Introduction

• Spring Security is a powerful and highly customizable authentication and access-control framework.
• It is supplied as a "ready made aspect" , from spring security framework , that can be easily plugged in spring MVC application or RESTful web service.
• It is "THE" standard for securing Spring-based applications. Spring Security is a framework that focuses on providing both authentication and authorization to Java applications.
• Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.

Features

1. Comprehensive and extensible support for both Authentication and Authorization
2. Protection against attacks like session fixation, clickjacking, cross site request forgery(CSRF), etc..
3. Servlet API integration (Uses Servlet Filter chain)
4. Integration with Spring Web MVC.

Spring Security Architecture

Development Steps

1. Add Spring Security Starter Dependency
   • Add spring security starter dependency in pom.xml
   • Effect -> all end points - protected (secured) - in accessible
     • Entire spring boot app
       • under the authentication lock.
2. Defaults Offered by Spring Security
   • protects all endpoints (including swagger)
   • supplies auto generated login n logout pages
     • to support form login based authentication
     • suitable in MVC web applications
   • supports HTTP Basic authentication for REST clients
   • suplies default user
     • name : user
     • password - randomly generated by spring security
   • Offers CSRF(Cross Site Request Forgery) protection
     • Creates HttpSession object , to store spring security context (info)
   • 2.1 Why CSRF protection is NOT required in REST APIs ?
     • CSRF attacker basically uses cookies to forge your requests, to the vulnearable web site.
     • Since in RESTful web service , we will NOT use HttpSession or jsessionid cookie (since its stateless architecture) , you can disable the CSRF protection.
     • It's definitely required in monolithic web app using HttpSession.
   • 2.2 Customize spring security , by adding security config class
     • disable CSRF protection
     • session creation policy - stateless
     • disable form login based authentication
     • enable basic authentication scheme , for REST clients
     • replace spring security generated user name (user) n password by custom user name n password.
       • using application.properties file.
   • 2.2 Identify Security requirements for your backend application
     • any one (un protected => permit all ) should be able to access
       • swagger ui , user sign in , user sign up , list all available restaurants
     • only authenticated users
       • should be able assign address
     • only user logged in under customer role
       • should be able to place order
     • only user logged in under admin role
       • should be able to add food item | update restaurant | delete restaurant
3. Add User Details in Application Properties
   • Add spring sec user name n password in app properties file , to replace auto generated details.
     • user details are stored in mem.
4. Test Endpoints
   • Test end points using
     • browser - form login
     • postman - basic auth.
   • 4.2 Add Spring security configuration
     • to disable CSRF protection
     • (Since CSRF protection is required in - stateful web app n not in stateless REST APIs - where entire state management is done on client side)
5. Authentication Done, No Authorization
   • Authentication was done BUT no authorization!
6. Override Defaults
   • To override defaults -
     • create spring configuration class
     • Annotations
       • @Configuration
       • @EnableWebSecurity
       • @EnableMethodSecurity
7. Add User Details Service Bean
   • Add a Bean (@Bean annotated method)
     • to supply user details
       • using ready made imple class of UserDetailsService i/f
         • InMemoryUserDetailsManger - class
           • added user details (name , pwd, Collection roles)
           • UserDetails - i/f - implemented by User class - spring sec class
8. Add Security Filter Chain Bean
   • Add a Bean (@Bean annotated method)
     • to supply authorization rules, disable form login , disable CSRF ,enable basic auth , disable session ,
     • To return : SecurityFilterChain
     • Depcy (method arg) - HttpSecurity
     • disable CSRF protection (since RESTful web service - stateless)
     • authorized HTTP reqs
       • permit all
         • swagger ("/v*/api-docs/","/swagger-ui/")
         • user siginin , user signup
         • public end points (eg - view products , check available flights...)
       • only authentication (eg - add product to cart)
       • authentication + authorization (eg - add product)
       • disable form login
       • enable basic auth (to be replaced later by JWT - more secure)
       • HTTP session management - disable HTTP session