# Spring Security
* [Spring Security Project Home](https://spring.io/projects/spring-security)
* [Code](https://github.com/spring-projects/spring-security/)
* code: `D:\workspace\rtfsc\spring-security`

Books:
* Spilca, Laurentiu. **Spring Security in Action**. 2024. Manning.
  * Tools:Spring Initializr, STS(Spring Tool Suite), Java 11.

actions: 
* example-springcloud/auth/security
* HTTPie: Archived > Spring Security in Action

# Dependencies

- org.springframework.boot:spring-boot-starter-security:3.4.0

# Protocols

## HTTP Basic authentication

HTTP Basic authentication, [RFC 7617](https://tools.ietf.org/html/rfc7617), [base64](https://www.base64encode.org) encoded

```shell
echo -n user:93a01cf0-794b-4b98-86ef-54860f36f7f3 | base64
curl -H "Authorization: Basic dXNlcjo5M2EwMWNmMC03OTRiLTRiOTgtODZlZi01NDg2MGYzNmY3ZjM=" localhost:8080/hello
```

## HTTPS

In [1]:
!openssl version

OpenSSL 3.4.1 11 Feb 2025 (Library: OpenSSL 3.4.1 11 Feb 2025)


generate self-signed certifcate: private key (key.pem), public certificate (cert.pem)
```shell
# password: 123456
$ openssl req -newkey rsa:2048 -x509 -keyout key.pem -out cert.pem -days 365
...+......+.......+...............+.....+.......+......+......+...+...+.....+....+.....+...............+...+...+...+....+...+..+......+.......+.....+...+.......+..+++++++++++++++++++++++++++++++++++++++*.....+......+...+..+.......+..+.+++++++++++++++++++++++++++++++++++++++*.....+..+...............+.+.........+.....++++++
.+...+.....+.........+....+......+.....+....+......+...+...+........+.........+.+.....+.+.....+.+++++++++++++++++++++++++++++++++++++++*.......+........+++++++++++++++++++++++++++++++++++++++*.......+.....+.........+..........+...+...+...............+..............+......+...+....+.....+...+...+.+...........+...+....+..++++++
Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Org
Organizational Unit Name (eg, section) []:Software
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:admin@example.com
```

certificate format: Public Key Cryptography Standards #12 (PKCS12)

```shell
# export password: 123456
$ openssl pkcs12 -export -in cert.pem -inkey key.pem -out certificate.p12 -name "certificate"
Enter pass phrase for key.pem:

Enter Export Password:

Verifying - Enter Export Password:

$ ls
cert.pem  certificate.p12  key.pem
```

```properties
# application.properties
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:certificate.p12
server.ssl.key-store-password=123456
```

In [9]:
!curl https://localhost:10000/hello

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - 证书链是由不受信任的颁发机构颁发的。
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.


In [10]:
# skip verify the certificate
!curl -s -k https://localhost:10000/hello

hello


# Components

Figure 2.2 The main components acting in the authentication process for Spring Security and the
relationships among these. This architecture represents the backbone of implementing authentication
with Spring Security. We’ll refer to it often throughout the book when discussing different
implementations for authentication and authorization. - P.39

1. The request is intercepted by the **authentication filter**.
2. Authentication responsibility is delegated to the **authentication manager**.
3. The authentication manager uses the **authentication provider**, which implements the authentication logic.
4. The authentication provider finds the user with a **user details service** and validates the password using a **password encoder**.
5. The result of the authentication is returned to the **filter**
6. Details about the *authenticated entity* are stored in the **security context**.

```java
AuthenticationFilter
AuthenticationManager
AuthenticationProvider
UserDetailsService
PasswordEncoder
Authentication
SecurityContext
```

