Spring Security 3. rpafktl Pen source. intruders with this easy to follow practical guide. Secure your web applications against malicious

Spring

Security

3

Secure

_{your web}

_{applications against}

malicious

intruders

with

this

_easy

to

follow

_practical

_guide

Peter Mularien

rpAfKTl°Pen

source

II nv.IV I I communityexperiencedistilled

cfb

<A>

PUBLISHING

Table of Contents

Preface 1

Chapter

1:

_Anatomy

ofan Unsafe Application 9

Security

audit 10

About the_sample

_application

10

The JBCP _{pets application} architecture 11

Application

technology 12

Reviewing

the audit results 13

Authentication 15

Authorization 16

Database Credential

_Security

16

Sensitive Information 17

Transport-Level Protection 17

Using Spring

Security 3 to address

_security

concerns 18

Why

Spring Security? 18

Summary

19

Chapter

2:

_Getting

Started with

_{Spring Security}

21

Core_{security concepts} 22

Authentication 22

Authorization 23

Securing

our

application

in three easy_steps 26

Implementing

a

Spring Security

XMLconfiguration file 26

Adding

the _{Spring DelegatingFilterProxy}to your web.xmlfile 27

Adding

the _Spring

_Security

XML

_{configuration}

file referencetoweb.xml 28

Mind the

_gaps!

30

Common_problems 31

Security is _complicated: The architecture of secured web_requests 32

How_requests are

processed?

32

How users areauthenticated? 37

What is_{spring_security_login}andhowdidwe_gethere? 41

Where do theuser's credentials_getvalidated? 43 Whengoodauthenticationgoes bad? 44

How

_requests

are authorized? 45

Configurationofaccessdecisionaggregation 49

Access_{configuration using spring expression language} 51

Summary 55

Chapter

3:

_Enhancing

the User

_Experience

57

Customizing

the

_login

_page 57

Implementing a custom

login

_page 59

Implementingthe_logincontroller 59

AddingtheloginJSP 60

ConfiguringSpring Securitytouse ourSpring MVClogin _page 61

Understanding logout functionality

63

Addinga _Log Out linktothe site header 63

How_logoutworks 64

Changingthe_logoutURL 66

Logoutconfigurationdirectives 66

Rememberme 67

Implementingthe remember me option 67

How rememberme works 68

Remembermeand theuserlifecycle 71

Remembermeconfigurationdirectives 72

Is remember mesecure? 73

Authorization rules_{differentiating}remembered and_fullyauthenticated sessions 74 Building an IP-aware remembermeservice 75

Customizingthe rememberme_signature 79

Implementing password change

management 80

Extending

the

_in-memory

credentialstore to_support

_{password change}

80 Extending InMemoryDaolmpIwith InMemoryChangePasswordDaolmpI 81

Configuring Spring Securitytouse InMemoryChangePasswordDaolmpI 82

Buildingachange password _page 83

Addingachange passwordhandler to AccountController 84

Exercise notes 85

Summary 86

Chapter

4:

Securing

Credential Storage 87

Database-backed authentication with

_Spring

_Security 88

Configuring

a database-resident authentication store 88

Creatingthe default_{Spring Security} schema 88

Configuringthe HSQL embedded database 89

Configuring JdbcDaolmpIauthenticationstore 89 Addinguserdefinitions to the schema 90

Table_ofContents Howdatabase-backed authentication works 90

Implementing

a customJDBC UserDetailsService 92

Creating acustom JDBC UserDetailsService class 92

AddingaSpringBean declaration for the custom UserDetailsService 92

Out of thebox JDBC-based usermanagement 93

Advanced

_{configuration}

of_JdbcDaolmpI 95

Configuring

group-based authorization 96

Configuring JdbcDaolmpItouse _groups 97

Modifyingtheinitialload SQL_script 97

Modifyingtheembeddeddatabase creation declaration 98

Using a

_legacy

orcustom schemawith database-resident authentication 98 Determiningthe correctJDBCSQL_queries 99

Configuringthe_JdbcDaolmpItouse customSQLqueries 100

Configuring

secure_{passwords 101}

Configuring password encoding

104

ConfiguringthePasswordEncoder 104

ConfiguringtheAuthenticationProvider 104

Writingthe database_{bootstrappassword encoder} 105

Configuringthe_{bootstrap password} encoder 105

Would you likesomesalt withthat

password?

