[Spring] Configuring Basic Security

Our Users

REST API security(2)

User ID	Password	Roles
john	test123	EMPLOYEE
mary	test123	EMPLOYEE, MANAGER
susan	test123	EMPLOYEE, MANAGER, ADMIN

Development Process

1. Create Spring Security Configuration(@Configuration)
2. Add users, passwords and roles

Step 1: Create Spring Security Configuration

File:DemoSecurityConfig.java
import org.springframework.context.annotation.Configuration;

@Configuration
public class DemoSecurityConfig {

	// add our security configurations here ...
}

Spring Security Password Storage

• In Spring, passwords are stored using a specific format

  {id}encodedPassword

ID	Description
noop	Plain text passwords
bcrypt	BCrypt password hashing
…	…

Password Example

Step 2: Add users, passwords and roles

• File: DemoSecurityConfig.java

• Since we defined our users here…
• Spring Boot will NOT use the user/pass from the application.properties file

Restric Access Based on Roles

Example

HTTP Method	Endpoint	CRUD Action	Role
GET	/api/employees	Read all	EMPLOYEE
GET	/api/employees/{employeeId}	Read single	EMPLOYEE
POST	/api/employees	Create	MANAGER
PUT	/api/employees	Update	MANAGER
DELETE	/api/employees/{employeeId}	Delete employee	ADMIN

Restricting Access to Roles

• General Syntax

Authorize Requests for EMPLOYEE role

Authorize Requests for MANAGER role

Authorize Requests for ADMIN role

Pull it Together

Cross-Site Request Forgery(CSRF)

• Spring Security can protect against CSRF attacks
• Embed additional authentication data/token into all HTML forms
• On subsequent requests, web app will verify token bofore processing
• Primary use case is traditional web applications (HTML forms etc..)

When to use CSRF Protection?

• The Spring Security team recommends
  • Use CSRF protection for any normal browser web requests
  • Traditional web apps with HTML forms to add/modify data
• If you are building a REST API for non-browser clients
  • you may want to disable CSRF protection
• In general, not required for stateless REST APIs
  • That use POST,PUT,DELETE and/or PATCH

Pull it Together

• Role : ADMIN
• Test user : susan / test123
• pass: Get all employees
• pass: Get single employee
• pass: Add employee
• pass: Update employee
• pass: Delete employee