Spring Security Flashcards
What is authentication and authorization? Which must come first?
Authentication is the process of verifying the validity of the Principal’s credentials.
Authorization is the process of making decision whether an authenticated user is allowed to perform a certain action within the application.
Authorization depends on authentication, so authentication must come first: a user has to be authenticated before any authorization decision can be made. Authentication establishes who the principal is (and whether the credentials are valid at all); authorization then decides, usually based on the roles or authorities granted to that principal, which actions the user may perform.
Is security a cross cutting concern? How is it implemented internally?
Security is a cross-cutting concern: it applies to many parts of the application but is not part of their business logic. Spring Security keeps it separate from the application code. Web security is implemented as a chain of servlet filters (plugged in through a DelegatingFilterProxy), and method-level security is implemented with Spring AOP proxies that intercept calls to annotated beans.
Steps of configuring Spring security:
* declare the security filter for the application
* define the Spring Security context
* configure authentication and authorization
What is the security filter chain?
The security filter chain is a chain of spring managed beans (filters) that handle requests in a secured web environment. This chain of filters has the following key responsibilities:
- driving authentication
- enforcing authorization
- managing logout
- maintaining SecurityContext in HttpSession
What is the delegating filter proxy?
DelegatingFilterProxy is a standard servlet filter, registered in the web container for a URL pattern (usually /*), that delegates every call to a Spring-managed bean of the same filter name (by default springSecurityFilterChain). That bean is the FilterChainProxy, which holds the ordered security filter chain and runs the request through it. The proxy exists so that the filters can be Spring beans with injected dependencies even though the servlet container knows nothing about the application context.
Are you able to add and/or replace individual filters?
The Spring Security framework grew out of Acegi Security 1.x. At the beginning the security filter beans were configured by hand and could be used individually, but that led to long XML configurations that were verbose and error-prone. Since Spring Security 2.0 the security namespace (and later the Java config) creates and wires the filter beans with default values, and manual configuration is not recommended unless you need to change the default Spring Security behaviour.
You can do that with both XML and Java configuration, and in either case you choose whether your filter goes before, instead of (at the same position as) or after one of the predefined filters.
In XML the <custom-filter> element inside <http> takes exactly one of the attributes before, position or after, each naming a predefined filter alias (for example FORM_LOGIN_FILTER). In Java, in the class that extends WebSecurityConfigurerAdapter, override the method with the signature protected void configure(HttpSecurity http) and call addFilterBefore, addFilterAt or addFilterAfter on the HttpSecurity builder, as follows (since Spring Security 5.7 the same calls are made on the HttpSecurity passed to a SecurityFilterChain @Bean method, because WebSecurityConfigurerAdapter is deprecated there and removed in 6.0):
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class CustomWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // OurCustomFilter stands for your own javax.servlet.Filter implementation.
        // The second argument is the predefined filter used as the anchor: here the
        // custom filter runs right after the form-login filter. addFilterBefore(...)
        // and addFilterAt(...) take the same (filter, anchor class) arguments.
        http.addFilterAfter(new OurCustomFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}
In the notes several predefined filters were shown. Do you recall what they did and what
order they occurred in?
- ChannelProcessingFilter - first in the chain; redirects to another protocol (e.g. HTTP to HTTPS) when the requested URL requires it
- SecurityContextPersistenceFilter - loads the SecurityContext from the HttpSession (or creates an empty one) before the request and saves any changes back to the session afterwards
- ConcurrentSessionFilter - part of concurrent session handling; checks the session registry and expires sessions that exceed the configured limit
- LogoutFilter - logs the principal out (clears the context, invalidates the session, removes remember-me tokens) and then redirects to the configured view
- UsernamePasswordAuthenticationFilter - the form-login filter referenced in the code above; processes the submitted username/password and stores the resulting Authentication in the security context
- BasicAuthenticationFilter - processes the HTTP Basic Authorization header and, if the credentials are valid, stores the resulting Authentication in the security context
- JaasApiIntegrationFilter - attempts to obtain a JAAS Subject and continues the FilterChain running as that Subject
- RememberMeAuthenticationFilter - if the security context still holds no Authentication, looks for a remember-me token (cookie) and, if it is valid, authenticates the user from it
- AnonymousAuthenticationFilter - if the security context still holds no Authentication, stores an anonymous Authentication so that later filters always find a principal
- ExceptionTranslationFilter - catches Spring Security exceptions thrown further down the chain and translates them into HTTP responses: an AuthenticationException starts authentication via the entry point (e.g. redirect to the login page), an AccessDeniedException becomes a 403 or is passed to the AccessDeniedHandler
- FilterSecurityInterceptor - last in the chain; makes the access decision for the requested URI and raises AccessDeniedException (or AuthenticationException for an anonymous user) when access is not allowed
Why do you need the intercept-url?
The <intercept-url> element (a child of <http>) defines the URLs whose requests must satisfy a security constraint. Its pattern attribute accepts an Ant-style path (or a regular expression when request-matcher="regex" is set on <http>) matching the protected resources. The access attribute accepts either a comma-separated list of roles, any one of which grants access, or, when expressions are enabled (use-expressions="true", the default in current versions), a SpEL expression such as hasRole('ADMIN').
Because the rules are matched in order and the first match wins, the order of the intercept-url elements matters (see the card on multiple intercept-url's below).
Does Spring Security support password hashing? What is salting?
Spring Security hashes passwords through the PasswordEncoder interface. Older versions shipped Md5PasswordEncoder (removed in Spring Security 5), which produced an MD5 hash of the password that was then persisted instead of the clear-text password. The problem with a plain, unsalted hash is that precomputed "dictionaries" of hashes (rainbow tables) are available on the internet: an attacker who obtains the stored hash can look it up, recover the password and log in as the user, which the system then treats as authorized access. To defeat that you add a salt, a value appended to the password before it is hashed, so that the same password produces a different hash for every user and no table can be precomputed. The salt should be a random value stored alongside the hash; the legacy encoders accepted any object as the salt, and using the user id was a simple but weak choice because it is predictable.
There is a PasswordEncoder implementation, BCryptPasswordEncoder, that generates a random salt for every encode() call, embeds it in the resulting string and reads it back in matches(), so the application never has to handle the salt itself.
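As an added example (not code from the original notes), the following class contrasts an unsalted MD5 hash, a salt derived from a user id, and BCryptPasswordEncoder. It uses java.security.MessageDigest for the legacy hash because Md5PasswordEncoder no longer exists in Spring Security 5+; the password and user id are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordHashingDemo {

    /** Hex-encoded MD5 of a string; stands in for the removed Md5PasswordEncoder. */
    static String md5Hex(String input) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5")
                .digest(input.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        String password = "correct horse battery"; // constructed sample password
        long userId = 42L;                           // constructed sample user id

        // 1. Unsalted hash: deterministic. Two users with the same password get the same
        //    hash, and one precomputed table cracks all of them at once.
        String unsalted = md5Hex(password);
        System.out.println("unsalted md5  : " + unsalted);
        System.out.println("deterministic : " + unsalted.equals(md5Hex(password))); // true

        // 2. Salt = user id (the legacy "{salt}" style). Hashes now differ per user, but the
        //    salt is predictable, so an attacker can still precompute a table per user id.
        String saltedWithId = md5Hex(password + "{" + userId + "}");
        System.out.println("salted md5    : " + saltedWithId);

        // 3. BCrypt: random 128-bit salt per encode(), cost factor 12, salt embedded in the
        //    output ($2a$12$<22-char salt><31-char hash>), so nothing else has to be stored.
        PasswordEncoder encoder = new BCryptPasswordEncoder(12);
        String stored1 = encoder.encode(password);
        String stored2 = encoder.encode(password);
        System.out.println("bcrypt #1     : " + stored1);
        System.out.println("bcrypt #2     : " + stored2);
        System.out.println("same hash?    : " + stored1.equals(stored2));          // false
        System.out.println("matches ok    : " + encoder.matches(password, stored1)); // true
        System.out.println("matches bad   : " + encoder.matches("wrong", stored1));  // false
    }
}
```

matches() never re-encodes the stored value; it parses the cost and salt out of the stored string, hashes the candidate with them and compares. Raising the cost factor makes both legitimate logins and offline guessing slower, so pick it against your login latency budget rather than the default.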
How is a Principal defined?
A principal is a user, device or system that can perform some actions in the application. The principal is established during the authentication process. The standard AuthenticationManager implementation, ProviderManager, passes the incoming (not yet authenticated) Authentication request to its list of AuthenticationProviders; the first provider that supports the request and succeeds returns a fully populated Authentication, with the authenticated flag set, the granted authorities filled in and (by default) the credentials erased.
This authentication is held in the SecurityContext.
So for obtaining current principal we have to do something like:
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
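The following stand-alone class, added here as an example and not taken from the original notes, walks the whole path described above: a ProviderManager with one DaoAuthenticationProvider authenticates a request token, the result is stored in the SecurityContextHolder, and the principal is read back through a helper that also handles the "nobody is logged in" and anonymous cases, which a raw getPrincipal() chain would turn into a NullPointerException. The user "alice" and her password are constructed sample data.

```java
import java.util.List;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class PrincipalDemo {

    /** ProviderManager -> DaoAuthenticationProvider -> in-memory UserDetailsService. */
    static AuthenticationManager buildManager() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        UserDetails alice = User.withUsername("alice")          // constructed sample user
                .password(encoder.encode("s3cret"))
                .roles("USER")                                    // stored as ROLE_USER
                .build();
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new InMemoryUserDetailsManager(alice));
        provider.setPasswordEncoder(encoder);
        return new ProviderManager(List.<AuthenticationProvider>of(provider));
    }

    /** Username of the current principal, or null if nobody (or only the anonymous user) is authenticated. */
    static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return null;
        }
        Object principal = auth.getPrincipal();   // the line from the notes, now guarded
        return principal instanceof UserDetails
                ? ((UserDetails) principal).getUsername()
                : principal.toString();
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        System.out.println("before login : " + currentUsername());   // null

        Authentication request = new UsernamePasswordAuthenticationToken("alice", "s3cret");
        Authentication result = manager.authenticate(request);
        SecurityContextHolder.getContext().setAuthentication(result);   // what the filters do for you

        System.out.println("after login  : " + currentUsername());     // alice
        System.out.println("authorities  : " + result.getAuthorities()); // [ROLE_USER]
        System.out.println("credentials  : " + result.getCredentials()); // null, erased by ProviderManager

        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("rejected     : " + e.getMessage());
        } finally {
            SecurityContextHolder.clearContext();   // never leak a context across threads/requests
        }
    }
}
```

In a running web application you never call authenticate() or setAuthentication() yourself; the authentication filters do exactly this, and SecurityContextPersistenceFilter saves the context into the session. The helper is the part worth copying: checking for null and AnonymousAuthenticationToken is what keeps "current user" lookups from failing on unauthenticated requests.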
In which order do you have to write multiple intercept-url’s?
The rules are evaluated top to bottom and the first pattern that matches the request is applied. So the most specific (usually the most restrictive) patterns must come first and the catch-all pattern (for example /**) last; otherwise the broader, more relaxed rule would shadow the specific one and URLs would become accessible to users who should not reach them.
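As an added example (not from the original notes), here is the Java-config equivalent of a set of ordered <intercept-url> rules; the XML form of each rule is given in the comment beside it. The paths and role names are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class UrlAuthorizationConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific first. If .anyRequest().authenticated() (or antMatchers("/**"))
                // stood above these lines, it would match /admin/** first and every logged-in
                // user, not only admins, would get in.
                .antMatchers("/admin/**").hasRole("ADMIN")
                    // <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
                .antMatchers("/reports/**").hasAnyRole("ADMIN", "AUDITOR")
                    // <intercept-url pattern="/reports/**" access="ROLE_ADMIN,ROLE_AUDITOR"/>
                .antMatchers("/login", "/css/**").permitAll()
                    // <intercept-url pattern="/login" access="permitAll"/>
                // Catch-all last: everything not matched above needs an authenticated user.
                .anyRequest().authenticated()
                    // <intercept-url pattern="/**" access="authenticated"/>
            .and()
            .formLogin();
    }
}
```

hasRole("ADMIN") automatically prefixes ROLE_, so it matches the authority ROLE_ADMIN that the XML access attribute names explicitly. The same ordering rule applies in Spring Security 5.7+ where these calls move to a SecurityFilterChain @Bean and authorizeRequests() becomes authorizeHttpRequests().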
Is it enough to hide sections of my output (e.g. JSP-Page)?
It is not enough. Hiding a link or a section of the page only removes the convenient path; a user who types the URL directly (or guesses it) still reaches the resource.
Therefore the resource itself has to be protected with an <intercept-url> rule (or its Java-config equivalent); hiding parts of the output is a usability measure, not a security one.
Why do you need method security? What type of object is typically secured at the method
level (think of its purpose not its Java type).
If only the web layer is secured, the service layer can still be reached through other entry points: REST endpoints, remote calls, scheduled jobs or a controller that forgot a check. That is why services are usually secured at method level as well. The object typically secured this way is the business service (the bean that implements a use case), not the controller or the entity.
What do @Secured and @RolesAllowed do? What is the difference between them?
These annotations mark methods (or whole classes) as secured. Both take a list of roles and grant access when the caller holds any of them; neither supports SpEL expressions. The difference is that @Secured is a Spring Security annotation while @RolesAllowed is the standard JSR-250 annotation, so code using @RolesAllowed is not tied to Spring.
To enable @Secured or @RolesAllowed annotations:
* Java config: annotate a @Configuration class with @EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true)
* XML config: <global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
What is a security context?
The SecurityContext holds the security information of the current thread of execution, that is the Authentication object with its principal, credentials and granted authorities. It is accessed through SecurityContextHolder, which by default stores it in a ThreadLocal, so it is available anywhere in the call chain of one request without passing it around. (The security configuration itself has to live in the root web application context, because the DelegatingFilterProxy looks the filter chain bean up there.)
In which security annotation are you allowed to use SpEL?
@PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter. To use them, expression-based annotations must be enabled: set pre-post-annotations="enabled" on the <global-method-security> element in XML, or prePostEnabled = true on @EnableGlobalMethodSecurity in Java config.
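The following service, added here as an example that is not part of the original notes, puts the four kinds of annotation from the last three cards side by side, with the configuration that enables all of them. The Order type, the sample data and the method names are assumptions; @RolesAllowed needs the JSR-250 API on the classpath (javax.annotation.security, or jakarta.annotation.security on Spring 6).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import javax.annotation.security.RolesAllowed;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
class MethodSecurityConfig {
    // securedEnabled  -> @Secured
    // jsr250Enabled   -> @RolesAllowed
    // prePostEnabled  -> @PreAuthorize/@PostAuthorize/@PreFilter/@PostFilter (SpEL)
}

/** Constructed sample domain object. */
class Order {
    private final long id;
    private final String owner;
    Order(long id, String owner) { this.id = id; this.owner = owner; }
    public long getId() { return id; }
    public String getOwner() { return owner; }
}

@Service
public class OrderService {

    private final List<Order> orders = new ArrayList<>(List.of(
            new Order(1, "alice"), new Order(2, "bob"), new Order(3, "alice")));

    /** Spring annotation: plain role names, no expressions. */
    @Secured("ROLE_ADMIN")
    public int purgeAll() {
        int n = orders.size();
        orders.clear();
        return n;
    }

    /** JSR-250: same semantics as @Secured, any listed role grants access. */
    @RolesAllowed({"ROLE_ADMIN", "ROLE_SUPPORT"})
    public Optional<Order> findAny(long id) {
        return orders.stream().filter(o -> o.getId() == id).findFirst();
    }

    /**
     * SpEL: the argument must equal the authenticated user's name. #owner needs parameter
     * names at runtime (compile with -parameters or debug info), otherwise use @P("owner").
     */
    @PreAuthorize("hasRole('USER') and #owner == authentication.name")
    public List<Order> findMine(String owner) {
        List<Order> mine = new ArrayList<>();
        for (Order o : orders) {
            if (o.getOwner().equals(owner)) mine.add(o);
        }
        return mine;
    }

    /**
     * SpEL on each element of the result: rows not owned by the caller are removed.
     * The collection is filtered in place, so it must be mutable (not List.of()).
     */
    @PostFilter("filterObject.owner == authentication.name")
    public List<Order> listAll() {
        return new ArrayList<>(orders);
    }
}
```

The annotations only take effect when the call goes through the Spring proxy: a method calling another annotated method on the same instance (this.findMine(...)) bypasses the interceptor, which is a common way to lose a check. In Spring Security 5.6+ @EnableGlobalMethodSecurity is deprecated in favour of @EnableMethodSecurity, which enables the pre/post annotations by default and keeps the securedEnabled and jsr250Enabled flags.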