Spring boot security basics

-
Hello geeks, here i came up with another blog series on spring security, Where I am going to explore some of the basic concepts behind the spring boot security as well as hands on examples. 



This is going to be the first blog in this series on spring boot security, so please follow all blogs in order to better understanding of the concepts.

                                                Before we begin to deep dive into spring security, we need to under stand why we need application level security. Since we have already OS level security, server level security then why we need this application level security. The answer is pretty much self explanatory, since we are developing APIs in java, these end points are explicitly exposed to end user that's why all the already applied security on OS level and server are forcefully by passed here.

So, all in all we need another application level security here. For this spring security came to the rescue here.



     In real spring security is a filters standing between your application and  all the incoming request coming to the application server. It verifies each and every request made to server and validates it, is it authenticated and authorized to access the requested end point on the basis of some pre defined authorized and authentication rules.


So, Spring security is an application frame work which provides:
  •  Login and logout functionality.
  •  Allow/block access to URLs to users.
  •  Allow/block access to URLs to logged in users and with certain roles(access control).
It handles a lots of vulnerabilities on it's own with providing any extra configurations, like Session fixationsclick jacking, click site and request forgery.

Types of authentication can be achieved using spring boot are as follows:-

  • Username/password base authentication
  • SSO/Okta/LDAP (Single sign on authorization)
  • App level authorization
  • Intra App authorization using OAuth
  • Micro-Service security
  • Method level security

5 core concepts in spring-security

 

  •  Authentication: It is a way to uniquely identifies the requesting user by tany one of the following methods:-

    Knowledge based authentication by providing user name/password or pin or question ( like pet name etc.) that are actually provided by end user at the time of registration.
    Possession base authentication is some thing like only you are at the possession of providing that information like OTP, access card etc, that only you can have this.
    Multi factor authentication is the combination of both above knowledge base and possession based authentication to make sign in more secure.

  • Authorization: It is a boolean check that confirms that is requested user is eligible to perform requested operation or not.

  • Principal: It is the environment or preferences a user has configured to his account, you can things principal as current logged in user. where he has configured things according to his preferences, this may be different for different user account.

  • Granted Authority: It is a list of authorized activities to a particular user account. Like a user can  view his balance, language preferences, transactions history. But he is not allowed to delete a particular transaction history.

  • Role: It is the granted authority, or you can say it is a collection of granted authority based on certain position like admin has approx all granted authority present into the system but a user has not. So admin and users are two different role here.

    That's all required core concepts to dive into spring security, in the next blog I will implement a sample spring boot service using spring security. 

    Hope you enjoyed this blog and find this useful.
Location: Rourkela, Odisha, India

Comments

Post a Comment

Popular posts from this blog

Jasper report integration in Spring boot/Spring MVC.

-
Image
Hi folks,                   Here we came up with another interesting poc, which is the necessity of almost every project when its come to reporting. Jasper reporting is one of the powerful and secure reporting tool available in market.                 In this blog post we are leveraging the power of it to generate a pdf/html report with dynamic data populated by the backend and making the generated report as a downloadable form on the client.  Before we deep dive into coding part, let me set up the context of POC application.  We are creating a Spring Boot starter web project with dependency of jasper and jstl.  We are using a few UI cdn libraries to render UI and make backend call from UI.  Then after we will hit rest API from UI and get downloadable report into browser/client. Here are the pom dependencies. Pom.xml <?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2
Read more

FireBase Crud operation in Spring Boot

-
Image
                       Hello Geeks, hope you are healthy and doing well in this tough time. In this particular blog post, I am going to share the simple way in which you can connect to Google's firebase real-time database. Of course, we will use some of the basic dependencies to connect our spring boot to firebase. I am going to use maven based configuration. Here, I am sharing a sample spring boot application with simple crud operation on firebase real-time DB. So, first of all, initialize our application from the  spring initializer  and extract, import the downloaded project into your favorite IDE. Dependencies I am adding here : Spring boot starter web Spring firebase admin Here is my pom.xml. <?xml version="1.0" encoding="UTF-8"?> <project xmlns= "http://maven.apache.org/POM/4.0.0" xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation= "http://maven.apache.org/POM/
Read more

Hybris Overview and b2c installation initialization

-
Image
Hi Geeks,                  This is my first blog after a long gap. Today I'm going to share step by step process to set up an e-commerce suite with installation and initialization. Hybris is one of the trending eCommerce suites in the market along with its competitors.               Table of Content 1. Overview 2. Prerequisites before installation 3. Installation 4. Initialization 5. Verifying Installation 6. URLs Overview             Hybris is a  multichannel e-commerce product management solution. Key competitors of Hybris are Oracle's ATG, Open Source Magento, IBM's WebSphere Commerce. Hybris is a set of individual extensions. It is an omnichannel commerce solution. In 1997, it is initialized by a Switzerland company named Hybris. Later in August  2013, it is acquired by SAP. You need a license to run hybris.  Hybris run of java and core concept of spring framework. It leverages all-powerful concepts of Java, Jquery, JDBC, and Spring concepts like dependency injection,
Read more