Search icon Close icon
Search icon
Subscription
0
Cart icon
Close icon
You have no products in your basket yet
Arrow left icon
All Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletters
Free Learning
Arrow right icon
Spring Security - Third Edition

You're reading from  Spring Security - Third Edition

Product type Book
Published in Nov 2017
Publisher Packt
ISBN-13 9781787129511
Pages 542 pages
Edition 3rd Edition
Languages
Concepts
Authors (3):
Mick Knutson Mick Knutson
Profile icon Mick Knutson
LinkedIn
With nearly two decades of experience working in the IT industry in various roles as Enterprise technology consultant, Java Architect, project leader, Engineer, Designer and Developer, Mr. Knutson has gained a wide variety of experience in disciplines including JavaEE, Web Services, Mobile Computing and Enterprise Integration Solutions. Over the course of his career, Mr. Knutson has enjoyed long lasting partnerships with many of the most recognizable names in the Health Care, Financial, Banking, Insurance, Manufacturing, Telecommunications, Utilities, Product Distribution, Industrial and Electronics industries employing industry standard full software life cycle methodologies including the Rational Unified Process (RUP), Agile, SCRUM, and Extreme Programming (XP). Mr. Knutson has also undertaken speaking engagements, training seminars, white paper and book publishing engagements world-wide. As an active Blogger and tweeter, Mr. Knutson has also been inducted in the prestigious DZone.com Most Valuable Blogger (MVB) group and can be followed at http://www.dzone.com/page/mvbs, http://www.dzone.com/users/mickknutson and twitter at http://twitter.com/mickknutson.
See other products by Mick Knutson
Peter Mularien Peter Mularien
Profile icon Peter Mularien
LinkedIn
Peter Mularien is an experienced software architect and engineer, and the author of the book Spring Security 3, Packt Publishing. Peter currently works for a large financial services company and has over 12 years consulting and product experience in Java, Spring, Oracle, and many other enterprise technologies. He is also the reviewer of this book.
See other products by Peter Mularien
ROBERT WILLIAM WINCH ROBERT WILLIAM WINCH
Profile icon ROBERT WILLIAM WINCH
LinkedIn
See other products by ROBERT WILLIAM WINCH
View More author details

Table of Contents (19) Chapters

Preface 1. Anatomy of an Unsafe Application 2. Getting Started with Spring Security 3. Custom Authentication 4. JDBC-Based Authentication 5. Authentication with Spring Data 6. LDAP Directory Services 7. Remember-Me Services 8. Client Certificate Authentication with TLS 9. Opening up to OAuth 2 10. Single Sign-On with the Central Authentication Service 11. Fine-Grained Access Control 12. Access Control Lists 13. Custom Authorization 14. Session Management 15. Additional Spring Security Features 16. Migration to Spring Security 4.2 17. Microservice Security with OAuth 2 and JSON Web Tokens 18. Additional Reference Material

Session Management

This chapter discusses Spring Security's session management functionality. It starts off with an example of how Spring Security defends against session fixation. We will then discuss how concurrency control can be leveraged to restrict access to software licensed on a per-user basis. We will also see how session management can be leveraged for administrative functions. Last, we will explore how HttpSession is used in Spring Security and how we can control its creation.

The following is a list of topics that will be covered in this chapter:

  • Session management/session fixation
  • Concurrency control
  • Managing logged in users
  • How HttpSession is used in Spring Security and how to control creation
  • How to use the DebugFilter class to discover where HttpSession was created

Configuring session fixation protection

As we are using the security namespace style of configuration, session fixation protection is already configured on our behalf. If we wanted to explicitly configure it to mirror the default settings, we would do the following:

    http.sessionManagement()
    .sessionFixation().migrateSession();

Session fixation protection is a feature of the framework that you most likely won't even notice unless you try to act as a malicious user. We'll show you how to simulate a session-stealing attack; before we do, it's important to understand what session fixation does and the type of attack it prevents.

Understanding session fixation attacks

Session fixation is a type of attack whereby...

Restricting the number of concurrent sessions per user

In the software industry, software is often sold on a per-user basis. This means that, as software developers, we have an interest in ensuring that only a single session per user exists, to combat the sharing of accounts. Spring Security's concurrent session control ensures that a single user cannot have more than a fixed number of active sessions simultaneously (typically one). Ensuring that this maximum limit is enforced involves several components working in tandem to accurately track changes in user session activity.

Let's configure the feature, review how it works, and then test it out!

Configuring concurrent session control

Now that we have understood the...

Configuring expired session redirect

Fortunately, there is a simple method for directing users to a friendly page (typically the login page) when they are flagged by concurrent session control—simply specify the expired-url attribute and set it to a valid page in your application. Update your security.xml file as follows:

    //src/main/java/com/packtpub/springsecurity/configuration/SecurityConfig.java

    http.sessionManagement()
    .maximumSessions(1)
     .expiredUrl("/login/form?expired")
    ;

In the case of our application, this will redirect the user to the standard login form. We will then use the query parameter to display a friendly message indicating that we determined that they had multiple active sessions, and should log in again. Update your login.html page to use this parameter to display our message:

    //src/main/resources/templates/login.html

 ...

Common problems with concurrency control

There are a few common reasons that logging in with the same user does not trigger a logout event. The first occurs when using custom UserDetails (as we did in Chapter 3, Custom Authentication) while the equals and hashCode methods are not properly implemented. This occurs because the default SessionRegistry implementation uses an in-memory map to store UserDetails. In order to resolve this, you must ensure that you have properly implemented the hashCode and equals methods.

The second problem occurs when restarting the application container while the user sessions are persisted to a disk. When the container has started back up, the users who were already logged in with a valid session are logged in. However, the in-memory map of SessionRegistry that is used to determine if the user is already logged in will be empty. This means that Spring...

Other benefits of concurrent session control

Another benefit of concurrent session control is that SessionRegistry exists to track active (and, optionally, expired) sessions. This means that we can get runtime information about what user activity exists in our system (for authenticated users, at least) by performing the following steps:

  1. You can even do this if you don't want to enable concurrent session control. Simply set maximumSessions to -1, and session tracking will remain enabled, even though no maximum will be enforced. Instead, we will use the explicit bean configuration provided in the SessionConfig.java file of this chapter, as follows:
        //src/main/java/com/packtpub/springsecurity/configuration/
        SessionConfig.java

        @Bean
        public SessionRegistry sessionRegistry(){
         return new SessionRegistryImpl();
        }
  1. We have already added...

Displaying active sessions for a user

You've probably seen how many websites allow a user to view and forcibly log out sessions for their account. We can easily use this forcible logout functionality to do the same. We have already provided UserSessionController, which obtains the active sessions for the currently logged in user. You can see the implementation as follows:

    //src/main/java/com/packtpub/springsecurity/web/controllers/
    UserSessionController.java

    @Controller
    public class UserSessionController {
     private final SessionRegistry sessionRegistry;
    @Autowired
     public UserSessionController(SessionRegistry sessionRegistry) {
      this.sessionRegistry = sessionRegistry;
    }
      @GetMapping("/user/sessions/")
    public String sessions(Authentication authentication, ModelMap model) {
    List<SessionInformation> sessions = sessionRegistry...

Summary

After reading this chapter, you should be familiar with how Spring Security manages sessions and protects against session fixation attacks. We also know how to use Spring Security's concurrency control to prevent the same user from being authenticated multiple times.

We also explored the utilization of concurrency control to allow a user to terminate sessions associated with their account. Also, we saw how to configure Spring Security's creation of sessions. We also covered how to use Spring Security's DebugFilter filter to troubleshoot issues related to Spring.

We also learned about security, including determining when a HttpSession method was created and what caused it to be created.

This concludes our discussion about Spring Security's session management. In the next chapter, we will discuss some specifics about integrating Spring Security with other...

lock icon The rest of the chapter is locked
arrow left Previous Chapter
Chapter 1 of 19
Next Chapter arrow right
You have been reading a chapter from
Spring Security - Third Edition
Published in: Nov 2017 Publisher: Packt ISBN-13: 9781787129511
© 2017 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime}

Authors (3)

Left arrow icon
Profile icon Mick Knutson
LinkedIn
With nearly two decades of experience working in the IT industry in various roles as Enterprise technology consultant, Java Architect, project leader, Engineer, Designer and Developer, Mr. Knutson has gained a wide variety of experience in disciplines including JavaEE, Web Services, Mobile Computing and Enterprise Integration Solutions. Over the course of his career, Mr. Knutson has enjoyed long lasting partnerships with many of the most recognizable names in the Health Care, Financial, Banking, Insurance, Manufacturing, Telecommunications, Utilities, Product Distribution, Industrial and Electronics industries employing industry standard full software life cycle methodologies including the Rational Unified Process (RUP), Agile, SCRUM, and Extreme Programming (XP). Mr. Knutson has also undertaken speaking engagements, training seminars, white paper and book publishing engagements world-wide. As an active Blogger and tweeter, Mr. Knutson has also been inducted in the prestigious DZone.com Most Valuable Blogger (MVB) group and can be followed at http://www.dzone.com/page/mvbs, http://www.dzone.com/users/mickknutson and twitter at http://twitter.com/mickknutson.
Read more
See other products by Mick Knutson
Profile icon Peter Mularien
LinkedIn
Peter Mularien is an experienced software architect and engineer, and the author of the book Spring Security 3, Packt Publishing. Peter currently works for a large financial services company and has over 12 years consulting and product experience in Java, Spring, Oracle, and many other enterprise technologies. He is also the reviewer of this book.
See other products by Peter Mularien
Profile icon ROBERT WILLIAM WINCH
LinkedIn
See other products by ROBERT WILLIAM WINCH
Right arrow icon

Other recommended products

Related to this chapter
Left arrow icon
Hands-On Spring Security 5 for Reactive Applications
Hands-On Spring Security 5 for Reactive Applications
Security is one of the most vital concerns for any organization. The complexity of an application is compounded when you need to integrate security with existing code, new technology, and other frameworks. This book will show you how to effectively write Java code that is robust and easy to maintain.
Jul 2018 8 hours 56 minutes
OAuth 2.0 Cookbook
OAuth 2.0 Cookbook
OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications.
Oct 2017 14 hours 0 minutes
Spring Boot 2.0 Projects
Spring Boot 2.0 Projects
Spring is one of the best tools to develop web, enterprise, and cloud ready software in the market. The goal of Spring Boot is to provide a set of tools for building Spring applications that run production-grade based applications. This book will teach you features of Spring Boot 2.0 by building interesting real-world projects.
Jul 2018 11 hours 12 minutes
Spring 5.0 Cookbook
Spring 5.0 Cookbook
The upcoming version of the Spring Framework has a lot to offer, above and beyond the platform upgrade to Java 9, and this book will show you all you need to know to overcome the common to advanced problems you might face while developing in Spring 5.0.
Sep 2017 22 hours 20 minutes
Spring 5.0 Projects
Spring 5.0 Projects
Spring makes it simple to create RESTful applications, interact with social services, communicate with modern databases, secure your system, and make your code modular and easy to test. This book will show you how to build various projects in Spring 5.0, using its various features as well as third party tools.
Feb 2019 14 hours 44 minutes
Mastering Spring 5
Mastering Spring 5
Spring 5.1 is the latest new release of the widely used Spring framework and consists a myriad of exciting new features that has changed the way the framework is used. Mastering Spring 5 shows you this evolution - from solving the problems of developing testable applications to building distributed applications on the cloud.
Jul 2019 19 hours 56 minutes
Learning Spring 5.0
Learning Spring 5.0
Spring is the most widely used framework for Java programming and with its latest update to 5.0, the framework is undergoing massive changes. Built to work with both Java 8 and Java 9, This book will teach you to simplify the way you write code, while still being able to create robust, enterprise applications using Spring 5.0.
Jun 2017 14 hours 4 minutes
Spring Boot 2 Fundamentals
Spring Boot 2 Fundamentals
Through the Spring Boot Fundamentals book, you will learn how the Spring Framework works and how it helps you to get the job done. You will be able to build a new application from scratch for desktops and mobiles. Your application will persist data in a relational database and provide users a rich user experience using HTML or a RESTful API for JavaScript.
Nov 2018 9 hours 36 minutes
Mastering Spring 5.0
Mastering Spring 5.0
Spring 5.0 is due to arrive with a myriad of new and exciting features that will change the way we’ve used the framework so far. This book will show you this evolution—from solving the problems of testable applications to building distributed applications on the Cloud.
Jun 2017 16 hours 32 minutes
Keycloak - Identity and Access Management for Modern Applications
Keycloak - Identity and Access Management for Modern Applications
This book is your guide to learning how to install, configure, and manage Keycloak optimally for securing your applications. With the help of easy-to-follow examples, you will gain a complete understanding of Keycloak's various features and how to enable authentication and authorization in applications using it.
Jun 2021 12 hours 4 minutes
Learning Spring Boot 2.0
Learning Spring Boot 2.0
Spring Boot provides a variety of features that address today’s business needs with a powerful database and state of the art MVC framework. This practical guide will help you get up and running with all the latest features of Spring Boot.
Nov 2017 12 hours 20 minutes
Hands-On High Performance with Spring 5
Hands-On High Performance with Spring 5
Spring 5.0 brings major advancements in the rich APIs provided by the Spring framework and thus creates a need for developers to master its tools and techniques to achieve high-performing applications. This book will help you improve the speed of your code and optimize the performance of your apps.
Jun 2018 13 hours 36 minutes
Right arrow icon

Personalised recommendations for you

Based on your interests and search pattern
Left arrow icon
Attacking and Exploiting Modern Web Applications
Attacking and Exploiting Modern Web Applications
Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.
Aug 2023 11 hours 16 minutes
Automotive Cybersecurity Engineering Handbook
Automotive Cybersecurity Engineering Handbook
This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.
Oct 2023 13 hours 4 minutes
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide
This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.
Aug 2023 16 hours 32 minutes
Cloud Penetration Testing for Red Teamers
Cloud Penetration Testing for Red Teamers
The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.
Nov 2023 9 hours 56 minutes
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.
Sep 2023 10 hours 32 minutes
Burp Suite Cookbook
Burp Suite Cookbook
Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.
Oct 2023 15 hours 0 minutes
Building and Automating Penetration Testing Labs in the Cloud
Building and Automating Penetration Testing Labs in the Cloud
This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.
Oct 2023 18 hours 44 minutes
Ethical Hacking Workshop
Ethical Hacking Workshop
As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.
Oct 2023 7 hours 20 minutes
Windows Forensics Analyst Field Guide
Windows Forensics Analyst Field Guide
This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.
Oct 2023 10 hours 36 minutes
Implementing DevSecOps Practices
Implementing DevSecOps Practices
This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.
Dec 2023 8 hours 36 minutes
Right arrow icon