106

Configuring

a salted_password 108

Declaringthe SaltSource_Springbean 109

Wiringthe PasswordEncoder to the SaltSource 109

Augmenting DatabasePasswordSecurerBean 109

Enhancing

the

_{change password functionality}

111

Configuring

a custom saltsource 111

Extendingthe database schema 112

Tweaking configurationofthe_{CustomJdbcDaolmpI}UserDetails service 112

Overridingthe baselineUserDetailsimplementation 113

Extendingthe_{functionality}ofCustomJdbcDaolmpI 113

Moving remembermetothe database 115

Configuring

database-resident remember metokens 115

AddingSQLto createtherememberme schema 115

Adding newSQLscripttotheembeddeddatabase declaration 116

Configuringremembermeservicestopersisttothedatabase 116 Are database-backed _persistenttokens more secure? 116

Securing

your sitewith SSL 117

Setting

up

Apache

Tomcat for SSL 117

Generatinga serverkeystore 118

ConfiguringTomcat's SSL Connector 118

Automatically securing portions

of the site 119

Secure_{port mapping} 121

Chapter

5: Fine-Grained Access Control 123

Re-thinking application

functionality

and _security 124

Planning for _application

_security

124

Planning

user roles 124

Planning page-level security

126

Methods of Fine-Grained authorization 127

Using

Spring Security Tag Libraryto _{conditionally} rendercontent 128 Conditional_renderingbased onURLaccessrules 128

Conditional_rendering based onSpring ELExpressions 129

Conditionallyrenderingthe_SpringSecurity2_way 130

Using

controller

_logic

to

_{conditionally}

render content 131

Adding conditional displayof the_LogIn link 131

Populatingmodeldatabased onusercredentials 132

Whatis the best_way to

_{configure in-page}

authorization? 132

Securing

the business tier 134

The basics of

_securing

businessmethods 135 Adding @PreAuthorizemethod annotation 136

Instructing SpringSecurityto usemethod annotations 136

Validatingmethod_security 136 Several flavors of method _security 137 JSR-250_compliantstandardizedrules 137 Method_{security using Spring's ©Secured}annotation 139 Method_securityrules_{using Aspect}Oriented_Programming 139

Comparingmethod authorization_types 140

How does method

_security

work? 141 Advanced method_security 144

Method _security rules _using bean decorators 145

Method

_security

rules

_{incorporating}

method _parameters 147 Howmethod _parameter

_binding

works 147

Securing

method data

_through

Role-based

_filtering

149

AddingRole-baseddata_filteringwith _@PostFilter 150

Pre-filteringcollectionswith method _@PreFilter 152

Whyuse a@PreFilteratall? 153 A fair_warning about method

_security

154

Summary 155

Chapter

6: Advanced

_{Configuration}

and Extension 157

Writing

a custom _security filter 158

IP

_filtering

at the servlet filter level 158

Writingourcustom servlet filter 158

Configuring the IP servlet filter 160

TableofContents

Writing

a custom AuthenticationProvider 162

Implementing simple single sign-on

with anAuthentication Provider 162

Customizingthe authentication token 163

Writingthe_requestheader_processing servlet filter 164

Writingthe_request header AuthenticationProvider 166

Combining AuthenticationProviders 167

Simulating single sign-on

with

_request

headers 169

Considerations when

_writing

acustom AuthenticationProvider 170

Session _managementand_concurrency 170

Configuring

session fixation

_protection

171

Understandingsession fixation attacks 171

Preventingsessionfixation attackswithSpring Security 172

Simulatingasession fixation attack 173

Comparing session-fixation-protection options 175

Enhancing

user

protection

with concurrent session control 176

Configuringconcurrent session control 176

Understandingconcurrent session control 177

Testingconcurrent session control 178 Configuringexpiredsessionredirect 179

Other benefits ofconcurrent session control 179

Displayingacount ofactiveusers 179

Displayinginformation about allusers 180

Understanding

and

_configuring

_{exception handling} 182

Configuring

"Access Denied"

