and second on Indeed.com’s list of popular, in-demand programming jobs.

But Java is more than a language. It’s a sprawling package of tools that make this object-oriented language able to do a lot on the enterprise-level. And when it comes to security—arguably the top priority for developers and organizations from small to medium to enterprise—it doesn’t fall short either, thanks to the Spring Security framework.

Here’s a closer look at this framework and how it’s helping secure Java applications.

awesome job post

THE IMPORTANCE OF APPLICATION-LEVEL SECURITY

When you’re talking enterprise software, there’s a major headline aside from scalability and stability issues: security. Enterprise organizations know they’re a target for hackers, making security a frequent concern. Solid security requires a layered approach, bolstering everything from network connections and the server to encryption of in-transit data and endpoint security.

One key part of that equation is application-level security—in other words, writing an application securely from the ground up so it has all the necessary access controls to let the right people in and keep the wrong people out. This type of security accounted for a spike in demand for developers proficient in the Java Spring Security framework according to a recent Upwork Skills Index, proof that Java still reigns and security concerns do, too.

The Spring Framework + J2EE

When you choose Java for an application, you’re not just choosing the programming language; you’re adopting an entire ecosystem comprising Core Java, various IDEs, libraries, the Java Virtual Machine (JVM), and frameworks like Struts, Stripes, and Swing. The Java Enterprise Edition (EE) platform in particular is tailored specifically to enterprise clients who need certain functionalities baked in. However, J2EE applications come with some drawbacks and flaws commonly associated with Java: mainly, bulky, excessive, and duplicate code. J2EE applications can also be difficult to unit test.

That’s where the Spring Framework comes in, simplifying certain functionalities with built-in patterns and practices. Note: As with all frameworks, Spring is not going to be a silver bullet and it’s always possible to overcomplicate code, but it does offer some great benefits. It’s specifically known for its “dependency injection” and inversion control capabilities—object-oriented programming (OOP) practices that can be handy for eliminating duplicate methods and for unit testing.

Spring also lets you pick and choose from numerous packages like Spring Cloud, Spring Mobile, Spring Data, and an excellent solution for built-in authentication and authorization measures, Spring Security.

AUTHENTICATION AND AUTHORIZATION MADE EASY

Implementing the Spring Security framework is an excellent way to add login functionality to an app or RESTful API web service—any role-based authorization and authentication measures like OpenID, OAuth 2.0 and SAML. Doing this lets you control who can access your application and what they’re able to do once they’ve accessed it by creating “roles” that have access to different resources of your application, then assigning one or more of these roles to users.

A few features and extensions of Spring Security include:

  • ID and password services: Identification and verification through IDs and passwords, with password encryption algorithms.
  • Authentication: This verifies the identity of the user accessing the application by providing proof that “you are who you say you are.” Learn more in this article about authentication. You can specify the authentication provider of your choice in Spring, like OpenID.
  • Authorization: This allows an application to securely access and use protected information on another application’s behalf. Learn more in this article about authorization. Spring offers support for both OAuth and OAuth 2.
  • SAML and LDAP extensions for authentication and federation
  • Kerberos extensions for authentication without usernames and passwords
  • Protection against attacks like session fixation, clickjacking, cross-site request forgery
  • Integration with Java Servlet APIs
  • Grails plugins

Implementing Spring Security In Your Application

Spring isn’t just compatible with Java applications—it can also be used in other projects, e.g. AngularJS applications. Let’s go a little deeper into how to actually to do that with the following:

  • Key objects in the context of Spring Security
  • The authentication process in Spring Security
  • Connecting Spring Security itself to the project

Key context objects to know in Spring Security

Java is an object-oriented language, its key components are objects, classes, and methods. Here are a few objects to know.

SecurityContextHolder. This object contains information about the current security context of the application, which includes detailed information about the user (Principal) currently working with the application. By default, SecurityContextHolder uses theThreadLocal to store such information, which means that the security context is always available for methods that are running on the same stream. To change the storage strategy for this information, you can use the static method of class SecurityContextHolder.setStrategyName (String strategy).

UserDetailsService. This object is used to create a UserDetails object by implementing the single method of this interface:

UserDetails loadUserByUsername (String username) throws UsernameNotFoundException

More About Using Spring Security Authentication

How does Spring Security Authentication work? Here are a few steps to know.

  1. The user logs in with a name (username or email) and a password. These two credentials are combined into an instance of the class UsernamePasswordAuthenticationToken (which is itself an instance of the Authentication interface). Then, they’re passed to the AuthenticationManager for verification.
  2. If the password does not match the username, the BadCredentialsException is returned along with the message “Bad Credentials.”
  3. If the password and username match, it will return a populated Authentication instance.
  4. The user sets a security context by calling the SecurityContextHolder.getContext () method setAuthentication (…), where the object that returned the AuthenticationManager is passed.

Connecting Spring Security Framework to your application

Ready to give it a try? Here’s some code to get you started.

pom.xml

<properties>
<spring.version>3.1.4.RELEASE</spring.version>
</properties>
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.version}</version>
</dependency>

 

web.xml

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

 

security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<http access-denied-page="/error403.jsp">
<intercept-url pattern="/index*" access="ROLE_USER,ROLE_ANONYMOUS"/>
<intercept-url pattern="/add*" access="ROLE_USER"/>
<intercept-url pattern="/delete/*" access="ROLE_ADMIN"/>
<form-login login-page="/login.jsp" default-target-url="/index" authentication-failure-url="/login.jsp?error=true"/>
<logout logout-url="/logout" logout-success-url="/index"/>
<anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
<remember-me/>
</http>

<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="pass" authorities="ROLE_ADMIN,ROLE_USER"/>
<user name="user1" password="1111" authorities="ROLE_USER"/>
<user name="user2" password="2222" disabled="true" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>

Important Considerations When Using Security.xml

It is assumed that on the login.jsp page there is a form with action = “/ j_spring_security_check” which contains input for name and password with name = “j_username” and name = “j_password”, and checkbox c name = “_ spring_security_remember_me.” These are all special values that Spring Security requires or it will not send the parameters on to the security context.

After a successful authentication, the user is redirected to the /index page. If you don’t specify the form and URL in http spring-security, the basic authentication will occur by default, or you can connect to the basic authentication by forcing in http spring-security .

On the url / index *, users with ROLE_USER rights as well as guests can access. Note: Any connections that have not been authenticated receive the username guest and the rights ROLE_ANONYMOUS).

Access to url / add * is restricted to users with ROLE_USER rights. Access to url / delete * is limited only to users with ROLE_ADMIN rights

Want more information?

The above example is a basic sample of how to use Spring Security. If you want customize the Spring Security Framework further, visit either of these pages for more information.

Conclusion

Whether you’re building a new Java-based web application or have an existing application and want to bolster security by setting up Spring Security, there are plenty of pros who can help you get started. Supplement your development team with a Spring Security specialist from Upwork today.

Upwork is a freelancing marketplace where businesses of all sizes can find talented professionals across multiple disciplines and categories. If you are a business and are looking to get projects done, consider signing up!

Join Upwork
Carey Wodehouse

by - Freelance Content Marketer and Writer

Carey Wodehouse is a freelance content marketer and writer based in Richmond, VA who’s worked for clients ranging from online retailers and global market research… more