flutter>> learn-and-apply-spring-security>> 返回
项目作者: karthikeyan-ng

项目描述 :
This repository contains various Spring Boot + Security related concepts and techniques.
高级语言: Java
项目地址: git://github.com/karthikeyan-ng/learn-and-apply-spring-security.git


LearnSpringSecurity

This repository contains various Spring Boot + Security related concepts and techniques.

  1. basic-spring-security - you will learn

    1. How to add spring security dependency?
    2. How to use Spring default password?
    3. How to override the default username and password?

  2. basic-spring-security - you will learn

    1. How to use InMemoryUserDetailsManager to store your username and password in order to anthenticate the given user.

  3. basic-spring-security - you will learn

    1. How to use MySQL database to validate username and password (plain text) using NoOpPasswordEncoder.
    2. How to use MySQL database to validate username and password (bcrypt encoder) using BCryptPasswordEncoder
    3. How to use DaoAuthenticationProvider and UserDetailsService

  4. basic-spring-security - you will learn

    1. How to customize Spring security to use your own Login Form implementation to validate the given username and password instead spring provided default implementation.

  5. basic-spring-security - you will learn

    1. How to use Spring Boot + Security + OAuth2 token to validate the user account using Google API SSO.

Spring Boot Security

Authentication

  1. - HTTP Authentication
  2. - Forms Authentication
  3. - Certificate
  4. - Tokens (JWT)

Authorization
Privileges / Authorities
Roles

  • In Spring Security, granted authorities and roles are a form of expressing a privilege/permission for an authenticated user

  • We express them using plain names

    • Granted Authorities - Roles
      (Small action based) (Larger scope)
      READ_PROFILE ROLE_ADMIN
      EDIT_PROFILE ROLE_USER
      DELETE_PROFILE ROLE_SALES
      ACCESS_PUBLIC_API ROLE_MANAGEMENT

HTTP Basic Authentication

  1. In the context of HTTP, basic authentication is the process for browser to request a username and password when making a request in order to authentify the user
  3. Client/
  4. Browser  ----------- Get /home --------------------------> Server
  6.          401 Unauthorized
  7.          WWW-Authenticate: Basic realm="localhost"
  8.          <------------------------------------------------ ==> this step it will show a popup dialog to enter username and password
  10.          Authorization: Basic sgsgasgasgaswtrw25252141=
  11.          ----------- Get /home -------------------------->
  13.          <------------200 OK-------------------------------
  14.             return some resource from server
  17. Encoding of username and password
  19.     username: karthi
  20.     password: testing
  22.     - Name and Password are combined (Ex: karthi:testing)
  23.     - Browser will encode this to Base64 format (Ex: Ssgsgsoj252522sgsS)
  24.     - Transmit in HTTP header (Ex: Authorization:Basic Ssgsgsoj252522sgsS)
  26. Stuff you need to know about Basic Authentication
  27.     - It is very simple. It doesn't require cookie, session identifiers, or login page
  28.     - Transmitted credentials are not encrypted. They are encoded with Base64 in transit, but not encrypted or hashed in any way.
  29.     - Basic Authentication is typically used in conjunction with HTTPS to provide confidentiallity.
  30.         - In this case, user can't grab the given username and password. Becuase, it uses HTTPS layer.
  31.     - HTTP does not provide a method for a web server to instruct the client to "log out"
  32.     - This authentication mechanism is not handled by your app, but the browser
  34.     - Simpler definition:
  35.         - HTTP Basic is the simplest form of authentication. In conjunction with SSL, it is considered the bare minimum for protecting non-sensitive resources.
  37.         - Otherwise, go with a more secure solution.

