Session Management in Spring Security

Bhavyasri
3 min read, Nov 8, 2020

Hello! What are you looking for? Is it "How do I make secure applications?" Then let's dive into this post for an overview of Spring Security, followed by session management and its implementation in Spring Boot.

Why Spring Security?

Spring Security is a framework that provides authentication and authorisation and protects against common web attacks such as session fixation and cross-site request forgery. It is the go-to choice for securing Spring-based applications.

How to implement Spring Security?

The basic elements of Spring Security are authentication, authorisation and a chain of servlet filters, such as UsernamePasswordAuthenticationFilter (which performs form-based authentication) and FilterSecurityInterceptor (which enforces access decisions and throws an exception when access is denied).

We don't call Spring Security's APIs directly; we add the Spring Security starter dependency to pom.xml like below.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

In a plain Spring MVC application, we need to register the security filter in web.xml and add further configuration in a security XML file to authenticate users. Implementing security in Spring Boot is much simpler.

First we create a security configuration class that extends WebSecurityConfigurerAdapter and overrides its configure methods, like below.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author Bhavyasri
 *
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory user for demonstration. Spring Security 5 requires an encoder id
        // prefix on stored passwords; {noop} marks this one as plain text.
        auth.inMemoryAuthentication().withUser("1234").password("{noop}1234").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Matchers are evaluated in order: permitAll() on "/**" matches every request,
        // so the anyRequest().authenticated() rule after it is never reached.
        http.authorizeRequests()
            .antMatchers("/**").permitAll()
            .anyRequest().authenticated();
    }
}

Session Management

Session management is a crucial part of Spring Security, because a session that is not managed properly can expose user data. To overcome these kinds of issues we need to handle session fixation and concurrent sessions.

a) Session Fixation Protection Strategy

Now I will describe a session fixation scenario in the most understandable way.

  1. Romeo opens an e-commerce site and a session ID is created for him.
  2. Romeo copies the site URL, which carries that session ID, and shares it with Julie.
  3. Julie opens the URL in her browser.
  4. In the same session, Julie enters her credentials and is authenticated within the session referenced by the session ID Romeo sent.
  5. Romeo can now also operate with Julie's credentials. Romeo may be an attacker and Julie the victim who loses her data.

To prevent this kind of attack Spring Security provides the session-fixation-protection attribute, so that a new session is created on login, or the existing session is migrated to a new one, depending on the value given to the attribute, like below.

XML based Configuration :

<session-management invalid-session-url="/login" session-fixation-protection="newSession">
</session-management>

Java Based Configuration :

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author Bhavyasri
 *
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Invalidate the pre-login session and create a fresh one on authentication.
        // The default (changeSessionId on Servlet 3.1+) keeps the attributes and only changes the id.
        http.sessionManagement().sessionFixation().newSession();
    }
}

b) Concurrent session

This means one user has more than one session at the same time. By default, Spring Security allows more than one session per user.

Requirements vary from application to application. We may require that when a user logs in, no other session for that user is allowed at the same time. To restrict multiple sessions we can configure it like below.

XML based Configuration :

<session-management invalid-session-url="/login">
    <concurrency-control max-sessions="1"/>
</session-management>

Java Based Configuration :

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author Bhavyasri
 *
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // At most one active session per user; by default a second login expires the
        // earlier session. Register an HttpSessionEventPublisher bean as well, so that
        // logouts and timeouts are reported to the session registry.
        http.sessionManagement().maximumSessions(1);
    }
}
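Putting both pieces together, here is a complete configuration that combines session fixation protection and concurrency control with the supporting beans they need. It is an added example, not code from the original post; it assumes Spring Boot 2 with the WebSecurityConfigurerAdapter API used above, and the class name, the demo user and the /session-expired path are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionHardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Needed by maximumSessions(): forwards session-destroyed events to the
    // SessionRegistry so logged-out or timed-out sessions stop counting as active.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // "demo"/"change-me" is a constructed sample user, stored encoded rather than in clear
        auth.inMemoryAuthentication()
            .withUser("demo").password(passwordEncoder().encode("change-me")).roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login", "/session-expired").permitAll()
                .anyRequest().authenticated()
            .and().formLogin()
            .and().sessionManagement()
                // a) session fixation: discard the pre-login session and issue a new id
                .sessionFixation().newSession()
                .invalidSessionUrl("/login")
                // b) concurrency: one session per user; the older one is expired by default
                // (add .maxSessionsPreventsLogin(true) to reject the second login instead)
                .maximumSessions(1)
                .expiredUrl("/session-expired");
    }
}
```

After logging in from two browsers with the same user, a request from the first browser is redirected to /session-expired, which is how to check that the registry is being updated.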