_handling

184

Configuringan"Access Denied" destination URL 184

Addingcontroller_handlingof_{AccessDeniedException} 184

Writingthe Access Denied page 185 Whatcauses anAccessDeniedException 186

The

_importance

of the

_{AuthenticationEntryPoint}

187

Configuring Spring Security

infrastructure beansmanually 188 A_high level overviewof

_{Spring Security}

bean dependencies 189

Reconfiguring the web_application 189

Configuring

a minimal Spring Securityenvironment 190

Configuringaminimal servlet filter set 191

Configuringaminimal supporting objectset 195

Advanced _{Spring Security} bean-based

_{configuration}

196

Adjusting

factors related to session

_lifecycle

196

Manual

_{configuration}

of other common services 197

Declaring remaining missingfilters 198

LogoutFilter 198

RememberMeAuthenticationFilter 199

ExceptionTranslationFilter 202

Bean-based

_{configuration}

ofmethod

_security

203

Wrapping

up

explicit configuration

204

Which _type of

_{configuration}

should I choose? 204 Authenticationevent _handling 205

Configuring

an authentication event listener 207

Declaring requiredbean_dependencies 207

Buildingacustomapplicationevent listener 207

Out of theboxApplicationListeners 208

Multitudes of

_application

events 209

Building

a custom implementation ofan SpEL expression handler 210

Summary 211

Chapter

7: Access Control Lists 213

Using

Access Control Lists for business

_{object security}

213

Access Control Lists in

_Spring

_Security 215 Basic

_{configuration}

of_Spring

_Security

ACL

_support

217

Defining a_{simple target} scenario 217

AddingACLtablesto the HSQL database 218

Configuring

the Access Decision

_Manager

220

Configuring supporting

ACL beans 221

Creating

a

_simple

ACL _entry 226

Advanced ACL_topics 227

How _permissionswork 228

Custom ACL

_permission

declaration 231

ACL-Enabling

yourJSPs with the _Spring

_Security

JSP

_{tag library}

234

Spring Expression

Language

support

forACLs 235

Mutable ACLs and authorization 237 Configuringa Springtransaction manager 238

InteractingwiththeJdbcMutableAclService 239

Ehcache ACL

_caching

241 Configuring Ehcache ACL_caching 241 How_SpringACLusesEhcache 242

Considerations fora _typicalACL _deployment 243 About ACL

_scalability

and_performance

_modelling

243

Do not discount custom_development costs 245

Should Iuse

Spring Security

ACL? 247

Summary 247

Chapter

8:

_Opening

_up to

_OpenID

₂₄₉

The

_promising

world of_OpenID 249

Table_ofContents

Enabling OpenID

authentication with

_Spring

Security 252

Writing

an

_{OpenID login}

form 252

Configuring OpenID

supportin

_{Spring Security}

253

Adding

OpenIDusers 254

The _OpenIDuser _{registration problem} 255

How

_OpenID

identifiers are resolved 255

Implementing user

_registration

with OpenID 258

Addingthe_{OpenID registration option} 258

Differentiatingbetweenaloginandregistration request 259

Configuringacustom authentication failure handler 260

Addingthe OpenIDregistration functionalitytothe controller 260

Attribute

_Exchange

264

EnablingAX in_{Spring Security OpenID} 265

Real-worldAX_supportand limitations 267

Google

OpenID support 267

Is

_OpenID

secure? 268

Summary 269

Chapter9: LDAP

Directory

Services 271

Understanding

LDAP 272

LDAP 272

Common LDAP attribute names 273

Running anembedded LDAP server 275

Configuring

basic LDAP _integration 275

Configuring

an LDAPserverreference 275

Enabling

the LDAP AuthenticationProvider 276

Troubleshooting

embedded LDAP 276

Understanding how

_Spring

LDAP authentication works 277

Authenticating usercredentials 278

Determining

userrolemembership 279

Mapping

additional attributes of UserDetails 282

Advanced LDAP

_{configuration}

283

SampleJBCP LDAP users 283

Password

_comparison

versus Bind authentication 284

Configuringbasic_{password comparison} 285 LDAP_{password encoding} and_storage 285 The drawbacks ofaPasswordComparisonAuthenticator 286

