{"id":3927,"date":"2020-09-28T16:01:22","date_gmt":"2020-09-28T16:01:22","guid":{"rendered":"https:\/\/codethataint.com\/blog\/?p=3927"},"modified":"2020-09-29T15:47:43","modified_gmt":"2020-09-29T15:47:43","slug":"spring-security-basics","status":"publish","type":"post","link":"https:\/\/codethataint.com\/blog\/spring-security-basics\/","title":{"rendered":"Spring Security Basics"},"content":{"rendered":"

5 Core Concepts of Spring Security<\/strong><\/p>\n

    \n
  1. Authentication and Authorization<\/strong>
    \n – Authentication – Who are you – Answer by showing ID(Facebook, LinkedIn for ID which uniquely identifies you)
    \n – Authorization – What you want – State what you want <\/p>\n

    \tKnowledge Based Authentication – Providing details you know about you to prove its you. Downside is details can be stolen.
    \n\tPossession Based Authentication – Key Cards for accessing Building Doors, Phone OTP. Authenticates by checking the user posses something which
    \n\t\t\t\t\t\t\t\t\t realuser should posses. <\/p>\n

    \tMulti Factor Authentication – Enter password and enter OTP(KBA + PBA) <\/li>\n

  2. Authorization <\/strong>– Checks whether the person is allowed to do something. For Authorization, Authentication is needed at first place.<\/li>\n
  3. Principal <\/strong>
    \n – Person identified through process of Authentication
    \n – Person who has logged in. Currently logged in user (or) account.
    \n – App remembers the principal in context as currently loggedin user.<\/li>\n
  4. Granted Authority<\/strong>
    \n – Authority includes whether the user is allowed to Read, Write, Update and Delete at permission level\t<\/li>\n
  5. Role <\/strong>
    \n – Group of Authorities assigned together forms a role<\/li>\n<\/ol>\n

    Formbased Authentication<\/strong>
    \npom.xml<\/strong><\/p>\n

    \r\n.\r\n.\r\n<dependency>\r\n  <groupId>org.springframework.boot<\/groupId>\r\n  <artifactId>spring-boot-starter-security<\/artifactId>\r\n<\/dependency>\r\n.\r\n.\r\n<\/pre>\n
    Basic Auth<\/strong>
    \n\"null\"<\/p>\n
      \n
    1. Client Sends a request without username and password and gets 401 Unauthorized as Response<\/li>\n
    2. Now Client Sends a request with username and password with Base64 Encoding<\/li>\n
    3. Server validates whether user exists in DB<\/li>\n
    4. Server replies with 200 Ok if user authentication is successful<\/li>\n
    5. Basic ENCODED-BASE64-USERIDPASSWORD is the one sent in header to server from client<\/li>\n
    6. In postman basic auth can be done by adding Authorization and base64 encoded user and password to header\n
      \r\nHeader : Authorization\r\nValue : Basic base64('YourOrgName:YourAPIKEY');\r\n<\/pre>\n<\/li>\n
    7. \nBase64 encoded text can be got from JS Console in browser as below<\/p>\n
      \r\n\"username:password!\" \/\/ Here I used basic Auth string format\r\n\r\n\/\/ Encode the plain string to base64\r\nbtoa(\"username:password!\"); \/\/ output: \"dXNlcm5hbWU6cGFzc3dvcmQh\"\r\n\r\n\r\n\/\/ Decode the base64 to plain string\r\natob(\"dXNlcm5hbWU6cGFzc3dvcmQh\"); \/\/ output: \"username:password!\"\r\n<\/pre>\n<\/li>\n
    8. Using Authorization Tab in post man does the same thing of adding base64 encoded UserName and Password to Header prepending Basic<\/li>\n<\/ol>\n
      The Difference between FormAuth and BasicAuth is in BasicAuth UserName and Password would be sent everytime when making a request to the server in the header as base64 encoded character.<\/strong><\/p>\n
      Form-based authentication <\/strong>
      \nForm-based authentication is not formalized by any RFC.They don\u2019t use the formal HTTP authentication techniques.They use the standard HTML form fields to pass the username and password values to the server.The server validates the credentials and then creates a \u201csession\u201d that is tied to a unique key that is passed between the client and server on each http put and get request.When the user clicks \u201clog off\u201d or the server logs the user off (for example after certain idle time), the server will invalidate the session key, which makes any subsequent communication between the client and server require re-validation<\/p>\n
      \"null\"<\/p>\n
      Basic Auth<\/strong>
      \n\"null\"<\/p>\n
      Basic Auth with Authorization in Headers as seen in DevTool<\/strong>
      \n\"null\"<\/p>\n
      Creating the below class in Spring Boot project would enable the Basic auth(httpAuth) instead of default formbased auth which we get after adding spring security starter dependency to pom.xml<\/p>\n
      ApplicationSecurityConfig.java<\/strong>
      \nUsing Custom Username and Password for Inmemory Authentication<\/em><\/p>\n
      \r\n@Configuration\r\n@EnableWebSecurity\r\npublic class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {\r\n    @Override\r\n    protected void configure(HttpSecurity httpSecurity) throws Exception{\r\n        httpSecurity.authorizeRequests()\r\n                    .anyRequest()\r\n                    .authenticated()\r\n                    .and()\r\n                    .httpBasic();\r\n    }\r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
      5 Core Concepts of Spring Security Authentication and Authorization – Authentication – Who are you – Answer by showing ID(Facebook, LinkedIn for ID which uniquely identifies you) – Authorization – What you want – State what you want Knowledge Based Authentication – Providing details you know about you to prove its you. Downside is details… Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[325],"tags":[],"class_list":["post-3927","post","type-post","status-publish","format-standard","hentry","category-spring-security"],"_links":{"self":[{"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/posts\/3927","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/comments?post=3927"}],"version-history":[{"count":5,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/posts\/3927\/revisions"}],"predecessor-version":[{"id":3951,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/posts\/3927\/revisions\/3951"}],"wp:attachment":[{"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/media?parent=3927"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/categories?post=3927"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/tags?post=3927"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}