Spring Security
Security is a concern for any application that must provide its services consistently. There are many security aspects to consider when protecting an application from threats or potential attacks. To deal with security issues, it is recommended that we understand, or at least be aware of, potential vulnerabilities such as session hijacking, cross-site scripting and request forgery, and that we take them into account right from the start of application development.
The owasp.org website keeps details of the top ten list of application vulnerabilities, along with other useful material to refer to.
There are two approaches we can go with in the case of Spring:
1) Namespace-based application security
2) Spring bean approach, where we wire up all the implementation classes ourselves.
We will be doing the namespace-based security arrangements, as it is the latest approach and involves less work than the Spring bean security configuration.
Security Requirements:
Traditional J2EE security approaches for EJB or Servlet based applications are not so comprehensive and are not transferable to different platforms; in most cases you end up deploying security settings for the same code or package separately in different environments or physical sites, which makes security an overhead and a repeated process for multiple deployments of the same package.
Spring Security, however, is found to be comprehensive and tightly coupled with your package, which gives more flexibility when you move your configuration.
The following are the two most important sectors in the security of a web application:
1) Authentication
2) Authorization
In Spring, the authentication process is assigning or allocating a principal who can perform actions on application features; the principal can be anything such as a user, another system, a module or a device.
Authorization is the process of deciding whether a principal is allowed to perform a given action within our application.
Authorization is usually provided to the user through a UI component or screen, whereas authentication is something like assigning a role to the principal's id.
At the authentication level, Spring Security supports a wide range of authentication models, which are usually provided by third-party components or may be developed in-house. However, Spring also provides its own authentication features.
Authentication:
Spring currently supports authentication integration with many technologies; the following are some of the most important and most used ones:
1) HTTP Basic
2) HTTP Digest
3) LDAP
4) Form-based authentication
5) OpenID
6) AndroMDA
7) Tapestry
Apart from these, we can have our own security system, depending on the requirements.
Authorization:
Irrespective of which of the above authentication mechanisms is used, Spring provides a set of authorization capabilities:
1) Authorizing a web request.
2) Authorizing a method access.
3) Authorizing a domain object instance.
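As an added example (not from the original post), the following minimal namespace configuration wires together the pieces named in the two sections above: form-based and HTTP Basic authentication from the authentication list, and web-request authorization through intercept-url plus method authorization through annotations from the authorization list. The URL patterns, role names, user accounts and the choice of Spring Security 3.1 as the schema version are assumptions; the in-memory user service stands in for a real LDAP or JDBC provider, and the password hashes are placeholders. Domain-object authorization needs the separate ACL module and is not configured here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the post's own configuration. Hypothetical URL patterns,
     roles and accounts; Spring Security 3.1 namespace assumed. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- 1) Authorizing a web request: intercept-url rules are evaluated top to
         bottom, so the most specific patterns come first and /** is the
         catch-all that denies anonymous access to everything else. -->
    <http use-expressions="true">
        <intercept-url pattern="/login*" access="permitAll" />
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/**" access="isAuthenticated()" />

        <!-- Form-based authentication for browser users ... -->
        <form-login login-page="/login"
                    default-target-url="/home"
                    authentication-failure-url="/login?error=1" />
        <!-- ... and HTTP Basic for non-browser clients, against the same users. -->
        <http-basic />

        <!-- Invalidate the server-side session on logout. -->
        <logout logout-success-url="/login" invalidate-session="true" />

        <!-- Session-fixation protection: a new session id is issued at login,
             so a session id chosen before authentication cannot be reused. -->
        <session-management session-fixation-protection="migrateSession" />
    </http>

    <!-- 2) Authorizing a method access: enables @PreAuthorize / @PostAuthorize
         on service beans, e.g. @PreAuthorize("hasRole('ROLE_ADMIN')"). -->
    <global-method-security pre-post-annotations="enabled" />

    <!-- Authentication: in-memory users for illustration only. A production
         setup would use <ldap-authentication-provider> or <jdbc-user-service>
         instead. Passwords are stored as SHA-256 digests, never in plain text. -->
    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="sha-256" />
            <user-service>
                <!-- Constructed accounts; the password values are placeholders
                     for the SHA-256 hex digest of each user's password. -->
                <user name="alice" password="PLACEHOLDER_SHA256_HASH_ALICE"
                      authorities="ROLE_USER,ROLE_ADMIN" />
                <user name="bob" password="PLACEHOLDER_SHA256_HASH_BOB"
                      authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

This file is loaded by the web application's Spring context (together with the standard springSecurityFilterChain filter mapping in web.xml); the same file then travels with the package to every environment, which is the portability point made in the Security Requirements section above.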
I will take some examples in my next post to show how it actually works in Spring.