Configuringthe

_{UserDetailsContextMapper}

287

Implicit configurationofaUserDetailsContextMapper 287

Viewingadditionaluserdetails 287

Using

LDAP as a UserDetailsService 290 Notes about remembermewithan LDAP UserDetailsService 291

ConfigurationforanIn-Memoryremembermeservice 291

Integrating

with an external LDAP server 292

Explicit

LDAP bean

_{configuration}

292

Configuring

an external LDAPserverreference 293

Configuring an

LdapAuthenticationProvider

293

Integrating

with Microsoft Active _Directory via LDAP 294

Delegating

role _discoverytoa UserDetailsService 297

Summary

298

Chapter

10:

_{Single Sign}

On with Central Authentication Service 299

Introducing Central AuthenticationService 299

High

levelCAS authentication flow 300

Spring

Security and CAS 301

CAS installation and

_{configuration}

302

Configuring

basic CAS

_integration

303

Adding the

_{CasAuthenticationEntryPoint}

304

Enabling CAS ticket verification 305

Proving authenticity

with the CasAuthenticationProvider 307 Advanced CAS

_{configuration}

309

Retrievalofattributesfrom CAS assertion 309 How CAS internal authentication works 310

ConfiguringCAStoconnect toourembedded LDAPserver 311

GettingUserDetails froma CASassertion 314

Examiningthe CAS assertion 315

MappingLDAP attributes to CAS attributes 316

Finally,returningthe attributes in the CAS assertion 318 AlternativeTicketauthentication usingSAM L1.1 319 How isAttribute Retrieval useful? 320

Additional CAS

_capabilities

321

Summary

322

Chapter

11: Client Certificate Authentication 323

How ClientCertificate authentication works 324

Setting

upa Client Certificate authenticationinfrastructure 326

Understanding

the purpose ofa _{public key}infrastructure 326

Creating

a client certificate

key

pair 327

Configuring

the Tomcat trust store 328

Importing

the certificate

_key

_pairinto a browser 330

UsingFirefox 330

TableofContents

Wrapping

up

testing

331

Troubleshooting ClientCertificateauthentication 332

Configuring

ClientCertificate authentication in

_{Spring Security}

333

Configuring

Client Certificate authentication _using

the _{security namespace} 333

How

_{Spring Security}

usescertificate information 334

HowSpring Securitycertificate authentication works 335

Other loose ends 337

Supporting

Dual-Mode authentication 338

Configuring

Client Certificateauthentication_using

_Spring

Beans 340 Additional

_capabilities

of bean-based

_{configuration}

341 Considerationswhen

_implementing

Client Certificate authentication 342

Summary

343

Chapter

12:

_{Spring Security}

Extensions 345

Spring

Security

Extensions 345

A

_primer

on Kerberos and SPNEGO authentication 346

Kerberos authentication in

_{Spring Security}

349

Overall Kerberos

_{Spring Security}

authentication flow 349

Getting prepared

350

Assumptionsforourexamples 351

Creating akeytabfile 352

Configuring

Kerberos-related

_Spring

beans 353

Wiring

SPNEGO beansto the

_security

_namespace 355

Addingthe_Application Server machine to a Kerberos realm 357

Special

considerations for Firefox users 358

Troubleshooting

358

Verifying connectivitywith standard tools 359

EnablingJava GSS-API_debugging 359

Other_{troubleshooting steps} 360

Configuring

LDAP UserDetailsServicewithKerberos 361

Using

form _login with Kerberos 362

Summary

364

Chapter

13:

_Migration

to

_Spring

Security 3 365

Migrating

from

_{Spring Security}

2 365

Enhancements in _{Spring Security} 3 366

Changes

to

_{configuration}

in Spring Security 3 367

Rearranged AuthenticationManager

configuration 367

New_{configuration syntax}for session

_{management options}

368

of

ChangestoCustomAfterlnvocationProvider 370

Minor

_{configuration changes}

371

Changes to

_packages

and classes 371

Summary 373

Appendix: Additional Reference Material 375

Getting

startedwith JBCP Pets_sample code 375

Available

_application

events 376

Spring

Security

virtual URLs 379

Method_security

_explicit

bean

_{configuration}

379

Logical

filternames _migration reference 382