[Spring] Configuring Basic Security
Our Users
REST API security(2)
| User ID | Password | Roles |
|---|---|---|
| john | test123 | EMPLOYEE |
| mary | test123 | EMPLOYEE, MANAGER |
| susan | test123 | EMPLOYEE, MANAGER, ADMIN |
Development Process
- Create Spring Security Configuration (@Configuration)
- Add users, passwords and roles
Step 1: Create Spring Security Configuration
File: DemoSecurityConfig.java

```java
import org.springframework.context.annotation.Configuration;

@Configuration
public class DemoSecurityConfig {
    // add our security configurations here ...
}
```
Spring Security Password Storage
- In Spring, passwords are stored using a specific format
{id}encodedPassword
| ID | Description |
|---|---|
| noop | Plain text passwords |
| bcrypt | BCrypt password hashing |
| … | … |
Password Example

Step 2: Add users, passwords and roles
- File: DemoSecurityConfig.java

- Since we defined our users here…
- Spring Boot will NOT use the user/pass from the application.properties file

Restrict Access Based on Roles
Example
| HTTP Method | Endpoint | CRUD Action | Role |
|---|---|---|---|
| GET | /api/employees | Read all | EMPLOYEE |
| GET | /api/employees/{employeeId} | Read single | EMPLOYEE |
| POST | /api/employees | Create | MANAGER |
| PUT | /api/employees | Update | MANAGER |
| DELETE | /api/employees/{employeeId} | Delete employee | ADMIN |
Restricting Access to Roles
- General Syntax



Authorize Requests for EMPLOYEE role

Authorize Requests for MANAGER role

Authorize Requests for ADMIN role

Pull it Together

Cross-Site Request Forgery (CSRF)
- Spring Security can protect against CSRF attacks
- Embed additional authentication data/token into all HTML forms
- On subsequent requests, the web app will verify the token before processing
- Primary use case is traditional web applications (HTML forms, etc.)
When to use CSRF Protection?
- The Spring Security team recommends
  - Use CSRF protection for any normal browser web requests
  - Traditional web apps with HTML forms to add/modify data
- If you are building a REST API for non-browser clients
  - you may want to disable CSRF protection
- In general, not required for stateless REST APIs
  - That use POST, PUT, DELETE and/or PATCH
Pull it Together


- Role: ADMIN
- Test user: susan / test123
- pass: Get all employees
- pass: Get single employee
- pass: Add employee
- pass: Update employee
- pass: Delete employee