Form Based Authentication

  1. It is the process of authenticating a user by presenting a custom HTML page that will collect credentials and by directing the authentication responsibility to the web application that collects the form data.
  4. Login:
  6. Client ---------------- GET /home ---------------------------> Server
  8.        <-----If not authenticated REDIRECT to login page -----    
  9.          Login form will be displayed
  12.        ------------- POST form data (username + password) ---->    [Session][Created]
  14.        <----- If OK create SESSION ID and return auth cookie --
  17.        -------------- GET /employees/reports/all -------------->
  19.        <---- 200 OK --------------------------------------------
  23. Logout:
  25. Client ---------------- GET /logout ---------------------------> Server
  27.        <------- SESSION is invalidated & Redirected to /login -- [Session][removed]
  30. Stuff you need to know about Forms Authentication
  31.     - The application is responsible for dealing with form data and performing the actual authorization phase.
  33.     - Infrastructure handled by Spring Secutrity.
  35.     - It is the most widespread form of authentication, well sutied for self-contained apps.
  37.     - The user credentials are conveyed in the clear to the web application, so use SSL to keep them safe in transit.
  39.     - This technique is inherently phishable, so use SSL and certificates from trusted organizations.
  41.     - Not suited for public REST endpoints given to third party apps or customers. Only self-contained.
  43. Simpler definition:
  44.     Forms Authentication is the most used method for authorizing users and works like a charm for self-contained apps that do not expose public API's to other parties.

Token Based Authentication using JWT (JSON Web Token)

  1. JSON Web Token (JWT) is a compact and safe way to transmit data between two parties. The information can be trusted because it is digitally signed.
  3. Login:
  5. |------------------                                                            |-------------------|
  6. |                  |--- User sign in (Credentials, Facebook, Google, etc) -->|    Auth Server        |
  7. |                  |                                                            |                    |
  8. | Client (Outside)|<--- Authenticated. Token {JWT} created and returned ----|___________________|
  9. | your app domain)|
  10. |                  |                                                            |-------------------|
  11. |                  |--->GET /report/all HEADER Authorization: Bearer {JWT}-->|    Application        |
  12. |                  |                                                            |        (REST)        |
  13. |                  |<------------- 200 OK -----------------------------------|                    |
  14. |                  |                                                            |                    |
  15. |                  |--->POST /product HEADER Authorization: Bearer {JWT} --->|                    |
  16. |                  |                                                            |                    |
  17. |                  |<------------- 200 OK -----------------------------------|___________________|
  18. -------------------
  21. JWT Structure:
  22.     JSON Web Token consist of three parts separated by dots(.)
  23.         1. Header
  24.         2. Payload (Data)
  25.         3. Signature
  27.     Example: hhhh.ppppppp.ssssssss
  29.     Refer: https://jwt.io
  31. When should you use them?
  33.     Mobile  ----------- {JWT} ------ www.myapp.com
  34.                                         Auth Server +
  35.                                         REST API
  36.     WEB    ------------ {JWT} ---------
  38.     3rd Party1 ----- {JWT} ---------
  40.     3rd Party2 ----- {JWT} ---------

SSL & HTTPS

  1. HTTP is a combination of HTTP plus SSL security layer on top of it. HTTPS is just HTTP that delivers data securely between endpoints.
  3. HTTP is not Secure
  4. ------------------
  6. Client/Browser  <-------- http://mymailserver.com --------> MailServer
  7.                             john.does
  8.                             password
  10. In this above HTTP transaction, some malicious user can try to intercept/hack the given username and password.
  12. HTTPS is secure
  13. ---------------
  15. Client/Browser  <-------- https://mymailserver.com --------> MailServer
  16.                             john.does
  17.                             password
  19. In this method, the malicious user can't see the given information. It will be secure.
  21. How HTTPS works?
  22. ---------------- 
  23.     This is where SSL Certificate come in to play.
  25.     Security in HTTPS communication is ensured by using SSL certificates
  27.     Self-Signed (Created by you) - Good for development
  29.     Signed by Trusted Authority (Comodo, Symantec, DigiCert, etc.) - For Production
  31.     Flow
  32.     ----
  34.     Broswer/
  35.     Client Machine ----------- HTTPS request ---------------------> Server
  37.                    <--- Server sends certificate with public key--
  40.                         SSL Verification. If OK browser sends
  41.                         back session key
  42.                     ----------------------------------------------->
  44.     <------------------------------------------------------------------->
  45.         Secure communication by encrypting all data with session key
  47. SSL is mandatory for any web application, regardless of the chosen security config.
Spring Security OAuth2_1649511853764.pptx
10-spring-security_1649511849197.doc
6-spring-security-registration-rememberme-emailverification - Copy_1649511850962.doc
7-Custom-Auth-Server_1649511851637.doc
8-logging-in-with-google_1649511853542.doc