5 Core Concepts of Spring Security
- Authentication and Authorization
– Authentication – Who are you – Answered by showing an ID (Facebook, LinkedIn for an ID which uniquely identifies you)
– Authorization – What you want – State what you want
- Knowledge Based Authentication – Providing details you know about yourself to prove it is you. Downside is that the details can be stolen.
- Possession Based Authentication – Key cards for accessing building doors, phone OTP. Authenticates by checking that the user possesses something which the real user should possess.
- Multi Factor Authentication – Enter password and enter OTP (KBA + PBA)
- Authorization – Checks whether the person is allowed to do something. For Authorization, Authentication is needed in the first place.
- Principal
– Person identified through the process of Authentication
– Person who has logged in. Currently logged in user (or) account.
– App remembers the principal in context as the currently logged-in user.
- Granted Authority
– Authority includes whether the user is allowed to Read, Write, Update and Delete at permission level
- Role
– Group of Authorities assigned together forms a role
Form-based Authentication
pom.xml
. .
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
. .
Basic Auth
- Client sends a request without username and password and gets 401 Unauthorized as the response
- Now the client sends a request with username and password, Base64 encoded
- Server validates whether the user exists in the DB
- Server replies with 200 OK if user authentication is successful
- Basic ENCODED-BASE64-USERIDPASSWORD is the value sent in the header from client to server
- In Postman basic auth can be done by adding an Authorization header with the base64 encoded user and password
Header : Authorization
Value : Basic base64('YourOrgName:YourAPIKEY');
- Base64 encoded text can be obtained from the JS console in the browser as below
"username:password!" // Here I used the basic Auth string format
// Encode the plain string to base64
btoa("username:password!"); // output: "dXNlcm5hbWU6cGFzc3dvcmQh"
// Decode the base64 to plain string
atob("dXNlcm5hbWU6cGFzc3dvcmQh"); // output: "username:password!"
- Using the Authorization tab in Postman does the same thing: it adds the base64 encoded username and password to the header, prepending Basic
The difference between Form Auth and Basic Auth is that in Basic Auth the username and password are sent to the server in the header, as base64 encoded characters, on every request.
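The Basic Auth exchange listed above, modelled as an added example (not code from the original notes): the client builds the Authorization header, and the server parses it, answers 401 with a challenge when credentials are missing or wrong, and 200 with the principal when they are valid. It assumes Node.js and a constructed in-memory `users` object in place of the DB lookup; the function names are my own.

```javascript
// Added example, not from the original notes: the Basic Auth exchange
// modelled as two pure functions (client builds the header, server
// checks it). Node.js only; `users` is a constructed stand-in for the
// DB lookup and would hold password hashes in a real application.

// Client side: "Basic " + base64(username:password), as sent in the
// Authorization header on every request.
function buildBasicAuthHeader(username, password) {
  return 'Basic ' + Buffer.from(username + ':' + password, 'utf8').toString('base64');
}

// Constant-time comparison so the time taken to reject a wrong password
// does not depend on how many leading characters matched.
function safeEqual(a, b) {
  const ab = Buffer.from(a, 'utf8');
  const bb = Buffer.from(b, 'utf8');
  if (ab.length !== bb.length) return false;
  let diff = 0;
  for (let i = 0; i < ab.length; i++) diff |= ab[i] ^ bb[i];
  return diff === 0;
}

// Server side. Returns the responses the notes list: 401 with a
// WWW-Authenticate challenge when credentials are missing or invalid,
// 200 with the authenticated principal when the user is validated.
function checkBasicAuth(authorizationHeader, users) {
  const challenge = { status: 401, wwwAuthenticate: 'Basic realm="Realm"' };
  if (typeof authorizationHeader !== 'string') return challenge;
  const parts = authorizationHeader.split(' ');
  if (parts.length !== 2 || parts[0] !== 'Basic') return challenge;
  // base64 is encoding, not encryption: anyone who sees the header can decode it.
  const decoded = Buffer.from(parts[1], 'base64').toString('utf8');
  // Split on the FIRST colon only; the password itself may contain ':'.
  const sep = decoded.indexOf(':');
  if (sep < 0) return challenge;
  const username = decoded.slice(0, sep);
  const password = decoded.slice(sep + 1);
  if (!Object.prototype.hasOwnProperty.call(users, username)) return challenge;
  if (!safeEqual(users[username], password)) return challenge;
  return { status: 200, principal: username };
}
```

Because the header is only base64, Basic Auth is safe only over TLS; this is why the notes' form-based session key, rather than the credentials, is what travels on later requests.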
Form-based authentication
Form-based authentication is not formalized by any RFC. It does not use the formal HTTP authentication techniques. It uses standard HTML form fields to pass the username and password values to the server. The server validates the credentials and then creates a "session" that is tied to a unique key that is passed between the client and server on each HTTP PUT and GET request. When the user clicks "log off" or the server logs the user off (for example after a certain idle time), the server invalidates the session key, which makes any subsequent communication between the client and server require re-validation.
Basic Auth
Basic Auth with Authorization in Headers as seen in DevTool
Creating the class below in a Spring Boot project enables Basic auth (HTTP auth) instead of the default form-based auth which we get after adding the spring security starter dependency to pom.xml.
ApplicationSecurityConfig.java
Using Custom Username and Password for In-memory Authentication
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Every request must be authenticated; challenge with HTTP Basic instead of the default login form
        httpSecurity.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .httpBasic();
    }
}