Spring Security
Registration, Login, Thymeleaf
SoftUni Team
Technical Trainers
Software University
http://softuni.bg
Table of Contents
1. Spring Security
   1. Configuration
   2. Registration
   3. Login
   4. Remember Me
   5. CSRF
2. Thymeleaf Security
What is Spring Security
Spring Security
A framework that focuses on providing both authentication and authorization for Spring applications
Authentication - verifying who the caller is (e.g. checking a username and password)
Authorization - deciding what an authenticated caller is allowed to do (e.g. checking roles)
Spring Security Mechanism
(Diagram: request flow through Spring Security, reconstructed from the slide labels)
1. The web client sends a request (e.g. GET with username and password). Spring Security intercepts the request before it reaches the application.
2. The Authentication Manager validates the username and password against the user store (the database). If the credentials are not valid, the request stops here.
3. For valid credentials, the Access Decision Manager validates the roles of the authenticated user against the rules for the secured resource and only then grants access to it.
Spring Security Maven
pom.xml
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Spring Security Configuration (1)
Extend WebSecurityConfigurerAdapter and enable web security with @EnableWebSecurity
SecurityConfiguration.java
@Configuration
@EnableWebSecurity   // enable security
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    // Configuration goes here
}
Note: WebSecurityConfigurerAdapter was deprecated in Spring Security 5.7 and removed in 6.0, where the same rules are declared in a SecurityFilterChain @Bean that takes HttpSecurity. The slides target the 5.x API.
Spring Security Configuration (2)
Override configure(HttpSecurity http) to declare which routes are public and which require authentication
SecurityConfiguration.java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // authorize requests: permitted routes first, then everything else requires authentication
        .authorizeRequests()
            .antMatchers("/", "/register").permitAll()
            .anyRequest().authenticated();
}
Rules are evaluated in order, so keep .anyRequest() last. permitAll() only affects authorization: a permitted route still passes through the other filters (e.g. CSRF).
Registration - User
We need to implement the UserDetails interface, which is how Spring Security reads the stored credentials and account state
User.java
@Entity
public class User implements UserDetails {
    @Id
    private String username;
    private String password;   // holds the BCrypt hash, never the plain-text password
    private boolean accountNonExpired = true;
    private boolean accountNonLocked = true;
    private boolean credentialsNonExpired = true;
    private boolean enabled = true;
    @ManyToMany(fetch = FetchType.EAGER)
    private Set<Role> authorities;

    // UserDetails accessors: any flag returning false makes login fail even with a correct password
    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    @Override public String getPassword() { return password; }
    @Override public String getUsername() { return username; }
    @Override public boolean isAccountNonExpired() { return accountNonExpired; }
    @Override public boolean isAccountNonLocked() { return accountNonLocked; }
    @Override public boolean isCredentialsNonExpired() { return credentialsNonExpired; }
    @Override public boolean isEnabled() { return enabled; }
}
Registration - Roles
We need to implement the GrantedAuthority interface
Role.java
@Entity
public class Role implements GrantedAuthority {
    @Id
    private String authority;   // e.g. "ROLE_ADMIN": hasRole('ADMIN') expects the ROLE_ prefix

    @Override
    public String getAuthority() { return authority; }
}
Registration - UserService
We need to implement the UserDetailsService interface and hash the password with BCrypt before storing it
UserServiceImpl.java
@Service
public class UserServiceImpl implements UserDetailsService {
    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    // Hash the password: BCrypt is a salted, one-way hash (not encryption), so only the
    // hash is persisted and a leaked database does not reveal the passwords
    @Override
    public void register(RegisterModel registerModel) {
        String passwordHash = bCryptPasswordEncoder.encode(registerModel.getPassword());
        // ... persist a new User with the username and passwordHash
    }
}
The BCryptPasswordEncoder must be declared as a @Bean (e.g. in SecurityConfiguration) so it can be injected here and reused by the login check.
Registration - Configuration
The slides disable CSRF protection temporarily so the plain registration form posts without a token
SecurityConfiguration.java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // ... authorizeRequests() rules from the previous slide ...
        .and()
        .csrf().disable();   // disable CSRF: development only
}
Caveat: with CSRF disabled, any state-changing request (registration, logout, profile changes) can be triggered by a third-party page using the victim's session cookie. The proper fix is to send the token with the form (see the CSRF section), not to switch the check off; re-enable it before the application leaves development.
Login Mechanism
(Diagram: session-based login, reconstructed from the slide labels)
1. The web client sends GET localhost:8080 with its credentials; on success the server creates a session and returns a session cookie (JSESSIONID).
2. On later requests to localhost:8080 the client presents the session cookie and the server validates the session instead of re-checking the password.
Login - Configuration
SecurityConfiguration.java
        .and()
        .formLogin().loginPage("/login").permitAll()
            .usernameParameter("username")
            .passwordParameter("password")
login.html
<form th:action="@{/login}" method="post">
    <input type="text" name="username"/>
    <input type="password" name="password"/>
</form>
The parameter names must match the input names. Use type="password" for the password field (the original slide had type="text", which shows the password on screen and lets browsers store it as plain text). With th:action Thymeleaf also adds the CSRF token to the form automatically.
Login - UserService
loadUserByUsername is what Spring Security calls during form login to fetch the stored user (including the password hash) for the submitted username
UserServiceImpl.java
@Service
public class UserServiceImpl implements UserDetailsService {
    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;
    @Autowired
    private UserRepository userRepository;   // assumed Spring Data repository with Optional<User> findByUsername(String); not shown on the slides

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Throwing UsernameNotFoundException makes Spring Security report a generic bad-credentials failure
        return userRepository.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("User not found: " + username));
    }
}
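The two UserServiceImpl fragments above (registration hashing the password, login loading the stored user) combined into one complete service. This is an added example, not code from the slides or from SoftUni; it assumes Spring Data JPA repositories for the slides' User and Role entities (declared below as assumptions), a RegisterModel with getUsername()/getPassword(), a User(username, passwordHash, authorities) constructor, and a PasswordEncoder bean. The package name is hypothetical.

```java
package bg.softuni.security; // hypothetical package, not from the slides

import java.util.Optional;
import java.util.Set;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// Assumed Spring Data repositories for the User and Role entities from the slides
// (User keyed by username, Role keyed by its authority name).
interface UserRepository extends JpaRepository<User, String> {
    Optional<User> findByUsername(String username);
}

interface RoleRepository extends JpaRepository<Role, String> {
    Optional<Role> findByAuthority(String authority);
}

@Service
public class UserServiceImpl implements UserDetailsService {

    // hasRole('USER') in a security expression matches this authority name (ROLE_ prefix)
    private static final String DEFAULT_ROLE = "ROLE_USER";

    private final UserRepository userRepository;
    private final RoleRepository roleRepository;
    private final PasswordEncoder passwordEncoder; // the BCryptPasswordEncoder bean

    // Constructor injection: dependencies are final and the class is testable without Spring
    public UserServiceImpl(UserRepository userRepository, RoleRepository roleRepository,
                           PasswordEncoder passwordEncoder) {
        this.userRepository = userRepository;
        this.roleRepository = roleRepository;
        this.passwordEncoder = passwordEncoder;
    }

    // Registration: validate, hash, persist. RegisterModel and the User constructor are assumed.
    @Transactional
    public void register(RegisterModel registerModel) {
        String username = registerModel.getUsername().trim();
        String rawPassword = registerModel.getPassword();
        if (username.isEmpty() || rawPassword == null || rawPassword.length() < 8) {
            throw new IllegalArgumentException("Username required and password must be at least 8 characters");
        }
        if (userRepository.findByUsername(username).isPresent()) {
            throw new IllegalArgumentException("Username already taken");
        }
        // BCrypt is a salted one-way hash: encode() yields a different string for the same input
        // on every call, and only matches() can verify a candidate password against it.
        String passwordHash = passwordEncoder.encode(rawPassword);
        Role userRole = roleRepository.findByAuthority(DEFAULT_ROLE)
                .orElseThrow(() -> new IllegalStateException(DEFAULT_ROLE + " is not seeded"));
        userRepository.save(new User(username, passwordHash, Set.of(userRole)));
    }

    // Login: Spring Security calls this with the submitted username, then compares the submitted
    // password against getPassword() using the same PasswordEncoder.
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Unknown user and wrong password both surface as a generic bad-credentials failure
        // (DaoAuthenticationProvider hides UsernameNotFoundException by default), so the login
        // form does not reveal which usernames exist.
        return userRepository.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("No user named " + username));
    }
}
```

The service never compares passwords itself: DaoAuthenticationProvider does that with the PasswordEncoder it is configured with, so the encoder used here for registration and the one wired into the AuthenticationManager must be the same bean.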
Login - Controller
LoginController.java
@Controller
public class LoginController {
    @GetMapping("/login")
    public String getLoginPage(@RequestParam(required = false) String error, Model model) {
        // Error handling: Spring Security redirects to /login?error after a failed login
        if (error != null) {
            model.addAttribute("error", "Invalid username or password");
        }
        return "login";
    }
}
Keep the message generic: one message for both a wrong password and an unknown username prevents the login page from revealing which usernames exist.
Logout
SecurityConfiguration.java
        .and()
        .logout().logoutSuccessUrl("/login?logout").permitAll()
No controller is required: Spring Security handles /logout itself. With CSRF protection enabled, logout only accepts a POST that carries the CSRF token (a plain GET link does not work), which stops a third-party page from logging the user out.
Remember Me
SecurityConfiguration.java
        .and()
        .rememberMe()
            .rememberMeParameter("remember")
            .key("remember Me Encryption Key")
            .rememberMeCookieName("rememberMeCookieName")
            .tokenValiditySeconds(10000)
login.html
<input name="remember" type="checkbox" />
The key is not an encryption key. Spring's default (hash-based) remember-me cookie contains the username, an expiry time and a hash over those values, the stored password hash and this key; so the key must be a long random secret kept out of source control, and changing either the password or the key invalidates outstanding cookies. tokenValiditySeconds(10000) keeps the user logged in for under three hours; for longer lifetimes prefer tokenRepository(...) with a PersistentTokenRepository, whose per-login tokens can be revoked server-side.
Principal
This is the currently logged-in user
UserController.java
@GetMapping("/user")
public String getUser(Principal principal) {
    // Print the logged-in username
    System.out.println(principal.getName());
    return "user";
}
Pre/Post Authorize
Grant access to specific methods
SecurityConfiguration.java
@EnableGlobalMethodSecurity(prePostEnabled = true)   // enables @PreAuthorize / @PostAuthorize
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
}
UserService.java
public interface UserService extends UserDetailsService {
    @PreAuthorize("hasRole('ADMIN')")   // requires the ADMIN role to execute
    void delete();
}
hasRole('ADMIN') matches a granted authority named ROLE_ADMIN (the prefix is added automatically), so store roles with that prefix or use hasAuthority('ADMIN') to match the literal name. The check is enforced by the Spring proxy, so it applies to calls from outside the bean, not to one method of the class calling another. @EnableGlobalMethodSecurity is deprecated from Spring Security 5.6 in favour of @EnableMethodSecurity.
No Access Handling
SecurityConfiguration.java
        .and()
        .exceptionHandling().accessDeniedPage("/unauthorized")
AccessController.java
@GetMapping("/unauthorized")
@ResponseBody
public String unauthorized() {
    return "no access";
}
accessDeniedPage applies to authenticated users who lack the required role: the response is HTTP 403, forwarded to the page. An unauthenticated request is redirected to the login page instead. The same handler is used when a request fails the CSRF check.
CSRF
Spring CSRF Protection
SecurityConfiguration.java
        .and()
        .csrf()
            .csrfTokenRepository(csrfTokenRepository())

private CsrfTokenRepository csrfTokenRepository() {
    HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
    repository.setSessionAttributeName("_csrf");
    return repository;
}
form.html
<form th:action="@{/register}" method="post">
    <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
</form>
CSRF protection is on by default in Spring Security; this configuration only changes where the token is stored. setSessionAttributeName changes the key under which the token sits in the HTTP session; the ${_csrf} request attribute used in the template is exposed by the CSRF filter regardless of that name. Every state-changing request (POST/PUT/DELETE) must carry the token or the filter rejects it with 403. With th:action Thymeleaf adds the hidden field for you; a JavaScript client sends the token in the X-CSRF-TOKEN header.
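The SecurityConfiguration that the preceding slides assemble piece by piece (authorization rules, form login, logout, remember-me, access-denied page, CSRF token repository), written out as one class together with the beans UserServiceImpl needs. This is an added example, not the slides' or SoftUni's code; it targets Spring Security 5.x / Spring Boot 2.x (what WebSecurityConfigurerAdapter implies). Assumptions beyond the slides: the remember-me key comes from a configuration property named app.remember-me.key, an /admin/** area restricted to ROLE_ADMIN, static assets under /css and /js, and a hypothetical package name.

```java
package bg.softuni.security; // hypothetical package, not from the slides

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

// The encoder lives in its own configuration class: UserServiceImpl needs it and
// SecurityConfiguration needs UserServiceImpl, so declaring it below would create a
// bean cycle that Spring Boot 2.6+ rejects by default.
@Configuration
class PasswordEncoderConfig {
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12); // work factor 12; raise it as hardware gets faster
    }
}

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize on service methods
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    private final UserDetailsService userDetailsService;
    private final PasswordEncoder passwordEncoder;
    private final String rememberMeKey;

    public SecurityConfiguration(UserDetailsService userDetailsService,
                                 PasswordEncoder passwordEncoder,
                                 @Value("${app.remember-me.key}") String rememberMeKey) { // assumed property
        this.userDetailsService = userDetailsService;
        this.passwordEncoder = passwordEncoder;
        this.rememberMeKey = rememberMeKey;
    }

    // Login compares the submitted password with the stored BCrypt hash using the same encoder
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/register", "/css/**", "/js/**").permitAll() // public routes and assets
                .antMatchers("/admin/**").hasRole("ADMIN")   // assumed admin area; matches ROLE_ADMIN
                .anyRequest().authenticated()                // everything else needs a login; keep last
            .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
            .and()
            .logout()
                .logoutSuccessUrl("/login?logout").permitAll()
                .deleteCookies("JSESSIONID", "rememberMeCookieName") // clear session and remember-me cookies
            .and()
            .rememberMe()
                .rememberMeParameter("remember")
                .key(rememberMeKey)                          // secret from configuration, not a literal
                .rememberMeCookieName("rememberMeCookieName")
                .tokenValiditySeconds(10000)
                .userDetailsService(userDetailsService)
            .and()
            .exceptionHandling()
                .accessDeniedPage("/unauthorized")           // 403 for logged-in users lacking a role
            .and()
            .csrf()
                .csrfTokenRepository(csrfTokenRepository()); // CSRF stays enabled; only storage changes
    }

    // Token kept in the HTTP session; the CSRF filter exposes it to templates as ${_csrf}
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setSessionAttributeName("_csrf");
        return repository;
    }
}
```

The ordering of the chain matters only inside authorizeRequests(); the .and() sections can appear in any order. Note that csrf() is never disabled here: the registration form works because the template sends the token, which is the intended end state of the "temporarily disable CSRF" slide.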
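A slice test that checks the rules the slides configure actually hold at the HTTP layer, added here as an example (not from the slides or SoftUni). It uses spring-security-test and spring-boot-starter-test, and assumes the SecurityConfiguration and AccessController classes from the slides, plus a PasswordEncoder bean and a UserDetailsService (both mocked, since no real login is performed). Package name is hypothetical.

```java
package bg.softuni.security; // hypothetical package, not from the slides

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// @WebMvcTest loads only the MVC layer; the slides' SecurityConfiguration is imported so the
// real filter chain (login redirect, CSRF filter, logout) is under test.
@WebMvcTest(controllers = AccessController.class)
@Import(SecurityConfiguration.class)
class SecurityConfigurationTest {

    @Autowired
    private MockMvc mockMvc;

    @MockBean
    private UserDetailsService userDetailsService; // SecurityConfiguration's dependency; never invoked here

    @MockBean
    private PasswordEncoder passwordEncoder;

    @Test
    void anonymousRequestToSecuredUrlIsRedirectedToLogin() throws Exception {
        // /user is behind anyRequest().authenticated(): expect a 302 to the configured login page
        mockMvc.perform(get("/user"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrlPattern("**/login"));
    }

    @Test
    @WithMockUser(username = "alice", roles = "USER")
    void postWithoutCsrfTokenIsRejected() throws Exception {
        // A logged-in session is not enough: a POST lacking the token is refused by CsrfFilter
        mockMvc.perform(post("/logout"))
               .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(username = "alice", roles = "USER")
    void postWithCsrfTokenLogsOut() throws Exception {
        // csrf() adds a valid token, so LogoutFilter handles the request and redirects
        mockMvc.perform(post("/logout").with(csrf()))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrl("/login?logout"));
    }
}
```

If the second test passes with a 302 instead of a 403, CSRF protection has been left disabled from the registration slide; that is the regression this test is meant to catch.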
What is Thymeleaf Security
Thymeleaf Security
Functionality to display data based on authentication rules
pom.xml
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>
The artifact must match the Spring Security major version in use (thymeleaf-extras-springsecurity5 for Spring Security 5, springsecurity6 for 6). Hiding markup is not access control: the server-side rules (authorizeRequests, @PreAuthorize) must still protect the underlying URLs and methods.
Principal
user.html (Thymeleaf template)
<!DOCTYPE html>
<html lang="en"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<body>
<!-- Show the username: the "name" property of the Authentication object -->
<div sec:authentication="name">
    The value of the "name" property of the authentication object should appear here.
</div>
</body>
</html>
Roles
user.html (Thymeleaf template)
<!DOCTYPE html>
<html lang="en"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<body>
<!-- Show only if the current user has the ADMIN role (authority ROLE_ADMIN) -->
<div sec:authorize="hasRole('ADMIN')">
    This content is only shown to administrators.
</div>
</body>
</html>
Summary
Spring Security - framework that focuses on providing both authentication and authorization
Thymeleaf Security - functionality to display data based on authentication rules
Web Development Basics – Course Overview
https://softuni.bg/courses/
License
This course (slides, examples, demos, videos, homework, etc.)
is licensed under the "Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International" license
Free Trainings @ Software University
Software University Foundation – softuni.org
Software University – High-Quality Education,
Profession and Job for Software Developers
softuni.bg
Software University @ Facebook
facebook.com/SoftwareUniversity
Software University @ YouTube
youtube.com/SoftwareUniversity
Software University Forums – forum.softuni.bg