Spring Security(Third Edition)
Mick Knutson, Robert Winch, Peter Mularien
Updated: 2021-07-02 23:10:56
Latest chapter: Supplementary materials
Cover
Copyright information
Credits
About the Authors
About the Reviewers
www.Packtpub.com
Why subscribe?
Customer Feedback
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
Anatomy of an Unsafe Application
Security audit
About the sample application
The JBCP calendar application architecture
Application technology
Reviewing the audit results
Authentication
Authorization
Database credential security
Sensitive information
Transport-level protection
Using Spring Security 4.2 to address security concerns
Why Spring Security?
Summary
Getting Started with Spring Security
Hello Spring Security
Importing the sample application
Updating your dependencies
Using Spring 4.3 and Spring Security 4.2
Implementing a Spring Security XML configuration file
Updating your web.xml file
The ContextLoaderListener class
ContextLoaderListener versus DispatcherServlet
The springSecurityFilterChain filter
The DelegatingFilterProxy class
The FilterChainProxy class
Running a secured application
Common problems
A little bit of polish
Customizing login
Configuring logout
The page isn't redirecting properly
Basic role-based authorization
Expression-based authorization
Conditionally displaying authentication information
Customizing behavior after login
Summary
Custom Authentication
JBCP calendar architecture
The CalendarUser object
The Event object
The CalendarService interface
The UserContext interface
The SpringSecurityUserContext interface
Logging in new users using SecurityContextHolder
Managing users in Spring Security
Logging in a new user to an application
Updating SignupController
Creating a custom UserDetailsService object
The CalendarUserDetailsService class
Configuring UserDetailsService
Removing references to UserDetailsManager
The CalendarUserDetails object
The SpringSecurityUserContext simplifications
Displaying custom user attributes
Creating a custom AuthenticationProvider object
CalendarUserAuthenticationProvider
Configuring the CalendarUserAuthenticationProvider object
Authenticating with different parameters
The DomainUsernamePasswordAuthenticationToken class
Updating CalendarUserAuthenticationProvider
Adding domain to the login page
The DomainUsernamePasswordAuthenticationFilter class
Updating our configuration
Which authentication method to use?
Summary
JDBC-Based Authentication
Required dependencies
Using the H2 database
Provided JDBC scripts
Configuring the H2 embedded database
Configuring a JDBC UserDetailsManager implementation
The default user schema of Spring Security
Defining users
Defining user authorities
The UserDetailsManager interface
Group-based access control
Configuring group-based access control
Configuring JdbcUserDetailsManager to use groups
Utilizing GBAC JDBC scripts
The group-based schema
Group authority mappings
Support for a custom schema
Determining the correct JDBC SQL queries
Updating the SQL scripts that are loaded
The CalendarUser authority SQL
Inserting custom authorities
Configuring JdbcUserDetailsManager to use custom SQL queries
Configuring secure passwords
The PasswordEncoder method
Configuring password encoding
Configuring the PasswordEncoder method
Making Spring Security aware of the PasswordEncoder method
Hashing the stored passwords
Hashing the passwords of new users
Not quite secure
Using salt in Spring Security
Updating the Spring Security configuration
Migrating existing passwords
Updating DefaultCalendarUserService
Trying out the salted passwords
Summary
Authentication with Spring Data
Spring Data JPA
Updating our dependencies
Updating the JBCP calendar to use Spring Data JPA
Reconfiguring the database configuration
Initializing the database
Refactoring from SQL to ORM
Mapping domain objects using JPA
Spring Data repositories
Data access objects
Application services
The UserDetailsService object
Refactoring from an RDBMS to a document database
Document database implementation with MongoDB
Updating our dependencies
Reconfiguring the database configuration in MongoDB
Initializing the MongoDB database
Mapping domain objects with MongoDB
Spring Data repositories of MongoDB
Data access objects in MongoDB
Summary
LDAP Directory Services
Understanding LDAP
LDAP
Common LDAP attribute names
Updating our dependencies
Configuring an LDAP server reference
Enabling the LDAP AuthenticationProvider interface
Troubleshooting embedded LDAP