# Configuration

```java
@EnableWebSecurity
SecurityFilterChain
HttpSecurity
```


filters:
```java
    // filters: org.springframework.security.web.DefaultSecurityFilterChain.getFilters
    // example:
    //0 = {DisableEncodeUrlFilter@10617}
    //1 = {WebAsyncManagerIntegrationFilter@10618}
    //2 = {SecurityContextHolderFilter@10619}
    //3 = {HeaderWriterFilter@10620}
    //4 = {CsrfFilter@10621}
    //5 = {LogoutFilter@10622}
    //6 = {BasicAuthenticationFilter@10623}
    //7 = {RequestCacheAwareFilter@10624}
    //8 = {SecurityContextHolderAwareRequestFilter@10625}
    //9 = {AnonymousAuthenticationFilter@10626}
    //10 = {ExceptionTranslationFilter@10627}
    //11 = {AuthorizationFilter@10628}
```

In [16]:
!curl -v http://localhost:10000/hello

* Host localhost:10000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying [::1]:10000...
* Connected to localhost (::1) port 10000
* using HTTP/1.x
> GET /hello HTTP/1.1

> Host: localhost:10000

> User-Agent: curl/8.10.1

> Accept: */*

> 

* Request completely sent off
< HTTP/1.1 401 

< Set-Cookie: JSESSIONID=2965A6B478B0A71A50045E29C51FB00F; Path=/; HttpOnly

< WWW-Authenticate: Basic realm="Realm"

< X-Content-Type-Options: nosniff

< X-XSS-Protection: 0

< Cache-Control: no-cache, no-store, max-age=0, must-revalidate

< Pragma: no-cache

< Expires: 0

< X-Frame-Options: DENY

< Content-Length: 0

< Date: Thu, 06 Mar 2025 02:33:02 GMT

< 


  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host lo

In [21]:
!curl -s -u john:123456 http://localhost:10000/hello

hello


# Authentication

## Authentication Provider

```java
AuthenticationProvider

// java.security.Principal: https://docs.oracle.com/javase/8/docs/api/java/security/Principal.html
Authentication
	UsernamePasswordAuthenticationToken

AuthenticationException
BadCredentialsException

SecurityContext
SecurityContextHolder
	// system property: spring.security.strategy
	MODE_THREADLOCAL // java.lang.ThreadLocal
	MODE_INHERITABLETHREADLOCAL
	MODE_GLOBAL

DelegatingSecurityContextRunnable // java.lang.Runnable
DelegatingSecurityContextCallable<T> // java.util.concurrent.Callable<T>

DelegatingSecurityContextExecutorService // java.util.concurrent.ExecutorService
DelegatingSecurityContextExecutor
DelegatingSecurityContextScheduledExecutorService
```

HTTP Basic and form-based login authentication

```java
HttpSecurity
	httpBasic()
		Customizer<HttpBasicConfigurer<HttpSecurity>
			realmName(...)
			authenticationEntryPoint(AuthenticationEntryPoint)
	formLogin() // '/logout'
		FormLoginConfigurer<HttpSecurity>
			defaultSuccessUrl(...)
			successHandler(AuthenticationSuccessHandler)
			failureHandler(AuthenticationFailureHandler)
```

## Users

```java
UserDetails
org.springframework.security.core.userdetails.User


GrantedAuthority
	SimpleGrantedAuthority

UserDetailsService

UserDetailsManager
	InMemoryUserDetailsManager
	JdbcUserDetailsManager
	LdapUserDetailsManager // LDAP Data Interchange Format (LDIF) file
```

```sql
-- schema.sql
-- MySQL
CREATE TABLE IF NOT EXISTS `spring`.`users` (
	`id` INT NOT NULL AUTO_INCREMENT,
	`username` VARCHAR(45) NOT NULL,
	`password` VARCHAR(45) NOT NULL,
	`enabled` INT NOT NULL,
	PRIMARY KEY (`id`));

CREATE TABLE IF NOT EXISTS `spring`.`authorities` (
	`id` INT NOT NULL AUTO_INCREMENT,
	`username` VARCHAR(45) NOT NULL,
	`authority` VARCHAR(45) NOT NULL,
	PRIMARY KEY (`id`));

-- data.sql
INSERT IGNORE INTO `spring`.`authorities` VALUES (NULL, 'john', 'write');
INSERT IGNORE INTO `spring`.`users` VALUES (NULL, 'john', '12345', '1');
```

