Thursday, June 25, 2009

Introduction to Spring Security

Recently I gave a presentation on the Spring Security framework. Before I talk about Spring Security itself, let me briefly explain what a security framework is all about and why it really matters.

You have heard the word “Security” many times, in day-to-day life as well as when writing even a simple computer program. The dictionary meaning of security is “the degree of protection against danger, loss and criminals”. Well, the “criminals” of the computer world are none other than attackers, commonly called “hackers”. :) I hope you are aware of what “hacker” means. :)

So let’s see why security is important for an enterprise and its software applications. In today’s world security has become an ever-moving target for an enterprise, and every enterprise wants its systems to be as secure as possible in their own right. In the IT realm security is commonly described in terms of “layers of security”, i.e. each layer must be secured in its own right. One common breakdown has the 4 layers listed below.

Transport Layer Security – generally achieved using the SSL/TLS protocol. It provides confidentiality and data integrity for data in transit over a network such as the Internet, an intranet or a VPN.

Network Security – achieved at the IP layer, e.g. using IPsec.

Data/Information Security – protecting the data itself, e.g. by encrypting or signing messages with keys bound to X.509 certificates, so the data stays protected wherever it is stored or forwarded.

Application Security – generally achieved using security frameworks such as Spring Security or the Java EE security model (authentication, authorization, session handling inside the application).

I believe you learnt about “layers of security” during your Engineering/Graduation (probably as part of a “Computer Networking” subject). :) No worries if you have forgotten; the list above gives you the basic idea, and if it is still not clear, a quick web search will help! :)

Now let’s get back to our main topic…

Here I will talk about Application Security, which is what a security framework like Spring Security takes care of. A security framework generally handles authentication, authorization (i.e. the access control mechanism), credential protection (password hashing/encoding), session management (e.g. defending against session fixation and session hijacking; man-in-the-middle attacks on the wire are the job of the transport layer, i.e. TLS), and auditing and logging.

Now let’s talk about what Spring Security (formerly Acegi Security) is. It was earlier known as the Acegi Security framework; it was merged into the Spring portfolio and is now known as Spring Security.

Spring Security provides comprehensive security services (authentication, authorization, password encoding, etc.) for Java EE based enterprise applications.

Let me explain why this framework is gaining popularity.

  • Lack of depth of security in the Servlet and EJB specifications. They only support basic authentication and authorization services: BASIC, FORM and Digest authentication, plus role-based URL and method-level authorization.
  • Those settings are also not portable at the EAR/WAR level, because realm and user-store configuration is container-specific: if you switch to another application server you may have to reconfigure everything.
  • Since Spring Security is built on the Spring core, you can leverage core Spring features such as Dependency Injection (DI), AOP (Aspect Oriented Programming), property placeholder configuration (PropertyPlaceholderConfigurer), etc.
  • Apart from that, Spring Security provides dozens of useful, fully customizable security features. I will discuss a few of them here.

Now let’s look at Spring Security’s authentication and authorization support one by one.

Authentication, i.e. “checking that the principal (a user or a system) is who it says it is”.

Spring Security integrates easily with many different authentication mechanisms. I have listed a few of them below; you can find the full list in the Spring Security reference documentation.

  • HTTP BASIC authentication
  • HTTP Digest authentication
  • HTTP Form based authentication
  • HTTP X.509 client certificate exchange
  • LDAP
  • OpenID authentication (OpenID is also gaining popularity; major companies like Google, Microsoft, Sun, Oracle and Yahoo support it. You can get more details at http://en.wikipedia.org/wiki/OpenID)
  • Computer Associates SiteMinder
  • Central Authentication Service (known as CAS, a popular Single Sign-On (SSO) system)
  • “Remember-me” authentication
  • Anonymous, Run-as and JAAS (Java Authentication and Authorization Service)
  • Container-based (e.g. Tomcat, JBoss, Jetty) authentication, via pre-authentication support

Apart from the above, the framework also integrates with Grails, Mule ESB and Tapestry and, last but not least, your own custom authentication mechanism. Spring Security also supports channel security (forcing selected URLs to be served over HTTPS) and offers integration with JCaptcha (a Java CAPTCHA library used to check that a response was not generated by a computer).

I have said a lot about the authentication support provided by the framework. Now let’s discuss its authorization support.

Authorization, i.e. “how an application grants access to content and functions to some principals and not others”.

Advanced authorization capabilities are one of the reasons this framework is gaining popularity. Whatever your authentication mechanism, you can use the framework’s authorization services in your application.

So, going by the definition of authorization, we want service-layer methods and domain objects to be accessible only to specific users, based on roles defined in a properties file, a database, LDAP or some other repository. Spring Security provides three types of security interceptor to achieve this.

  • AOP Alliance (MethodInvocation) security interceptor – secures method calls on Spring-managed beans
  • AspectJ (JoinPoint) security interceptor – secures method calls on objects that are not Spring beans, using AspectJ weaving
  • FilterInvocation security interceptor – secures HTTP requests (URL patterns) in the servlet filter chain

Don’t worry about how these interceptors work yet; I will discuss that in the next article. For now it is enough to know that an interceptor sits in front of a request or method call and does some processing on it, such as authentication, authorization, logging or auditing.

Note: Spring Security’s web-tier authentication and authorization is built on a chain of servlet Filters (method-level security uses the AOP-based interceptors above instead). I will discuss this in detail in the next article.
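As an added example (not code from the original post, which predates Spring Security’s Java configuration and would have used the XML namespace), here is how the pieces from the two sections above are wired together in Spring Security 5.x: the authentication mechanisms from the list (form login, HTTP Basic, remember-me, channel security, session fixation protection) and both kinds of authorization interceptor. The URL rules under `authorizeRequests` are enforced by the FilterSecurityInterceptor in the filter chain; the `@Secured`/`@PreAuthorize` annotations on the service bean are enforced by the AOP Alliance MethodSecurityInterceptor. The user names, passwords, URL patterns, remember-me key and the `AccountService` class are made up for illustration; in a real project the two classes go in separate files.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Service;

/**
 * Added example (Spring Security 5.x Java config), not the article's code.
 * Wires the authentication mechanisms and both authorization interceptors.
 */
@Configuration
@EnableWebSecurity
// Enables the AOP Alliance MethodSecurityInterceptor for @Secured and @PreAuthorize.
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Never store plain-text passwords; BCrypt is a slow, salted hash.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Hypothetical in-memory user store (made-up users); production code would
    // back UserDetailsService with JDBC or LDAP instead.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
                .password(encoder.encode("alice-secret")).roles("USER").build();
        UserDetails admin = User.withUsername("admin")
                .password(encoder.encode("admin-secret")).roles("USER", "ADMIN").build();
        return new InMemoryUserDetailsManager(alice, admin);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // URL rules, enforced by FilterSecurityInterceptor in the filter chain.
            // Order matters: the first matching pattern wins, so be specific first.
            .authorizeRequests(authz -> authz
                .antMatchers("/", "/login", "/css/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // Form-based login for browsers ...
            .formLogin(form -> form.loginPage("/login").permitAll())
            // ... and HTTP Basic for non-browser clients; both use the same user store.
            .httpBasic(Customizer.withDefaults())
            // Remember-me: the key signs the cookie, so use a long random per-deployment secret.
            .rememberMe(rm -> rm.key("replace-with-a-long-random-secret")
                .tokenValiditySeconds(24 * 60 * 60))
            // Channel security: any plain-HTTP request is redirected to HTTPS.
            .requiresChannel(ch -> ch.anyRequest().requiresSecure())
            // Session management: new session id on login, defeating session fixation.
            .sessionManagement(sm -> sm.sessionFixation().migrateSession());
    }
}

/**
 * Hypothetical service bean. Every call passes through MethodSecurityInterceptor,
 * so an unauthenticated or under-privileged caller gets an AuthenticationException
 * or AccessDeniedException before the method body runs.
 */
@Service
class AccountService {
    private final Map<String, Long> balancesByOwner = new ConcurrentHashMap<>();

    // Plain role check: any authenticated principal holding ROLE_USER may call this.
    @Secured("ROLE_USER")
    public long balance(String owner) {
        return balancesByOwner.getOrDefault(owner, 0L);
    }

    // SpEL rule mixing a role with a method argument: admins, or the owner
    // themselves (authentication.name is the logged-in user's name).
    @PreAuthorize("hasRole('ADMIN') or #owner == authentication.name")
    public void deposit(String owner, long amount) {
        balancesByOwner.merge(owner, amount, Long::sum);
    }
}
```

With this configuration an anonymous browser request to /admin/users is redirected to /login, a curl call with `-u alice:alice-secret` to the same URL gets 403 because alice lacks ROLE_ADMIN, and alice calling `deposit("bob", 10)` from application code is rejected by the method interceptor with an AccessDeniedException, while `deposit("alice", 10)` succeeds. Nothing in the service code itself checks roles; that is the point of the interceptor approach.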

I hope you now have a basic understanding of Spring Security and its features. In the next article I will show, with an example, how a simple web application can easily be configured with Spring Security. It is mostly configuration and very little coding; I am sure you will be happy about that. :)

I would also suggest exploring other security libraries in the Java EE arena, such as Java EE Security, the OWASP (Open Web Application Security Project) Enterprise Security API (ESAPI), Bouncy Castle and jGuard.

Don’t forget to visit my next article, which will be a continuation of this one! Have a nice day :)

1 comment:

Surabhi said...

Pretty good ... am working on the same stuff here ... we are trying to integrate the Acegi framework for a Spring based application.

Lets see...
How are things at your end?
Ciao!
Surabhi