Understanding how Spring LDAP authentication works
Authenticating user credentials
Demonstrating authentication with Apache Directory Studio
Binding anonymously to LDAP
Searching for the user
Binding as a user to LDAP
Determining user role membership
Determining roles with Apache Directory Studio
Mapping additional attributes of UserDetails
Advanced LDAP configuration
Sample JBCP LDAP users
Password comparison versus bind authentication
Configuring basic password comparison
LDAP password encoding and storage
The drawbacks of a password comparison authenticator
Configuring the UserDetailsContextMapper object
Implicit configuration of UserDetailsContextMapper
Viewing additional user details
Using an alternate password attribute
Using LDAP as UserDetailsService
Configuring LdapUserDetailsService
Updating AccountController to use LdapUserDetailsService
Integrating Spring Security with an external LDAP server
Explicit LDAP bean configuration
Configuring an external LDAP server reference
Configuring the LdapAuthenticationProvider interface
Delegating role discovery to UserDetailsService
Integrating with Microsoft Active Directory via LDAP
Built-in AD support in Spring Security 4.2
Summary
Remember-Me Services
What is remember-me?
Dependencies
The token-based remember-me feature
Configuring the token-based remember-me feature
How the token-based remember-me feature works
MD5
Remember-me signature
Token-based remember-me configuration directives
Is remember-me secure?
Authorization rules for remember-me
Persistent remember-me
Using the persistent-based remember-me feature
Adding SQL to create the remember-me schema
Initializing the data source with the remember-me schema
Configuring the persistent-based remember-me feature
How does the persistent-based remember-me feature work?
JPA-based PersistentTokenRepository
Custom RememberMeServices
Cleaning up the expired remember-me sessions
The remember-me architecture
Remember-me and the user life cycle
Restricting the remember-me feature to an IP address
Custom cookie and HTTP parameter names
Summary
Client Certificate Authentication with TLS
How does client certificate authentication work?
Setting up the client certificate authentication infrastructure
Understanding the purpose of a public key infrastructure
Creating a client certificate key pair
Configuring the Tomcat trust store
Configuring Tomcat in Spring Boot
Importing the certificate key pair into a browser
Using Firefox
Using Chrome
Using Internet Explorer
Wrapping up testing
Troubleshooting client certificate authentication
Configuring client certificate authentication in Spring Security
Configuring client certificate authentication using the security namespace
How does Spring Security use certificate information?
How Spring Security certificate authentication works
Handling unauthenticated requests with AuthenticationEntryPoint
Supporting dual-mode authentication
Configuring client certificate authentication using Spring beans
Additional capabilities of bean-based configuration
Considerations when implementing client certificate authentication
Summary
Opening up to OAuth 2
The promising world of OAuth 2
Signing up for an OAuth 2 application
Enabling OAuth authentication with Spring Security
Additional required dependencies
Configuring OAuth 2 support in Spring Security
Local UserConnectionRepository
Creating local database entries for provider details
The custom UserConnectionRepository interface
The ConnectionSignup flow
Executing the OAuth 2 provider connection workflow
Adding OAuth 2 users
OAuth 2 controller sign-in flow
Automatic user authentication
Additional OAuth 2 providers
The OAuth 2 user registration problem
Registering non-standard OAuth 2 providers
Is OAuth 2 secure?
Summary
Single Sign-On with the Central Authentication Service
Introducing the Central Authentication Service
High-level CAS authentication flow
Spring Security and CAS
Required dependencies
Installing and configuring CAS
Configuring basic CAS integration
Creating the CAS ServiceProperties object
Adding the CasAuthenticationEntryPoint object
Enabling CAS ticket verification
Proving authenticity with the CasAuthenticationProvider object
Single logout
Configuring single logout
Clustered environments
Proxy ticket authentication for stateless services
Configuring proxy ticket authentication
Using proxy tickets
Authenticating proxy tickets
Customizing the CAS server
CAS WAR overlay
How does the CAS internal authentication work?