## Password

```java
PasswordEncoder
	NoOpPasswordEncoder
	StandardPasswordEncoder
	Pbkdf2PasswordEncoder
	BCryptPasswordEncoder
	SCryptPasswordEncoder

DelegatingPasswordEncoder
PasswordEncoderFactories
```

the Spring Security Crypto module (SSCM)
- key generator: generate keys for hashing and encryption algorithms
- encryptor: encrypt and decrypt data

```java
BytesKeyGenerator
StringKeyGenerator
KeyGenerators

BytesEncryptor
TextEncryptor
Encryptors
```

# Authorization

## Endpoint Level

use security aspect

- restriting access
```java
HttpSecurity.authorizeHttpRequests(c -> ...)
```

- applying restriction
```java
HttpSecurity.authorizeHttpRequests(c -> 
  // 请求匹配
  c.requestMatchers(...)....)

c.requestMatchers("/hello")
c.requestMatchers(HttpMethod.GET, "/a")
c.requestMatchers("/a/b/**")
c.requestMatchers("/product/{code:^[0-9]*$}")
c.requestMatchers("/email/{email:.*(?:.+@.+\\.com)}")
c.regexMatchers(".*/(us|uk|ca)+/(en|fr).*") // 正则表达式匹配
```

## CSRF

```java
HttpSecurity.csrf(...)


CsrfFilter
CsrfTokenRepository // default: HTTP session
CsrfTokenRequestHandler
```

## CORS

HTTP headers:
- Origin
- Access-Control-Request-Method
- Access-Control-Request-Headers

- Access-Control-Allow-Origin
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers

```java
@CrossOrigin

HttpSecurity.cors(...)
CorsConfigurationSource // 
CorsConfiguration
```

## Method Level

call authorization:
- pre-authorization: 根据已实现的权限规则, 确定是否可以调用方法
- post-authorization: 确定在方法执行后是否可以访问方法的返回值

```java
@EnableMethodSecurity
```

define authorization rules:
- pre/post authorization: `@PreAuthorize`, `@PostAuthorize`
  - SpEL表达式: Spring Expression Language
- `@RolesAllowed`: JSR 250
- `@Secured`

example
```java
@PreAuthorize("hasAuthority('write')") // hasAnyAuthority, hasRole, hasAnyRole
@PreAuthorize("#name == authentication.principal.username")
public List<String> getSecretNames(String name) { ... }
```

```java
public class Employee {
  private String name;
  private List<String> books;
  private List<String> roles;
  // Omitted constructor, getters, and setters
}
@PostAuthorize("returnObject.roles.contains('reader')")
public Employee getBookDetails(String name) { ... }
```


permission:
```java
// by object and permission
// by object ID, object type and permission
PermissionEvaluator
MethodSecurityExpressionHandler


public class Document {
  private String owner;
  // Omitted constructor, getters, and setters
}
@PostAuthorize("hasPermission(returnObject, 'ROLE_admin')")
public Document getDocument(String code) { ... }

@PreAuthorize("hasPermission(#code, 'document', 'ROLE_admin')")
public Document getDocument(String code) { ... }
```

```java
@RolesAllowed("ADMIN")
@Secured("ROLE_ADMIN")
```

filtering:
- pre-filtering: 确定方法可通过参数接收的内容, 即在调用方法前过滤参数 `@PreFilter`
- post-filtering: 确定调用者在方法执行后可以接收的内容, 即在方法调用后过滤返回值 `@PostFilter`

```java
public class Product {
  private String name;
  private String owner;
  // Omitted constructor, getters, and setters
}

@PreFilter("filterObject.owner == authentication.name")
public List<Product> sellProducts(List<Product> products) { ... }

@PostFilter("filterObject.owner == authentication.name")
public List<Product> findProducts() { ... }
```

