You're reading from Spring Security - Third Edition

Product typeBook

Published inNov 2017

Reading LevelIntermediate

PublisherPackt

ISBN-139781787129511

Edition3rd Edition

Languages

Java

Tools

Spring

Concepts

Cybersecurity

Authors (3):

Mick Knutson

Peter Mularien

ROBERT WILLIAM WINCH

View More author details

JDBC-Based Authentication

In the previous chapter, we saw how we can extend Spring Security to utilize our CalendarDao interface and our existing domain model to authenticate users. In this chapter, we will see how we can use Spring Security's built-in JDBC support. To keep things simple, this chapter's sample code is based on our Spring Security setup from Chapter 2, Getting Started with Spring Security. In this chapter, we will cover the following topics:

Using Spring Security's built-in JDBC-based authentication support
Utilizing Spring Security's group-based authorization to make administering users easier
Learning how to use Spring Security's UserDetailsManager interface
Configuring Spring Security to utilize the existing CalendarUser schema to authenticate users
Learning how we can secure passwords using Spring Security's new cryptography module...

Required dependencies

Our application has already defined all the necessary dependencies required for this chapter. However, if you are using Spring Security's JDBC support, you are likely going to want the following dependencies listed in your build.gradle file. It is important to highlight that the JDBC driver that you will use will depend on which database you are using. Consult your database vendor's documentation for details on which driver is needed for your database.

Remember that all the Spring versions need to match, and all Spring Security versions need to match (this includes transitive dependency versions). If you are having difficulty getting this to work in your own application, you may want to define the dependency management section in build.gradle to enforce this, as shown in Chapter 2, Getting Started with Spring Security. As previously mentioned, you...

Using the H2 database

The first portion of this exercise involves setting up an instance of the Java-based H2 relational database, populated with the Spring Security default schema. We'll configure H2 to run in memory using Spring's EmbeddedDatabase configuration feature—a significantly simpler method of configuration than
setting up the database by hand. You can find additional information on the H2 website at http://www.h2database.com/.

Keep in mind that in our sample application, we'll primarily use H2 due to its ease of setup. Spring Security will work with any database that supports ANSI SQL out of the box. We encourage you to tweak the configuration and use the database of your preference if you're following along with the examples. As we didn't want this portion of the book to focus on the complexities of database setup, we chose convenience...

The default user schema of Spring Security

Let's take a look at each of the SQL files used to initialize the database. The first script we added contains the default Spring Security schema definition for users and their authorities. The following script has been adapted from Spring Security's Reference, which is listed in the Appendix, Additional Reference Material to have explicitly named constraints, to make troubleshooting easier:

    //src/main/resources/database/h2/security-schema.sql

    create table users(
       username varchar(256) not null primary key,
       password varchar(256) not null,
       enabled boolean not null
    );
    create table authorities (
       username varchar(256) not null,
       authority varchar(256) not null,
       constraint fk_authorities_users
           foreign key(username) references users(username)
    );
    create unique index ix_auth_username...

The UserDetailsManager interface

We have already leveraged the InMemoryUserDetailsManager class in Spring Security in Chapter 3, Custom Authentication, to look up the current CalendarUser application in our SpringSecurityUserContext implementation of UserContext. This allowed us to determine which CalendarUser should be used when looking up the events for the My Events page. Chapter 3, Custom Authentication, also demonstrated how to update the DefaultCalendarService.java file to utilize InMemoryUserDetailsManager, to ensure that we created a new Spring Security user when we created CalendarUser. This chapter reuses exactly the same code. The only difference is that the UserDetailsManager implementation is backed by the JdbcUserDetailsManager class of Spring Security, which uses a database instead of an in-memory datastore.

What other features does UserDetailsManager provide out...

Support for a custom schema

It's common for new users of Spring Security to begin their experience by adapting the JDBC user, group, or role mapping to an existing schema. Even though a legacy database doesn't conform to the expected Spring Security schema, we can still configure JdbcDaoImpl to map to it.

We will now update Spring Security's JDBC support to use our existing CalendarUser database along with a new calendar_authorities table.

We can easily change the configuration of JdbcUserDetailsManager to utilize this schema and override Spring Security's expected table definitions and columns, which we're using for the JBCP calendar application.

