Spring Certification: Security

What are authentication and authorization? Which must come first?

• Authentication is the process of deciding if the user making a request, is accepted to use the application resources
• Validation of credentials
• Validation of the content of Authentication Header in request
• Validation of the JSESSION cookie

• Authorization is the process of deciding if an authenticated user can have access to a specific application resource
• Happens in web request level or method level

• Authentication comes first.

Is security a cross cutting concern? How is it implemented internally?

• Yes

• In web request and method level:

• Web request level
• Register a springSecurityFilterChain (using AbstractSecurityWebApplicationInitializer base class or xml)
• DelegatingFilterProxy will ensure this filter will be used before any else
• and delegates to AccessDecisionManager, which delegates to a list of configured AccessDecisionVoters
• Access to particular resource is granted or denied

• Method level: Implemented with AOP proxies that check user permission for resource

What is the delegating filter proxy?

• Servlet filter that allows passing control to Filter classes that have access to the Spring application context.
• Specifically, requests are propagated from DelegatingFilterProxy to a registered FilterChainProxy which contains our security logic
• Spring security is configured by declaring a filter DelegatingFilterProxy in web.xml 

What is the security filter chain?

• DelegatingFilterProxy delegates to springSecurityFilterChain which is a FilterChainProxy
• Contains security process-handling logic
• Contains Filters in a chain, registered as Spring beans
• Responsibilities: authentication, authorization, logout, maintain Security context

• Examples of filters:
• SecurityContextPersistenceFilter (restores Authentication from JSESSIONID) 
• UsernamePasswordAuthenticationFilter (performs authentication)
• ExceptionTranslationFilter (catch security exceptions from FilterSecurityInterceptor)
• FilterSecurityInterceptor (may throw authentication and authorization exceptions) 

What is a security context?

• The SecurityContext is used to store the details of the currently authenticated user (principle).
• The SecurityContextHolder helper class provides access to SecurityContext
• Thus, user details can be retrieved.
• By default, a ThreadLocal object is utilized to store the SecurityContext, so the security context is available to methods in the same execution thread.

What does the ** pattern in an antMatcher or mvcMatcher do?

• Indicates any path (after the path before **) is valid for matching, example:
• /rest/books/**

Why is the usage of mvcMatcher recommended over antMatcher?

• Generally mvcMatcher is more secure than an antMatcher. (Spring MVC’s HandlerMappingIntrospector)
• Also, MvcMatcher can also restrict the URLs by HTTP method

• Semantics:
• antMatchers("/books") matches only the exact URL
• mvcMatchers("/books") matches /books, and  /books/, /books.html, /books.xyz    

Does Spring Security support password encoding?

• Yes, provides password encoding using the PasswordEncoder interface. Note we can only encode the plain text to password, and not the opposite.

Why do you need method security? What type of object is typically secured at the method level (think of its purpose not its Java type).

• Method security is needed to apply security logic to lower level methods. It also provides an extra layer of security, along with web request level
• Method security is applied with Spring AOP proxies

• Spring Security provides below types of annotations:

• Spring Security’s @Secured
• JSR-250’s @RolesAllowed
• @PreAuthorize /@PostAuthorize
• @PreFilter / @PostFilter

What do @PreAuthorized and @RolesAllowed do? What is the difference between them?

• @PreAuthorized: Restricts access to a method before invocation based on the result of evaluating spEL expression, like: 

• @PreAuthorize("hasRole(’ADMIN’) or hasRole(’ADMIN2’)")
     public void createBookEntry(Book book){}

• @RolesAllowed:Same as above, but does only permit a role reference, not an expression

• @RolesAllowed("ROLE_ADMIN")
     public User findBookById(Long id) {}

How are these annotations implemented?

• @PreAuthorized: 
• Part of Spring Security framework
• Spring recognizes these annotated method using Spring AOP proxies
• To enable above, set @EnableGlobalMethodSecurity(prePostEnabled = true)
• @RolesAllowed: 
• Originates in the JSR-250 Java security standard
• Library must be in classpath
• To enable above, set @EnableGlobalMethodSecurity(jsr250Enabled=true)

In which security annotation, are you allowed to use SpEL?

• @PreAuthorized
• @PostAuthorized
• @PreFilter
• @PostFilter