filtering in Spring Data repositorys
- use `@PreFilter`, `@PostFilter`
- direclty apply filtering within queries

```java
@PostFilter("filterObject.owner == authentication.name")
List<Product> findProductByNameContains(String text);

SecurityEvaluationContextExtension
@Query("""SELECT p FROM Product p WHERE
          p.name LIKE %:text% AND
          p.owner=?#{authentication.name}
          """)
List<Product> findProductByNameContains(String text);
```

# Example

system:
- client: mobile, web frontend; mocking with cURL
- authentication server: username/password, OTP SMS
	- port: 8080
	- `/user/add`
	- `/user/auth`
	- `/opt/check`
- business logic server
	- port: 9090
JWT(JSON Web Token)

# OAuth 2
- [Spring Security OAuth2.ipynb](./Spring%20Security%20OAuth2.ipynb)

# Reactive Apps

# Testing

# Book: Spring Security in Action, 1st edition

vulnerabilities:
- Broken authentication
- Session fixation
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Injections
- Sensitive data exposure
- Lack of method access control
- Using dependencies with known vulnerabilities

Security applied in architectures:
- one-piece web app
- frontend-backend seperation: HTTP Basic authentication
- OAuth 2: authorization
- backend-backend communication: API key, cryptographic signature, IP validation



| #   | Title                                                        | Progress | Description |
| :-- | :----------------------------------------------------------- | :------- | :---------- |
| 1   | [[#5.1 Security today]]                                      | 100%     | 2024-03-29  |
| 2   | [[#5.2 Hello Spring Security]]                               | 100%     | 2024-03-29  |
| 3   | [[#5.3 Managing users]]                                      | 100%     | 2024-03-29  |
| 4   | [[#5.4 Dealing with passwords]]                              | 100%     | 2024-03-29  |
| 5   | [[#5.5 Implementing authentication]]                         | 100%     | 2024-03-29  |
| 6   | [[#5.6 Hands-on A small secured web application]]            | 100%     | 2024-03-29  |
| 7   | [[#5.7 Configuring authorization Restricting access]]        | 100%     | 2024-03-29  |
| 8   | [[#5.8 Configuring authorization Applying restrictions]]     | 100%     | 2024-03-29  |
| 9   | [[#5.9 Implementing filters]]                                | 100%     | 2024-03-29  |
| 10  | [[#5.10 Applying CSRF protection and CORS]]                  | 100%     | 2024-03-29  |
| 11  | [[#5.11 Hands-on A separation of responsibilities]]          | 100%     | 2024-03-29  |
| 12  | [[#5.12 How does OAuth 2 work?]]                             | 100%     | 2024-03-29  |
| 13  | [[#5.13 OAuth 2 Implementing the authorization server]]      | 100%     | 2024-03-29  |
| 14  | [[#5.14 OAuth 2 Implementing the resource server]]           | 100%     | 2024-03-29  |
| 15  | [[#5.15 OAuth 2 Using JWT and cryptographic signatures]]     | 100%     | 2024-03-29  |
| 16  | [[#5.16 Global method security Pre- and postauthorizations]] | 100%     | 2024-03-29  |
| 17  | [[#5.17 Global method security Pre- and postfiltering]]      | 100%     | 2024-03-29  |
| 18  | [[#5.18 Hands-on An OAuth 2 application]]                    | 100%     | 2024-03-29  |
| 19  | [[#5.19 Spring Security for reactive apps]]                  | 100%     | 2024-03-29  |
| 20  | [[#5.20 Spring Security testing]]                            | 100%     | 2024-03-29  |


