Spring Security
[ Security Reloaded ]
Topics
• What is security?
• Acquiring & integrating Spring Security
• HTTP BASIC authentication (Basic & Form Login/Logout options)
• Authorization
• Security Interceptors, Filters
• Authentication Manager & Provider, Authorization Manager & Provider
• Advanced integration concepts
By: SAURABH SHARMA | http://javazone.techsharezone.com 2
What is security?
• Spring Security provides comprehensive security services for J2EE-based enterprise
software applications. It is powerful, flexible and pluggable.
• Formerly known as “Acegi Security”.
• Authentication – Database, LDAP, CAS, OpenID, Pre-Authentication, custom, etc.
• Authorization – URL based, Method based (AOP)
• It is not a firewall, proxy server, intrusion detection system, OS security, JVM security,
etc.
Major Operations
• Authentication (Prove you are who you say you are!) – the process of establishing a
principal (a user, system, etc. that can perform an action in the application).
• Authorization (We know who you are, but are you allowed to access what
you want?) – the process of deciding whether a principal is allowed to perform an
action (access control -> admin, leader, member, contractor, anonymous,
etc.). The authentication process establishes the identity of the principal, which is
then used for the authorization decision.
Servlet Filters
Security Use Case
Spring Security Setup
• JARs
• Schema
Basic Architecture
Configuration 1
• WEB-INF/web.xml
Proxies requests to the Spring bean with ID “springSecurityFilterChain”
Filter Proxy
FilterChainProxy (springSecurityFilterChain) Pseudocode
Unauthorized Request to a Protected Resource
Configuration 2
• WEB-INF/spring-security.xml
Ant Patterns
• Spring Security uses an “AntPathRequestMatcher” to determine whether a configured pattern
matches the current request URL. The following rules are used when matching:
a. Query parameters are not included in the match.
b. The contextPath is not included in the match.
c. ? matches exactly one character.
d. * matches zero or more characters, but never the directory delimiter (/).
e. ** matches zero or more ‘directories’ in a path.
Ant patterns - Examples
• Ant pattern examples that assume a context path of /messages
Cont…
Cont..
• Be careful when using pattern matching
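As an added illustration (not from the slides), here is a small Python model of the five matching rules listed above, run against constructed request URIs under the /messages context path from the examples slide. The pattern/URI pairs and the pitfalls they show (a `*` rule that leaves the parent path and nested paths uncovered, a bare `/admin*` that also covers `/administrator`) are my own cases, not the deck's examples.

```python
import re
from urllib.parse import urlsplit


def ant_to_regex(pattern: str):
    """Translate an Ant-style pattern using the slide's rules c-e:
    ? = one character, * = zero or more characters inside one segment,
    /** = zero or more whole directories (including none)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")   # zero or more directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")      # never crosses a '/'
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def matches(pattern: str, request_uri: str, context_path: str = "") -> bool:
    """Mimic AntPathRequestMatcher: drop the query string (rule a) and the
    servlet context path (rule b), then match what remains."""
    path = urlsplit(request_uri).path
    if context_path and (path == context_path or path.startswith(context_path + "/")):
        path = path[len(context_path):] or "/"   # simplification: bare context root -> "/"
    return ant_to_regex(pattern).fullmatch(path) is not None


# Constructed sample requests, all under a /messages context path (as on the slide).
PITFALLS = [
    ("/admin/*",  "/messages/admin/users",           True),   # exactly one segment
    ("/admin/*",  "/messages/admin/users/1",         False),  # * stops at '/': nested path NOT covered
    ("/admin/*",  "/messages/admin",                 False),  # the parent path itself is NOT covered
    ("/admin/**", "/messages/admin",                 True),   # ** allows zero directories
    ("/admin/**", "/messages/admin/users?role=root", True),   # query string is ignored
    ("/admin*",   "/messages/administrator",         True),   # broader than intended
    ("/user?",    "/messages/user1",                 True),
    ("/user?",    "/messages/user12",                False),
]


def verify_pitfalls() -> bool:
    """True when every constructed case behaves as the comment beside it claims."""
    return all(matches(p, u, "/messages") == exp for p, u, exp in PITFALLS)
```

The defensive takeaway is the two False rows for `/admin/*`: a rule written that way leaves `/admin` and `/admin/users/1` to whatever the fallback rule grants, so protect subtrees with `/admin/**`.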
Request login page
Authenticating via username & password