Configuring CAS to connect to our embedded LDAP server
Getting the UserDetails object from a CAS assertion
Returning LDAP attributes in the CAS response
Mapping LDAP attributes to CAS attributes
Authorizing CAS services to access custom attributes
Acquiring a UserDetails from CAS
The GrantedAuthorityFromAssertionAttributesUser object
Alternative ticket authentication using SAML 1.1
How is attribute retrieval useful?
Additional CAS capabilities
Summary
Fine-Grained Access Control
Gradle dependencies
Integrating Spring Expression Language (SpEL)
The WebSecurityExpressionRoot class
Using the request attribute
Using the hasIpAddress method
The MethodSecurityExpressionRoot class
Page-level authorization
Conditional rendering with the Thymeleaf Spring Security tag library
Conditional rendering based on URL access rules
Conditional rendering using SpEL
Using controller logic to conditionally render content
The WebInvocationPrivilegeEvaluator class
What is the best way to configure in-page authorization?
Method-level security
Why do we secure in layers?
Securing the business tier
Adding the @PreAuthorize method annotation
Instructing Spring Security to use method annotations
Validating method security
Interface-based proxies
JSR-250 compliant standardized rules
Method security using Spring's @Secured annotation
Method security rules incorporating method parameters
Method security rules incorporating returned values
Securing method data using role-based filtering
Prefiltering collections with @PreFilter
Comparing method authorization types
Practical considerations for annotation-based security
Summary
Access Control Lists
The conceptual module of ACL
Access control lists in Spring Security
Basic configuration of Spring Security ACL support
Gradle dependencies
Defining a simple target scenario
Adding ACL tables to the H2 database
Configuring SecurityExpressionHandler
The AclPermissionCacheOptimizer object
Optimizing AclPermission Cache
The JdbcMutableAclService object
The BasicLookupStrategy class
Querying with the lowest common denominator
EhCacheBasedAclCache
The ConsoleAuditLogger class
The AclAuthorizationStrategyImpl interface
Creating a simple ACL entry
Advanced ACL topics
How permissions work
The custom ACL permission declaration
Enabling ACL permission evaluation
Mutable ACLs and authorization
Adding ACLs to newly created events
Considerations for a typical ACL deployment
ACL scalability and performance modeling
Do not discount custom development costs
Should I use Spring Security ACL?
Summary
Custom Authorization
Authorizing the requests
Configuration of access decision aggregation
Configuring a UnanimousBased access decision manager
Expression-based request authorization
Customizing request authorization
Dynamically defining access control to URLs
Configuring the RequestConfigMappingService
Custom SecurityMetadataSource implementation
Registering a custom SecurityMetadataSource
Removing our antMatchers() method
Creating a custom expression
Configuring a custom SecurityExpressionRoot
Configuring a custom SecurityExpressionHandler
Configuring and using CustomWebSecurityExpressionHandler
Alternative to a CustomWebSecurityExpressionHandler
How does method security work?
Creating a custom PermissionEvaluator
CalendarPermissionEvaluator
Configuring CalendarPermissionEvaluator
Securing our CalendarService
Benefits of a custom PermissionEvaluator
Summary
Session Management
Configuring session fixation protection
Understanding session fixation attacks
Preventing session fixation attacks with Spring Security
Simulating a session fixation attack
Comparing the session-fixation-protection options
Restricting the number of concurrent sessions per user
Configuring concurrent session control
Understanding concurrent session control
Testing concurrent session control
Configuring expired session redirect
Common problems with concurrency control
Preventing authentication instead of forcing logout
Other benefits of concurrent session control
Displaying active sessions for a user
How does Spring Security use the HttpSession method?