Determining the correct JDBC SQL queries

The JdbcUserDetailsManager...

Configuring secure passwords

You might recall from the security audit in Chapter 1, Anatomy of an Unsafe Application, that the security of passwords stored in cleartext was a top priority of the auditors. In fact, in any secured system, password security is a critical aspect of trust and authoritativeness of an authenticated principal. Designers of a fully secured system must ensure that passwords are stored in a way in which malicious users would have an impractically difficult time compromising them.

The following general rules should be applied to passwords stored in a database:

Passwords must not be stored in cleartext (plaintext)
Passwords supplied by the user must be compared to the recorded passwords in the database
A user's password should not be supplied to the user upon demand (even if the user forgets it)

For the purposes of most applications, the best fit for...

The PasswordEncoder method

Password hashing in Spring Security is encapsulated and defined by implementations of the o.s.s.authentication.encoding.PasswordEncoder interface. The simple configuration of a password encoder is possible through the passwordEncoder() method within the AuthenticationManagerBuilder element, as follows:

    auth
       .jdbcAuthentication()
       .dataSource(dataSource)
       .usersByUsernameQuery(CUSTOM_USERS_BY_USERNAME_QUERY)
       .authoritiesByUsernameQuery(CUSTOM_AUTHORITIES_BY_USERNAME_QUERY)
       .passwordEncoder(passwordEncoder());

You'll be happy to learn that Spring Security ships with a number of implementations of passwordEncoder, which are applicable for different needs and security requirements.

The following table provides a list of the out-of-the-box implementation classes and their benefits. Note that all implementations reside...

Using salt in Spring Security

Spring Security 3.1 provides a new cryptography module that is included in the spring-security-core module and is available separately in spring-security-crypto. The crypto module contains its own o.s.s.crypto.password.PasswordEncoder interface. In fact, using this interface is the preferred method for encoding passwords, because it will salt passwords using a random salt. At the time of this writing, there are the following three implementations of o.s.s.crypto.password.PasswordEncoder:

Class	Description
`o.s.s.crypto.bcrypt.BCryptPasswordEncoder`	This class uses the `bcrypt` hashing function. It supports `salt` and the ability to slow down to perform over time as technology improves. This helps protect against brute-force search attacks.
`o.s.s.crypto.password.NoOpPasswordEncoder`	This class does no encoding (it returns the password in...

Trying out the salted passwords

Start up the application and try creating another user with the password user1. Use the H2 console to compare the new user's password, and observe that they are different.

Your code should now look like this: calendar04.05-calendar.

Spring Security now generates a random salt and combines this with the password before hashing our password. It then adds the random salt to the beginning of the password in plaintext, so that passwords can be checked. The stored password can be summarized as follows:

    salt = randomsalt()
    hash = hash(salt+originalPassword)
    storedPassword = salt + hash

This is the pseudocode for hashing a newly created password.

To authenticate a user, salt and hash can be extracted from the stored password, since both salt and hash are fixed lengths. Then, the extracted hash can be compared against a new hash, computed...

Summary

In this chapter, we learned how to use Spring Security's built-in JDBC support. Specifically, we have learned that Spring Security provides a default schema for new applications. We also explored how to implement GBAC and how it can make managing users easier.
We also learned how to integrate Spring Security's JDBC support with an existing database and also how to secure our passwords by hashing them and using a randomly-generated salt.

In the next chapter, we will explore the Spring Data project and how to configure Spring Security to use object-relational mapping (ORM) to connect to an RDBMS, as well as a document database.

The rest of the chapter is locked

You have been reading a chapter from

Spring Security - Third Edition

Published in: Nov 2017Publisher: PacktISBN-13: 9781787129511

A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.

undefined

Unlock this book and the full library FREE for 7 days

Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of

Start free trial

Renews at $15.99/month. Cancel anytime

Authors (3)

