- Make your web applications impenetrable.
- Implement authentication and authorization of users.
- Integrate Spring Security 3 with common external security providers.
- Packed full with concrete, simple, and concise examples.
It’s a good idea to change the default value of the spring_security_login page URL.
Tip: Not only would the resulting URL be more user- or search-engine friendly, it’ll disguise the fact that you’re using Spring Security as your security implementation. Obscuring Spring Security in this way could make it harder for malicious hackers to find holes in your site in the unlikely event that a security hole is discovered in Spring Security. Although security through obscurity does not reduce your application’s vulnerability, it does make it harder for standardized hacking tools to determine what types of vulnerabilities you may be susceptible to.
Evaluating authorization rules
Tip: For any given URL request, Spring Security evaluates authorization rules in top to bottom order. The first rule matching the URL pattern will be applied. Typically, this means that your authorization rules will be ordered starting from most-specific to least-specific order. It’s important to remember this when developing complicated rule sets, as developers can often get confused over which authorization rule takes effect. Just remember the top to bottom order, and you can easily find the correct rule in any scenario!
Using the JSTL URL tag to handle relative URLs
Tip: : Use the JSTL core library’s url tag to ensure that URLs you provide in your JSP pages resolve correctly in the context of your deployed web application. The url tag will resolve URLs provided as relative URLs (starting with a /) to the root of the web application. You may have seen other techniques to do this using JSP expression code (<%=request.getContextPath() %>), but the JSTL url tag allows you to avoid inline code!
Modifying username or password and the remember me Feature
Tip: You have anticipated that if the user changes their username or password, any remember me tokens set will no longer be valid. Make sure that you provide appropriate messaging to users if you allow them to change these bits of their account.
Configuration of remember me session cookies
Tip: If token-validity-seconds is set to -1, the login cookie will be set to a session cookie, which does not persist after the user closes their browser. The token will be valid (assuming the user doesn’t close their browser) for a non-configurable length of 2 weeks. Don’t confuse this with the cookie that stores your user’s session ID—they’re two different things with similar names!
Checking Full Authentication without Expressions
Tip: If your application does not use SpEL expressions for access declarations, you can still check if the user is fully authenticated by using the IS_ AUTHENTICATED_FULLY access rule (For example, .access=”IS_AUTHENTICATED_FULLY”). Be aware, however, that standard role access declarations aren’t as expressive as SpEL ones, so you will have trouble handling complex boolean expressions.
Debugging remember me cookies
Tip: There are two difficulties when attempting to debug issues with remember me cookies. The first is getting the cookie value at all! Spring Security doesn’t offer any log level that will log the cookie value that was set. We’d suggest a browser-based tool such as Chris Pederick’s Web Developer plug-in (http://chrispederick.com/work/web-developer/) for Mozilla Firefox. Browser-based development tools typically allow selective examination (and even editing) of cookie values. The second (admittedly minor) difficulty is decoding the cookie value. You can feed the cookie value into an online or offline Base64 decoder (remember to add a trailing = sign to make it a valid Base64-encoded string!)
Making effective use of an in-memory UserDetailsService
Tip: A very common scenario for the use of an in-memory UserDetailsService and hard-coded user lists is the authoring of unit tests for secured components. Unit test authors often code or configure the minimal context to test the functionality of the component under test. Using an in-memory UserDetailsService with a well-defined set of users and GrantedAuthority values provides the test author with an easily controlled test environment.
Storing sensitive information
Tip: Many guidelines that apply to storage of passwords apply equally to other types of sensitive information, including social security numbers and credit card information (although, depending on the application, some of these may require the ability to decrypt). It’s quite common for databases storing this type of information to represent it in multiple ways, for example, a customer’s full 16-digit credit card number would be stored in a highly encrypted form, but the last four digits might be stored in cleartext (for reference, think of any internet commerce site that displays XXXX XXXX XXXX 1234 to help you identify your stored credit cards).
Annotations at the class level
Tip: Be aware that the method-level security annotations can also be applied at the class level as well! Method-level annotations, if supplied, will always override annotations specified at the class level. This can be helpful if your business needs dictate specification of security policies for an entire class at a time. Take care to use this functionality in conjunction with good comments and coding standards, so that developers are very clear about the security characteristics of a class and its methods.
Authenticating the user against LDAP
Tip: Do not make the very common mistake of configuring an <authentication-provider> with a user-details-service-ref referring to an LdapUserDetailsService, if you are intending to authenticate the user against LDAP itself!
Externalize URLs and environment-dependent settings
Tip: Coding URLs into Spring configuration files is a bad idea. Typically, storage and consistent reference to URLs is pulled out into a separate properties file, with placeholders consistent with the Spring PropertyPlaceholderConfigurer. This allows for reconfiguration of environment-specific settings via externalizable properties files without touching the Spring configuration files, and is generally considered good practice.
In this article we took a look at some of the tips and tricks for Spring Security.
- Spring Security 3 [Book]
- Migration to Spring Security 3 [Article]
- Opening up to OpenID with Spring Security [Article]
- Spring Security: Configuring Secure Passwords [Article]