The HttpSessionSecurityContextRepository interface
Configuring how Spring Security uses HttpSession
Debugging with Spring Security's DebugFilter
Summary
Additional Spring Security Features
Security vulnerabilities
Cross-Site Scripting
Cross-Site Request Forgery
Synchronizer tokens
Synchronizer token support in Spring Security
When to use CSRF protection
CSRF protection and JSON
CSRF and stateless browser applications
Using Spring Security CSRF protection
Using proper HTTP verbs
Configuring CSRF protection
Default CSRF support
Including the CSRF token in the <Form> submissions
Including the CSRF token using the Spring Security JSP tag library
Default CSRF token support
Ajax and JSON requests
The csrfMetaTags tag
jQuery usage
Using the cujoJS's rest.js module
CSRF caveats
Timeouts
Logging in
Logging out
Security HTTP response headers
Default security headers
Cache-Control
Content-Type Options
HTTP Strict Transport Security
X-Frame-Options
Custom Headers
Static headers
The HeadersWriter instance
The DelegatingRequestMatcherHeaderWriter class
Summary
Migration to Spring Security 4.2
Introduction
Sample migration
Enhancements in Spring Security 4.2
Web improvements
Spring Security Configuration improvements
Miscellaneous changes in Spring Security 4.x
Changes to configuration in Spring Security 4
Deprecations
The spring-security-core deprecations
org.springframework.security.access.SecurityConfig
UserDetailsServiceWrapper
UserDetailsWrapper
AbstractAccessDecisionManager
AuthenticationException
AnonymousAuthenticationProvider
AuthenticationDetailsSourceImpl
ProviderManager
RememberMeAuthenticationProvider
GrantedAuthorityImpl
InMemoryDaoImpl
The spring-security-web deprecations
FilterChainProxy
ExceptionTranslationFilter
AbstractAuthenticationProcessingFilter
AnonymousAuthenticationFilter
LoginUrlAuthenticationEntryPoint
PreAuthenticatedGrantedAuthoritiesUserDetailsService
AbstractRememberMeServices
PersistentTokenBasedRememberMeServices
RememberMeAuthenticationFilter
TokenBasedRememberMeServices
ConcurrentSessionControlStrategy
SessionFixationProtectionStrategy
BasicAuthenticationFilter
SecurityContextPersistenceFilter
RequestCacheAwareFilter
ConcurrentSessionFilter
SessionManagementFilter
RequestMatcher
WebSecurityExpressionHandler
@AuthenticationPrincipal
Migrating default filter URLs
JAAS
Summary
Microservice Security with OAuth 2 and JSON Web Tokens
What are microservices?
Monoliths
Microservices
Service-oriented architectures
Microservice security
Service communication
Tight coupling
Technical complexity
The OAuth 2 specification
Access tokens
Access token
Refresh token
Grant types
Authorization code
Implicit
Password credentials
Client credentials
JSON Web Tokens
Token structure
Encoded JWT
Header
Payload
Signature
OAuth 2 support in Spring Security
Resource owner
Resource server
Authorization server
RSA JWT access token converter keypair
OAuth 2 resource configuration properties
OAuth 2 client configuration properties
JWT access token converter
The UserDetailsService object
Running the OAuth 2 server application
Server requests
Token requests
Microservices client
Configuring the OAuth 2 client
Summary
Additional Reference Material
Getting started with the JBCP calendar sample code
Gradle Build Tool
Gradle IDE plugins
IntelliJ IDEA
Spring Tool Suite or Eclipse
Creating a new workspace
A sample code structure
Importing the samples
Running the samples
Starting the samples within IDEA
Gradle tasks
Starting the samples within STS
Using HTTPS within STS
HTTPS setup in Tomcat
Generating a server certificate
Configuring Tomcat connector to use SSL
Basic Tomcat SSL termination guide
Supplementary materials