Spring Security:
Spring Security is a framework that provides security features such as authentication and authorization for building secure Java enterprise applications.
It is a sub-project of the Spring Framework, started in 2003 by Ben Alex. Later, in 2004, it was released under the Apache License as Spring Security 2.0.0.
The framework targets two major areas of application security: authentication and authorization.
Authentication:
It is the process of knowing and identifying the user who wants to access the application.
Authorization:
It is the process of allowing an authority to perform actions in the application.
Spring Security supports a wide range of authentication models. These models are provided either by third parties or by the framework itself. Spring Security supports integration with all of the following technologies.
HTTP BASIC authentication headers
HTTP Digest authentication headers
HTTP X.509 client certificate exchange
LDAP (Lightweight Directory Access Protocol)
Form-based authentication
OpenID authentication
Automatic remember-me authentication
Kerberos
JOSSO (Java Open Source Single Sign-On)
AppFuse
AndroMDA
Mule ESB
DWR (Direct Web Request)
The strength of this framework is its flexible approach to authentication, which lets it integrate with any software solution. Sometimes developers need to integrate it with a legacy system that does not follow any security standard, and Spring Security works well there too.
Advantages:
Spring Security has numerous advantages. Some of them are given below.
Comprehensive support for authentication and authorization.
Protection against common tasks
Servlet API integration
Integration with Spring MVC
Portability
CSRF protection
Java Configuration support
Spring Security Features:
LDAP (Lightweight Directory Access Protocol)
Single sign-on
JAAS (Java Authentication and Authorization Service) LoginModule
Basic Access Authentication
Digest Access Authentication
Remember-me
Web Form Authentication
Authorization
Software Localization
HTTP Authorization
LDAP (Lightweight Directory Access Protocol):
It is an open application protocol for maintaining and accessing distributed directory information services over an Internet Protocol network.
Single sign-on:
This feature allows a user to access multiple applications with a single account (user name and password).
JAAS (Java Authentication and Authorization Service) LoginModule:
It is a Pluggable Authentication Module implemented in Java. Spring Security supports it for its authentication process.
Basic Access Authentication:
Spring Security supports Basic Access Authentication, which is used to supply a user name and password when making a request over the network.
Digest Access Authentication:
This feature makes the authentication process more secure than Basic Access Authentication. It asks the browser to confirm the identity of the user before sending sensitive data over the network.
Remember-me:
Spring Security supports this feature with the help of HTTP cookies. It remembers the user and avoids a repeated login from the same machine until the user logs out.
Web Form Authentication:
In this process, a web form collects user credentials from the web browser and authenticates them. Spring Security supports this when we want to implement web form authentication.
Authorization:
Spring Security provides this feature to authorize the user before accessing resources. It allows developers to define access policies against the resources.
Software Localization:
This feature allows us to present the application user interface in any language.
HTTP Authorization:
Spring provides this feature for HTTP authorization of web request URLs using Apache Ant paths or regular expressions.
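The following is an added example, not code from the original page, showing URL authorization with Ant paths and a regular expression alongside the form, Basic and remember-me features described above. It assumes the Spring Security 5.x Java configuration API (WebSecurityConfigurerAdapter); the class name, paths, role and authority names are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical configuration class for a Spring Security 5.x web application.
@Configuration
@EnableWebSecurity
public class UrlAccessConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated in declaration order and the first match wins,
                // so specific patterns go first and the catch-all goes last.
                .antMatchers("/css/**", "/login").permitAll()
                // hasRole("ADMIN") checks for the authority ROLE_ADMIN.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Regular-expression matcher for versioned API paths (hypothetical).
                .regexMatchers("/api/v[0-9]+/reports/.*").hasAuthority("REPORT_READ")
                // Anything not listed above still requires a logged-in user.
                .anyRequest().authenticated()
                .and()
            // Web form authentication with a custom login page.
            .formLogin().loginPage("/login")
                .and()
            // Basic Access Authentication for non-browser clients.
            .httpBasic()
                .and()
            // Cookie-based remember-me.
            .rememberMe();
        // CSRF protection is enabled by default and is left on here.
    }
}
```

Ending the rule list with anyRequest().authenticated() means a URL added later without its own rule is still closed to anonymous users.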
Features added in Spring Security 5.0:
OAuth 2.0 Login:
This feature lets users log in to the application using their existing account at GitHub or Google. It is implemented using the Authorization Code Grant specified in the OAuth 2.0 Authorization Framework.
Reactive Support:
From version 5.0, Spring Security provides reactive programming and reactive web runtime support, and it can be integrated with Spring WebFlux.
Modernized Password Encoding:
Spring Security 5.0 introduced a new password encoder, DelegatingPasswordEncoder, which is more modern and solves all the problems of the previous encoder, NoOpPasswordEncoder.
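The following is an added example, not code from the original page, showing how DelegatingPasswordEncoder marks each stored value with an {id} prefix so that legacy records can be verified and then re-encoded. The class name, helper methods and sample records are hypothetical and constructed for illustration.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordEncodingDemo {

    // Delegating encoder: bcrypt for new hashes, other ids kept for verifying old records.
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // Hypothetical migration helper: anything not stored as {bcrypt} is due for re-encoding.
    static boolean needsRehash(String stored) {
        return !stored.startsWith("{bcrypt}");
    }

    // Verify a login and return the value to persist, upgraded on success if legacy.
    static String verifyAndUpgrade(String rawPassword, String stored) {
        if (!ENCODER.matches(rawPassword, stored)) {
            return null; // wrong password: caller rejects the login
        }
        return needsRehash(stored) ? ENCODER.encode(rawPassword) : stored;
    }

    public static void main(String[] args) {
        // Constructed sample records, not real credentials.
        String legacy = "{noop}letmein"; // plaintext record marked with the noop id
        String unprefixed = "letmein";   // older style value with no {id} prefix

        String upgraded = verifyAndUpgrade("letmein", legacy);
        System.out.println("legacy record re-encoded as: " + upgraded);
        System.out.println("still verifies: " + ENCODER.matches("letmein", upgraded));

        try {
            ENCODER.matches("letmein", unprefixed);
        } catch (IllegalArgumentException e) {
            // No {id} prefix means no delegate is selected; the encoder refuses
            // rather than comparing the stored value as plaintext.
            System.out.println("unprefixed record rejected: " + e.getMessage());
        }
    }
}
```

Records still stored under {noop} are plaintext at rest, so a check like needsRehash is useful for finding accounts that have not yet been migrated.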
Spring Project Modules:
In Spring Security 3.0, the Security module was divided into separate jar files. The purpose was to split the jar files by functionality so that developers can include only what they require.
It also helps to set the required dependencies in the pom.xml file of a Maven project.
The following jar files are included in the Spring Security module.
spring-security-core.jar
spring-security-remoting.jar
spring-security-web.jar
spring-security-config.jar
spring-security-ldap.jar
spring-security-oauth2-core.jar
spring-security-oauth2-client.jar
spring-security-oauth2-jose.jar
spring-security-acl.jar
spring-security-cas.jar
spring-security-openid.jar
spring-security-test.jar
Core - spring-security-core.jar
This is the core jar file and is required by every application that uses Spring Security. It includes the core access-control and core authentication classes and interfaces. We can use it in standalone applications or remote client applications.
It contains the following top-level packages:
org.springframework.security.core
org.springframework.security.access
org.springframework.security.authentication
org.springframework.security.provisioning
Remoting - spring-security-remoting.jar
This jar is used to integrate security features into a Spring remote application. We don't need it unless we are creating a remote application. All the classes and interfaces are located in the org.springframework.security.remoting package.
Web - spring-security-web.jar
This jar is used for Spring Security web authentication and URL-based access control. It includes filters and web-security infrastructure.
All the classes and interfaces are located in the org.springframework.security.web package.
Config - spring-security-config.jar
This jar file is required for Spring Security configuration using both XML and Java. It includes Java configuration code and security namespace parsing code. All the classes and interfaces are stored in the org.springframework.security.config package.
LDAP - spring-security-ldap.jar
This jar file is required only if we want to use LDAP (Lightweight Directory Access Protocol). It includes authentication and provisioning code. All the classes and interfaces are stored in the org.springframework.security.ldap package.
OAuth 2.0 Core - spring-security-oauth2-core.jar
This jar is required to integrate the OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0 into the application. It includes the core classes for OAuth 2.0, which are stored in the org.springframework.security.oauth2.core package.
OAuth 2.0 Client - spring-security-oauth2-client.jar
This jar file is required for client support for the OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0. This module provides OAuth login and OpenID client support. All the classes and interfaces are available in the org.springframework.security.oauth2.client package.
OAuth 2.0 JOSE - spring-security-oauth2-jose.jar
It provides Spring Security's support for the JOSE (JavaScript Object Signing and Encryption) framework. The JOSE framework provides methods to establish a secure connection between clients. It contains the following collection of specifications:
JWT (JSON Web Token)
JWS (JSON Web Signature)
JWE (JSON Web Encryption)
JWK (JSON Web Key)
All the classes and interfaces are available in these two packages:
org.springframework.security.oauth2.jwt
org.springframework.security.oauth2.jose
ACL - spring-security-acl.jar
This jar is used to apply security to domain objects in the application. We can access classes and code from the org.springframework.security.acls package.
CAS - spring-security-cas.jar
It is required for Spring Security's CAS client integration. We can use it to integrate Spring Security web authentication with a CAS single sign-on server. The source code is located in the org.springframework.security.cas package.
OpenID - spring-security-openid.jar
This jar is used for OpenID web authentication support. We can use it to authenticate users against an external OpenID server. It requires OpenID4Java, and the top-level package is org.springframework.security.openid.
Test - spring-security-test.jar
This jar provides support for testing Spring Security applications.