Configuring Spring Security

To ensure the security of our application, we need to configure Spring Security correctly. In this section, we will discuss the different ways to configure Spring Security.

Configuring Spring Security as a Bean

Spring Security is configured in a bean that implements WebSecurityConfigurer or, more simply, extends WebSecurityConfigurerAdapter. Overriding the adapter's methods is how we customize the security settings for our application.

package spitter.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
@EnableWebMvcSecurity
// Enable Spring MVC security
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // ...
}

Configuring Web-Enabled Security Features

Web-enabled security features are the easiest to configure in Spring MVC: the configuration class extending WebSecurityConfigurerAdapter shown above, annotated with @EnableWebMvcSecurity, is all that is needed to switch them on.

Using the @EnableWebMvcSecurity Annotation

The @EnableWebMvcSecurity annotation also registers a Spring MVC argument resolver and a tag-library helper bean, which gives us two conveniences:

  • Handler methods can receive the currently authenticated user's principal as a parameter annotated with @AuthenticationPrincipal.
  • A bean is registered that automatically adds a hidden CSRF (cross-site request forgery) token field to every form defined with Spring's form tag library.

Overriding the WebSecurityConfigurerAdapter configure() Methods

The WebSecurityConfigurerAdapter class has a configure() method with three overloads; overriding them is how we customize Spring Security's filter chain. The three overloads are:

  • configure(WebSecurity): configures Spring Security's filter chain as a whole.
  • configure(HttpSecurity): configures how individual requests are intercepted and protected.
  • configure(AuthenticationManagerBuilder): configures the user details service (the user store).

Remaining Configuration Tasks

To meet the needs of our application, we still need to add a bit of configuration to Spring Security. Specifically, we need to:

  • Configure the user store.
  • Specify which requests require authentication and which do not.
  • Provide a custom login page in place of the default one.

Configuring the User Store

To configure the user store, we choose a user details service. Spring Security ships with in-memory and JDBC-backed stores, and for anything else we implement the UserDetailsService interface, which has a single method:

package org.springframework.security.core.userdetails;

public interface UserDetailsService {
    // Look up the account for the given username; the returned UserDetails carries
    // the stored password hash and granted authorities that Spring Security checks.
    UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}
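A custom user details service for the application's own Spitter accounts, added here as an illustration (it is not code from the original page). It assumes a Spitter entity with getUsername() and getPassword() and a SpitterRepository with findByUsername(String) returning null when no account exists.

```java
package spitter.security;

import java.util.Collections;

import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import spitter.Spitter;                 // assumed: has getUsername() and getPassword()
import spitter.data.SpitterRepository;  // assumed: findByUsername(String) returns null if absent

// Adapts the application's own Spitter accounts to the UserDetails contract.
public class SpitterUserDetailsService implements UserDetailsService {

    private final SpitterRepository spitterRepository;

    public SpitterUserDetailsService(SpitterRepository spitterRepository) {
        this.spitterRepository = spitterRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Spitter spitter = spitterRepository.findByUsername(username);
        if (spitter == null) {
            // DaoAuthenticationProvider hides this exception behind a generic
            // BadCredentialsException by default, so callers cannot enumerate usernames.
            throw new UsernameNotFoundException("No user named " + username);
        }
        // getPassword() must return the stored hash; the PasswordEncoder registered
        // with this service compares the submitted password against it.
        return new User(spitter.getUsername(), spitter.getPassword(),
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_SPITTER")));
    }
}

// Registration in SecurityConfig, in place of the inMemoryAuthentication() override:
//
//   @Autowired
//   private SpitterRepository spitterRepository;
//
//   @Override
//   protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//       auth.userDetailsService(new SpitterUserDetailsService(spitterRepository))
//           .passwordEncoder(new BCryptPasswordEncoder());
//   }
```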

Using the inMemoryAuthentication() Method

The inMemoryAuthentication() method keeps the users in memory, which is convenient for development and testing; we declare them by overriding configure(AuthenticationManagerBuilder):

package spitter.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
@EnableWebMvcSecurity
// Enable Spring MVC security
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user")
                .password("password")
                .roles("USER")
                .and()
                .withUser("admin")
                .password("password")
                .roles("USER", "ADMIN");
    }
}

Using the jdbcAuthentication() Method

To use the jdbcAuthentication() method, we need to configure the data source for the user store.

package spitter.config;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
@EnableWebMvcSecurity
// Enable Spring MVC security
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // The DataSource that holds the user tables, injected from the application context
    @Autowired
    private DataSource dataSource;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
                .dataSource(dataSource);
    }
}
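An added example, not from the original page, showing jdbcAuthentication() adapted to the application's own Spitter table with custom lookup queries and a password encoder. The Spitter table with username and password columns is assumed, as is a database that accepts the boolean literal true.

```java
package spitter.config;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
                .dataSource(dataSource)
                // Without custom queries Spring Security expects its default
                // users/authorities tables. The assumed Spitter table supplies
                // username, password (a hash) and an enabled flag instead.
                .usersByUsernameQuery(
                        "select username, password, true from Spitter where username = ?")
                // Every Spitter gets ROLE_USER, so no separate authorities table is needed.
                .authoritiesByUsernameQuery(
                        "select username, 'ROLE_USER' from Spitter where username = ?")
                // Stored passwords must be BCrypt hashes; the encoder compares the
                // submitted password against the hash rather than comparing plain text.
                .passwordEncoder(new BCryptPasswordEncoder());
    }
}
```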

Using the configure(HttpSecurity) Method

In configure(HttpSecurity) we specify which requests require authentication and which do not. Matchers are evaluated in the order they are declared, so the specific paths come first and the catch-all anyRequest() rule comes last:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/spitters/me")
            .authenticated()
            .antMatchers(HttpMethod.POST, "/spittles")
            .authenticated()
            .anyRequest()
            .permitAll();
}
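One SecurityConfig that overrides all three configure() overloads described earlier and extends the request rules above with a role check and the custom login page listed among the remaining tasks. This is an added example, not the original page's code; the /admin/** area and the /login view are assumed.

```java
package spitter.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // configure(WebSecurity): filter-chain-wide settings. Static resources hold
    // nothing sensitive, so they skip the security filters altogether.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    // configure(HttpSecurity): per-request protection. Matchers are evaluated
    // in order, so specific paths come first and anyRequest() comes last.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")   // assumed admin area
                .antMatchers("/spitters/me").authenticated()
                .antMatchers(HttpMethod.POST, "/spittles").authenticated()
                .anyRequest().permitAll()
            .and()
            .formLogin()
                .loginPage("/login")   // assumed custom login view
                .permitAll();          // the login page itself must stay reachable
        // CSRF protection stays at its default (enabled); the form tag library
        // adds the hidden token field to Spring forms automatically.
    }

    // configure(AuthenticationManagerBuilder): the user store consulted above.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER")
                .and()
                .withUser("admin").password("password").roles("USER", "ADMIN");
    }
}
```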

By following these steps, we can configure Spring Security correctly and ensure the security of our application.