Mick Knutson

With nearly two decades of experience working in the IT industry in various roles as Enterprise technology consultant, Java Architect, project leader, Engineer, Designer and Developer, Mr. Knutson has gained a wide variety of experience in disciplines including JavaEE, Web Services, Mobile Computing and Enterprise Integration Solutions. Over the course of his career, Mr. Knutson has enjoyed long lasting partnerships with many of the most recognizable names in the Health Care, Financial, Banking, Insurance, Manufacturing, Telecommunications, Utilities, Product Distribution, Industrial and Electronics industries employing industry standard full software life cycle methodologies including the Rational Unified Process (RUP), Agile, SCRUM, and Extreme Programming (XP). Mr. Knutson has also undertaken speaking engagements, training seminars, white paper and book publishing engagements world-wide. As an active Blogger and tweeter, Mr. Knutson has also been inducted in the prestigious DZone.com Most Valuable Blogger (MVB) group and can be followed at http://www.dzone.com/page/mvbs, http://www.dzone.com/users/mickknutson and twitter at http://twitter.com/mickknutson.
Read more about Mick Knutson

Peter Mularien

Peter Mularien is an experienced software architect and engineer, and the author of the book Spring Security 3, Packt Publishing. Peter currently works for a large financial services company and has over 12 years consulting and product experience in Java, Spring, Oracle, and many other enterprise technologies. He is also the reviewer of this book.
Read more about Peter Mularien

ROBERT WILLIAM WINCH

Other recommended products

Related to this chapter

Hands-On Spring Security 5 for Reactive Applications

Security is one of the most vital concerns for any organization. The complexity of an application is compounded when you need to integrate security with existing code, new technology, and other frameworks. This book will show you how to effectively write Java code that is robust and easy to maintain.

BookJul 2018268 pages

OAuth 2.0 Cookbook

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications.

BookOct 2017420 pages

Spring Boot 2.0 Projects

Spring is one of the best tools to develop web, enterprise, and cloud ready software in the market. The goal of Spring Boot is to provide a set of tools for building Spring applications that run production-grade based applications. This book will teach you features of Spring Boot 2.0 by building interesting real-world projects.

BookJul 2018336 pages

Spring 5.0 Cookbook

The upcoming version of the Spring Framework has a lot to offer, above and beyond the platform upgrade to Java 9, and this book will show you all you need to know to overcome the common to advanced problems you might face while developing in Spring 5.0.

BookSep 2017670 pages

Spring 5.0 Projects

Spring makes it simple to create RESTful applications, interact with social services, communicate with modern databases, secure your system, and make your code modular and easy to test. This book will show you how to build various projects in Spring 5.0, using its various features as well as third party tools.

BookFeb 2019442 pages

Mastering Spring 5

Spring 5.1 is the latest new release of the widely used Spring framework and consists a myriad of exciting new features that has changed the way the framework is used. Mastering Spring 5 shows you this evolution - from solving the problems of developing testable applications to building distributed applications on the cloud.

BookJul 2019598 pages

Learning Spring 5.0

Spring is the most widely used framework for Java programming and with its latest update to 5.0, the framework is undergoing massive changes. Built to work with both Java 8 and Java 9, This book will teach you to simplify the way you write code, while still being able to create robust, enterprise applications using Spring 5.0.

BookJun 2017422 pages

Spring Boot 2 Fundamentals

Through the Spring Boot Fundamentals book, you will learn how the Spring Framework works and how it helps you to get the job done. You will be able to build a new application from scratch for desktops and mobiles. Your application will persist data in a relational database and provide users a rich user experience using HTML or a RESTful API for JavaScript.

BookNov 2018288 pages

Mastering Spring 5.0

Spring 5.0 is due to arrive with a myriad of new and exciting features that will change the way we’ve used the framework so far. This book will show you this evolution—from solving the problems of testable applications to building distributed applications on the Cloud.

BookJun 2017496 pages

Keycloak - Identity and Access Management for Modern Applications

This book is your guide to learning how to install, configure, and manage Keycloak optimally for securing your applications. With the help of easy-to-follow examples, you will gain a complete understanding of Keycloak's various features and how to enable authentication and authorization in applications using it.

BookJun 2021362 pages

Learning Spring Boot 2.0

Spring Boot provides a variety of features that address today’s business needs with a powerful database and state of the art MVC framework. This practical guide will help you get up and running with all the latest features of Spring Boot.

BookNov 2017370 pages

Hands-On High Performance with Spring 5

Spring 5.0 brings major advancements in the rich APIs provided by the Spring framework and thus creates a need for developers to master its tools and techniques to achieve high-performing applications. This book will help you improve the speed of your code and optimize the performance of your apps.

BookJun 2018408 pages

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages