In the previous chapter, you learned about ORM and understood the various properties of Hibernate. We also learned how to use HQL and HCQL to query persistent objects.
In this chapter, we will first try to understand what Spring Security is. Then, we will look into the dependencies needed for Spring Security. We will take a look at authentication and authorization in Spring Security. Next, we will do a quick review of the Servlet filter in web applications and also understand how Spring Security depends on this filter mechanism. We will discuss how to secure web applications using filters, along with the Spring interceptor and filter concepts in Spring Security. Then, we will see two important components of Spring Security, that is, the authentication manager and the authentication provider. We will also see different ways of logging into web applications, such as HTTP basic authentication, form-based login services, anonymous login, and the Remember Me support in Spring Security. We will also discuss authentication and authorization against databases. Then, we will implement method-level security.
The list of topics covered in this chapter is as follows:
Security for a web application is nothing but protecting resources and allowing only specific users to access them. Spring Security should not be mistaken for a firewall, a proxy server, an intrusion detection system, JVM security, or anything similar. Spring Security is basically made for Java EE enterprise software applications and is primarily targeted towards Spring-framework-based web applications.
The Spring Security framework initially started as Acegi Security Framework, which was later adopted by Spring as its subproject Spring Security. The Spring Security framework is a de facto standard to secure Spring-based applications. The Spring Security framework provides security services for enterprise Java software applications by handling authentication and authorization. Spring Security handles authentication and authorization at both the web request level and the method invocation level. Spring Security is a highly customizable and powerful authentication and access control framework.
The two major operations provided by Spring Security are authentication and authorization.
In web-based applications, this is often done through URL-based security and is implemented using filters that play a primary role in securing the Spring web application.
Sometimes, URL-based security is not enough for web applications, as URLs can be manipulated and may use relative paths. Let's take an example of HrPayrollSystem, where HR and managers are involved, and there is an employees list page. On this employees list page, there is a Delete button for each employee. The Delete button contains a hyperlink to a delete method call in the controller class. This button appears for HR but is hidden for managers. Even though the manager doesn't see the Delete button, the delete method can still be called by altering the URL in the browser. This results in a delete operation by the manager, which shouldn't have happened.
So, Spring Security also provides method-level security. An authenticated user will only be able to invoke those methods for which they have been granted permission, regardless of how the request reached the method.
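The following is an added example (not code from the book) of the method-level guard that closes the gap in the HrPayrollSystem scenario above; the role name HR, the EmployeeService bean and the URL pattern are assumptions for illustration.

```java
// Added example: method-level security for the HrPayrollSystem delete scenario.
// Assumed names: EmployeeService, EmployeeController, role HR (authority ROLE_HR).
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// Switch on @PreAuthorize/@PostAuthorize processing for all Spring-managed beans.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

@Service
class EmployeeService {
    // Hiding the Delete button in the view only protects the UI. This check runs on
    // every invocation, including one reached by typing the delete URL directly.
    // hasRole('HR') matches the granted authority ROLE_HR (prefix added automatically).
    @PreAuthorize("hasRole('HR')")
    public void deleteEmployee(long employeeId) {
        // persistence call omitted; only the access check matters for this example
    }
}

@Controller
class EmployeeController {
    private final EmployeeService employeeService;

    EmployeeController(EmployeeService employeeService) {
        this.employeeService = employeeService;
    }

    // The hyperlink behind the Delete button points here. A manager who alters the
    // URL still reaches this handler, but the service call below throws
    // AccessDeniedException, which Spring Security turns into an HTTP 403 response.
    @RequestMapping(value = "/employees/delete/{id}", method = RequestMethod.GET)
    public String delete(@PathVariable("id") long id) {
        employeeService.deleteEmployee(id);
        return "redirect:/employees";
    }
}
```

Placing the annotation on the service method rather than only on the controller means any other caller of deleteEmployee (a scheduled job, another controller) is covered by the same rule.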