In the previous blog we talked about Spring MVC, one of the projects under the Spring umbrella. Another great Spring project, this time from the security point of view of the application, is Spring Security. Spring Security is a Spring-based security framework and the de facto standard for securing Spring-based applications. It provides many security features that can be used directly out of the box, such as a login form and password hashing. Spring Security targets the two major security concerns of an application, namely authentication and authorization. We'll be seeing these in depth in this blog.
Why Spring Security?
Spring Security gives you a lot of features; some of them are as follows:
- Form-based login and logout. Just adding the Spring Security starter to your Spring Boot project gives you a login page, a logout endpoint and session handling.
- Common web vulnerabilities are handled for you. CSRF protection and session-fixation protection are enabled by default, and security headers (Cache-Control, X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security over HTTPS) are sent automatically. Cross-site scripting still has to be prevented by escaping output in your own templates; the framework can only help with headers.
- Patches for newly found weaknesses arrive quickly, thanks to the large community behind the project.
- Allow or block specific URLs or resources for a particular user or role.
There are many others; you can check them out in the official Spring Security reference documentation.
5 core concepts of Spring Security
1. Authentication
Authentication is the mechanism by which the system establishes who the user is. When you log into an application, you provide some information that lets the system confirm that you are the person you claim to be; you give it proof of your identity. Broadly, three kinds of authentication are in common use.
- Knowledge-based authentication.
In this, the user provides something they know so that the system can identify them, for example a username and password, a PIN, an unlock pattern or a secret question. KBA is fine for the basic needs of an application, but it relies entirely on a secret the user knows. That secret can be phished, guessed, reused from another breach or observed, after which anyone holding it can access the user's account.
- Possession Based Authentication
In possession-based authentication (PBA for short) users are identified by something they have, for example an ID card, a key card, a hardware token, or a one-time password delivered to a device they own. PBA is stronger than KBA because an attacker has to obtain the physical object or device rather than just a piece of information. It is not immune, though: a code sent by SMS can be intercepted if the phone number is hijacked, and a device that is lost or shared can be used by someone else.
- Multifactor Authentication
In multi-factor authentication both KBA and PBA are combined (sometimes with a third factor, something the user is, such as a fingerprint). When exactly two factors are used it is called two-factor authentication (2FA). It is a more secure and robust way to identify the user, because a single stolen password is no longer enough to log in.
2. Authorization
Authorization is the step after authentication. The system has already authenticated the user; now we are interested in what that user can and cannot do. A simple example: suppose a college application has the user types student, teacher, HOD and principal, each with different authorities. A student cannot change their own marks; that needs a teacher or a higher authority. A teacher does not have the authority to create a schedule; that can only be done by the HOD or the principal. Every user is allowed some actions and denied others, and deciding what can be accessed by whom is called authorization.
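Here is what the form login and logout from the feature list and the URL authorization for the college example look like in code. This is an added example, not code from the original post or from the Spring project; it assumes Spring Boot 3 with Spring Security 6, and the URL paths, role names and the two sample accounts are made up for illustration.

```java
// Added example (not from the original post): Spring Boot 3 / Spring Security 6 configuration
// for the college application. Paths, role names and the two sample users are assumptions.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class CollegeSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Authorization: who may reach which URL. Rules are evaluated top to bottom,
            // so the specific paths come first and the catch-all comes last.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**").permitAll()
                // only a teacher may change marks; a student never reaches this path
                .requestMatchers("/marks/**").hasRole("TEACHER")
                // schedules are created by the HOD or the principal
                .requestMatchers("/schedule/**").hasAnyRole("HOD", "PRINCIPAL")
                // everything else just needs a logged-in user
                .anyRequest().authenticated())
            // Authentication: the built-in login form and logout endpoint.
            // CSRF protection and session-fixation protection stay enabled by default.
            .formLogin(Customizer.withDefaults())
            .logout(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // BCrypt: salted, deliberately slow hash. Never store the raw password.
        return new BCryptPasswordEncoder();
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        // Two constructed sample accounts; a real application loads them from a database.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("TEACHER").build(),
            User.withUsername("bob").password(encoder.encode("bob-pw")).roles("STUDENT").build());
    }
}
```

With this in place, a request to `/marks/42` from `bob` is answered with 403 even though he is logged in, while an anonymous request is redirected to the login page. Note that `roles("TEACHER")` stores the authority as `ROLE_TEACHER`, which is the string `hasRole("TEACHER")` checks for.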
3. Principal
In the context of Spring Security the principal is the currently authenticated identity. It lives inside the Authentication object held in the SecurityContext (reachable through SecurityContextHolder), and for an ordinary login it is a UserDetails object carrying the username, the password hash and the granted authorities. The application creates the principal when the user logs in, to identify the user and their authority for the rest of the session. One person can own several accounts, but each login produces its own principal; the principal is bound to the authenticated session, not to the human behind it.
4. Granted Authority
Granted authorities are the configuration on which authorization is based: they are how the application knows that a particular user may do task A but not task B. That has to be coded or configured somewhere. In Spring Security a GrantedAuthority is just a string attached to the principal (for example MARKS_WRITE or ROLE_TEACHER), and the authorization rules compare what a request needs against that set of strings.
5. Role
Authorization is very fine-grained. An application can perform thousands of tasks, so tuning access to each of them for every user individually does not scale. Roles group granted authorities into one bundle, so that when a user is created the system assigns a role instead of a list of authorities. In Spring Security a role is simply a granted authority with the ROLE_ prefix: hasRole('TEACHER') checks for the authority ROLE_TEACHER, while hasAuthority('MARKS_WRITE') checks for that exact string.
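To make principal, granted authority and role concrete, here is an added example (not from the original post or from Spring itself) for Spring Security 6. The privilege names, the role-to-privilege table and the two sample users are assumptions. A UserDetailsService like this one replaces an in-memory user store, so an application registers only one of the two.

```java
// Added example (not from the original post): principal, granted authorities and roles
// on Spring Security 6. Privilege names, the role table and the sample users are assumptions.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity // enables the @PreAuthorize checks below
class MethodSecurityConfig {}

/** Role = a named bundle of granted authorities. Loading a user expands the role into them. */
@Service
class CollegeUserDetailsService implements UserDetailsService {

    // Which fine-grained privileges each role bundles (assumed table).
    private static final Map<String, List<String>> ROLE_PRIVILEGES = Map.of(
        "STUDENT",   List.of("MARKS_READ"),
        "TEACHER",   List.of("MARKS_READ", "MARKS_WRITE"),
        "HOD",       List.of("MARKS_READ", "MARKS_WRITE", "SCHEDULE_WRITE"),
        "PRINCIPAL", List.of("MARKS_READ", "MARKS_WRITE", "SCHEDULE_WRITE"));

    private final Map<String, UserDetails> users = new HashMap<>();

    CollegeUserDetailsService(PasswordEncoder encoder) {
        // Constructed sample accounts; a real application loads them from a database.
        users.put("alice", build("alice", encoder.encode("alice-pw"), "TEACHER"));
        users.put("carol", build("carol", encoder.encode("carol-pw"), "HOD"));
    }

    private static UserDetails build(String name, String passwordHash, String role) {
        List<GrantedAuthority> granted = new ArrayList<>();
        granted.add(new SimpleGrantedAuthority("ROLE_" + role)); // what hasRole('HOD') looks for
        for (String privilege : ROLE_PRIVILEGES.get(role)) {
            granted.add(new SimpleGrantedAuthority(privilege)); // what hasAuthority('MARKS_WRITE') looks for
        }
        return User.withUsername(name).password(passwordHash).authorities(granted).build();
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        UserDetails user = users.get(username);
        if (user == null) throw new UsernameNotFoundException("no such user: " + username);
        return user;
    }
}

/** Authorization decisions expressed against the granted authorities of the principal. */
@Service
class CollegeService {
    private final Map<String, Integer> marks = new ConcurrentHashMap<>();

    @PreAuthorize("hasAuthority('MARKS_WRITE')") // fine-grained: the privilege itself
    public void updateMark(String studentId, int mark) {
        marks.put(studentId, mark);
    }

    @PreAuthorize("hasAnyRole('HOD', 'PRINCIPAL')") // coarse-grained: the role bundle
    public String createSchedule(String semester) {
        return "schedule created for " + semester;
    }
}

/** Principal: the identity behind the current request, injected from the SecurityContext. */
@RestController
class WhoAmIController {
    @GetMapping("/whoami")
    public Map<String, Object> whoAmI(@AuthenticationPrincipal UserDetails me) {
        List<String> authorities = me.getAuthorities().stream()
            .map(GrantedAuthority::getAuthority).toList();
        return Map.of("username", me.getUsername(), "authorities", authorities);
    }
}
```

Logged in as `alice`, `/whoami` reports the authorities `ROLE_TEACHER`, `MARKS_READ` and `MARKS_WRITE`, so `updateMark` is allowed and `createSchedule` throws AccessDeniedException; `carol` holds `ROLE_HOD` and may call both. The point of the table is that adding a privilege to a role changes what every holder of that role may do without touching any user record.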
Spring Security is designed to let developers focus on building better software rather than worrying about the security plumbing themselves. It is a very vast topic, so I highly recommend exploring the project yourself and reading about it in depth on spring.io, where you can also find the other Spring projects, which are pretty cool. And again, thanks for reading.