Spring Security: Step by Step - encryption

I started on Spring a few months back and the Security topic seems the most complex to me. With Acegi moving into Spring I could not find a single tutorial that explains in a step-by-step way how to add security to a Spring app. Please help me. My requirements are as follows:
I have several roles in the application; they are not hierarchical roles (meaning Role A does not necessarily have all the roles of Role B, etc.).
I want to integrate it to use my own User table where I would store the username and the encrypted password (one-way encryption), and I want to use either Hibernate or any Spring inbuilt component (I read the class name JdbcDaoImpl somewhere, but have no clue how to use it) to access the DB data.
I probably don't want method-level security because I want to use Spring taglibs to selectively show/hide menu items; however, there should be a way to prohibit unauthorized users from accessing a page directly through its URL.
I don't want ready-made code (this tutorial, for example, confused me to hell, since it doesn't even have the Spring Security namespace declaration in security.xml); I would rather appreciate a step-by-step guide on how to achieve the above in a Spring 2.5/Hibernate 3 application using Spring Security.
Thanks for your time.

Well, without knowing what you've already read, here are the articles I used to first start. Note that a lot of the Acegi Security articles are still relevant; Spring Security uses almost all the concepts from Acegi - the only thing they really added was simplifying [some] configurations, like the auto-config for security situations that exactly fit their use case.
- Securing Java applications with Acegi
- Acegi Security Fundamentals
- Pathway from Acegi to Spring Security 2.0
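As an added example (not code from the question or the answer above), here is a minimal Spring Security 2.0 namespace configuration that covers the requirements listed in the question: non-hierarchical roles enforced per URL, and users plus one-way (salted SHA) password hashes read from your own tables through JdbcDaoImpl, which is what `<jdbc-user-service>` configures under the hood. The table names `app_user` and `user_role`, their column names, and the existing `dataSource` bean are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- security.xml: Spring Security 2.0 namespace configuration (added example; table and bean names assumed). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <!-- URL rules are evaluated top to bottom and the first match wins, so the most
       specific patterns come first and the catch-all "/**" comes last. Because the
       roles are not hierarchical, a URL open to several roles lists them all;
       the default voter grants access if the user holds any one of them. -->
  <security:http auto-config="true">
    <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <security:intercept-url pattern="/reports/**" access="ROLE_REPORTS,ROLE_ADMIN" />
    <security:intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />
    <security:form-login login-page="/login.jsp"
                         authentication-failure-url="/login.jsp?error=1" />
    <security:logout logout-success-url="/" />
  </security:http>

  <!-- Users come from your own tables (assumed: app_user(username, password, enabled)
       and user_role(username, role)). "dataSource" is your existing JDBC DataSource
       bean, e.g. the one your Hibernate SessionFactory already uses.
       Passwords are stored as SHA hashes salted with the username; when you create a
       user, hash with the same scheme (ShaPasswordEncoder.encodePassword(raw, username))
       so that the stored value and the login-time computation match. -->
  <security:authentication-provider>
    <security:password-encoder hash="sha">
      <security:salt-source user-property="username" />
    </security:password-encoder>
    <security:jdbc-user-service data-source-ref="dataSource"
        users-by-username-query="SELECT username, password, enabled FROM app_user WHERE username = ?"
        authorities-by-username-query="SELECT username, role FROM user_role WHERE username = ?" />
  </security:authentication-provider>

</beans>
```

In JSPs, the taglib `http://www.springframework.org/security/tags` gives you `<sec:authorize ifAnyGranted="ROLE_ADMIN">...</sec:authorize>` to hide menu items, but only the `intercept-url` rules above actually stop a direct URL request, so keep both in place.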

Related

Magnolia CMS and Keycloak (SSO) integration

How to integrate Magnolia CMS with Keycloak?
I need to have Single Sign-On with Keycloak, but haven't found a way (so far I have been examining the configuration documentation and wiki pages for Magnolia).
I'm very new to Magnolia, so this actually might be a noob question.
As a side note: this might not be the best starter task if you are very new. Consider getting training where authentication and its configuration are explained at length.
As for the task at hand, you would want to write your own authentication module and place it in the chain of JAAS modules Magnolia/Tomcat will evaluate when authenticating users.
There is a similar module, written a looong time ago for NTLM-based authentication, that you can take as a blueprint (assuming you are an enterprise customer and have access to the enterprise code) for what you want to achieve. Otherwise, there's only the stuff in the documentation that might help.
- NTLM Module
- General security documentation
Might be a frustrating starting experience, though.

Older/simpler security in ASP.NET than Identity/OWIN

Haven't done security in ASP.NET before. I need to secure an MVC site: simple username/password access for admin access to the site's logs and admin areas, not for general users.
Looked into Identity/OWIN, and it is, as of this writing, half-baked. There are multiple ways to do things, the docs are few or non-existent, and blogs discuss deprecated or alpha versions. The samples don't correspond to anything in the docs or blogs. In short, it's a mess.
Security is hard, so I want to use something that was written by an expert, works, and is tried-and-tested. Must be from Microsoft, not some third-party stuff.
So what security API came before Identity/OWIN, which works well and hasn't been compromised? They've released many, so I don't know which to use.
Forms Authentication with custom Membership and Role Providers was used for years and still can be used. SimpleMembership is something that tries to simplify the original provider model but sacrifices too much, in my opinion; plus it is still not that simple.
There are thousands of tutorials on Forms Authentication, and you should be able to start immediately. The Membership/Role Provider model is also extremely well documented.
In terms of correspondence:
- Membership/Role Providers correspond to the Identity API
- Forms Authentication corresponds to the OWIN security API
The predecessor to Identity/OWIN was SimpleMembership.
However, according to my question "What is MVC4 security all about?", SimpleMembership is an oxymoron.

How does Hot Towel deal with authentication & personalization?

I really like the concepts behind Hot Towel, and have viewed the course on Pluralsight a few times now to really get a good idea of what's going on.
One aspect of Hot Towel really eludes me: how can it be used for an application that demands different user roles? The topics of authentication and personalization aren't dealt with in the course, and there doesn't seem to be any easy way to accomplish this without modifying the framework itself.
I had the same question when I first watched the Pluralsight courses and started working on my application which needs to perform Authentication and Authorization.
It seems the problem is not specific to the Hot Towel template but is, in general, a problem when using Web API. A quick look at the ASP.NET overview for Web API provided much information (http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api). If you plug in your custom RoleProvider and ProfileProvider, that should allow you to re-use the Authorize() attribute.
Note that when working with REST and Web API, the API has to be stateless, and hence no Session is present. I found articles providing workarounds for getting the Session[] variable active but decided against using it. You can use an object cache to achieve the same results.
If the Authorize() attribute doesn't cut it for you, you can write your own Authorization Filter. This SO question can provide more information (though it focuses on preventing Cross-Site Request Forgery, the basic structure and how to use the filter are the same when doing custom AuthZ).
Since JavaScript code can be altered by the attacker on the browser end, relying on any protections provided in the application's JS is not sufficient, and providing the protection on the Web API layer is mandatory. Authentication and authorization boil down to protecting the Web API, and there is tons of information available on protecting external-facing web services that can be adapted to your scenario.

Spring MVC multi user application

I am developing a web application using Spring MVC. Since I am kind of done with the basic functionality, I was going to add user management. By this I mean that I have to extend the logic of the application to support several users. However, being new to Spring MVC, I am lost... How and where do I add session management? How do I change my controllers? Could anyone please suggest a good resource? Tutorials which I find on the Internet mainly deal with page access by using Spring Security. I need more than that. Thanks in advance!
This tutorial http://www.mkyong.com/spring-security/spring-security-form-login-using-database/ gives good step-by-step directions on how to use Spring Security with a database based on user roles. I am not sure exactly what more you want that needs to be directly addressed in your question. The good thing with Spring Security is that you don't need to change your controllers. It uses a simple XML configuration and is independent of the platform you use.

Security of SimpleMemberShip

I have a question. I am looking at the newly implemented Simple Membership Provider and it suits my needs out of the box. I am, however, a little concerned about this provider, as I am looking at creating a custom web application for myself and would like to know the security pros and cons of using it, and if there are any best practices for building a secure web application. Is Simple Membership secure? I am a noob when it comes to security.
I recommend not writing your own authentication and session management routines. Security is difficult and any flaws in your design or code could lead to exposure or breaches.
We have used Simple Membership in several web portals that handle PHI (protected health information). Our clients routinely audit our development methods and none so far have considered this a risk. Had we developed our own, they would raise a red flag.
You probably can get further by creating a library class of helper functions to add the features you feel are missing from existing providers, or subclass an existing provider (I don't think they are sealed/final).
In any case, your first step would be to draw up a list of features you want, check to see if an existing provider already does that (for example if you want an XML file provider, one exists on CodePlex), and if none do, either extend or write your own. If you write your own, you would want to make sure that there is another layer of security, like being on an intranet, or local access only or some other layer of defense.