- [[#5.1 Security today]]
	- book: Prabath Siriwardena, Nuwan Dias. **Microservices Security in Action**. Manning: 2019. 
	- book: Craig Walls. **Spring in Action, 6th Edition**. Manning: 2020. [[Spring in Action, 5th Edition, 2019.pdf]]
	- book: David Wong. **Real-World Cryptography**. Manning: 2020. [[Real-World Cryptography, 2021.pdf]]

- [[#5.2 Hello Spring Security]]
- `org.springframework.boot:spring-boot-starter-parent`: `2.3.0.RELEASE`

- [[#5.5 Implementing *authentication*]]
	- RFC 2617 [HTTP Authentication: Basic and Digest Access Authentication](https://datatracker.ietf.org/doc/html/rfc2617) 

- [[#5.6 **Hands-on** A small secured web application]]
- version the SQL scripts: [Flyway](https://flywaydb.org/), [Liquibase](https://www.liquibase.com/community)
- [Thymeleaf](https://www.thymeleaf.org/): a modern server-side Java template engine for both web and standalone environments.

- [[#5.11 **Hands-on** A separation of responsibilities]]
	- book: **API Security in Action** by Neil Madden (Manning, 2020)
	- book: **Microservices Security in Action** by Prabath Siriwardena and Nuwan Dias (Manning, 2020)
	- [Java JSON Web Token (JJWT)](https://github.com/jwtk/jjwt) `io.jsonwebtoken`: `jjwt-api`, `jjwt-impl`, `jjwt-jackson`, `0.11.1`
	- book: **Spring in Action, 6th ed**., by Craig Walls
	- book: **Real-World Cryptography** by David Wong (Manning, 2020)

- [[#5.13 OAuth 2 Implementing the authorization server]]
	- `org.springframework.cloud:spring-cloud-dependencies`: `Hoxton.SR1` 

- [[#5.14 OAuth 2 Implementing the resource server]]
	- `org.springframework.security:spring-security-oauth2-resource-server`: `5.2.1.RELEASE`
	- `com.nimbusds:oauth2-oidc-sdk`: `8.4`

- [[#5.18 **Hands-on** An OAuth 2 application]]
	- Keycloak
	- book: Ken Finnigan. **Enterprise Java Microservices**. Manning: 2018. [[Enterprise Java Microservices, 2018.pdf]]

- [[#5.20 Spring Security *testing*]]
	- book: Cătălin Tudose et al. **JUnit in Action, 3rd ed**. Manning: 2020.
	- book: Vladimir Khorikov. **Unit Testing Principles, Practices, and Patterns**. Manning: 2020.
	- book: Alex Soto Bueno et al. **Testing Java Microservices**. Manning: 2018. [[Testing Java Microservices, 2018.pdf]]


- Appendix
	- book: Craig Walls. **Spring Boot in Action**. Manning: 2015.


# More

- alternative: [Apache Shiro](https://shiro.apache.org/)
> Apache Shiro™ is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

- [The Open Worldwide Application Security Project (OWASP)](https://owasp.org/about/)
	- [projects](https://owasp.org/projects/)
	- [Attacks](https://owasp.org/www-community/attacks/)
	- [OWASP Top Ten](https://owasp.org/www-project-top-ten/) - 2021
		- A01 Broken Access Control
		- A02 Cryptographic Failures
		- A03 Injection
		- A04 Insecure Design
		- A05 Security Misconfiguration
		- A06 Vulnerable and Outdated Components
		- A07 Identification and Authentication Failures
		- A08 Software and Data Integrity Failures
		- A09 Security Logging and Monitoring Failures
		- A10 Server Side Request Forgery (SSRF)
	- [OWASP Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)

- [Common Weakness Enumeration (CWE™)](https://cwe.mitre.org/data/index.html)
- [Common Vulnerabilities and Exposures(CVE®)](https://www.cve.org/)
	- [CVE List Downloads](https://www.cve.org/Downloads)