Tuesday, April 2, 2019

SPRING SECURITY


<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.4.3.RELEASE</version>
</parent>

<!-- Add typical dependencies for a web application -->
<!-- Adds Tomcat and Spring MVC, among others; jackson-databind is included transitively -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>


import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;





Spring Boot OAuth2 Part 1 - Getting The Authorization Code


https://www.javainuse.com/spring/spring-security-interview-questions
https://www.javainuse.com/spring/spring-boot-oauth-introduction
https://www.javainuse.com/spring/spring-boot-oauth-authorization-code
https://www.javainuse.com/spring/spring-boot-oauth-access-token


Spring security FLOW:

https://dzone.com/articles/spring-security-authentication

https://www.dineshonjava.com/spring-security-java-based-configuration-with-example/

Multiple Authentication Providers in Spring Security

2. The Authentication Provider

https://www.logicbig.com/tutorials/spring-framework/spring-security/custom-authentication-provider.html

https://www.baeldung.com/spring-security-authentication-provider


Spring 4 Security Features

Spring 3.x Security Framework provides the following features:
  1. Authentication and Authorization.
  2. Supports BASIC, Digest and Form-Based Authentication.
  3. Supports LDAP Authentication.
  4. Supports OpenID Authentication.
  5. Supports SSO (Single Sign-On) Implementation.
  6. Supports Cross-Site Request Forgery (CSRF) protection.
  7. Supports the "Remember-Me" feature through HTTP Cookies.
  8. Supports Implementation of ACLs.
  9. Supports "Channel Security", that is, automatically switching between HTTP and HTTPS.
  10. Supports I18N (Internationalisation).
  11. Supports JAAS (Java Authentication and Authorization Service).
  12. Supports Flow Authorization using the Spring WebFlow Framework.
  13. Supports WS-Security using Spring Web Services.
  14. Supports both XML Configuration and Annotations, with very little or minimal XML configuration.
Spring 4.x Security Framework supports the following New Features:
  1. Supports WebSocket Security.
  2. Supports Spring Data Integration.
  3. CSRF Token Argument Resolver.
We will develop some simple examples to demonstrate these features in my coming posts.


WHAT IS SPRING SECURITY?

  1. MULTI-FACTOR AUTHENTICATION
  2. LOGIN
  3. AUTHORIZATION
  4. FILTERS
  5. SECURITY SECRETS


Spring Security starts with DelegatingFilterProxy, which
  1. manages filters
  2. is declared in web.xml
--> In Spring Boot, most of the configuration is auto-configured, so we do not have to worry about it. Therefore DelegatingFilterProxy will also be declared and configured automatically. If you look at the SecurityFilterAutoConfiguration class, you will find a method that registers the filter named springSecurityFilterChain.
Spring makes use of the DelegatingFilterProxy for implementing security mechanisms. It is a proxy for a standard Servlet Filter, delegating to a Spring-managed bean that implements the Filter interface. It is the starting point of the springSecurityFilterChain, which instantiates the Spring Security filters according to the Spring configuration.
Some of the features of Spring Security are

  • Comprehensive and extensible support for both Authentication and Authorization
  • Protection against attacks like session fixation, clickjacking, cross-site request forgery, etc.
  • Servlet API integration
  • Optional integration with Spring Web MVC

The SecurityFilterChain interface has two methods
  • matches(): checks whether the request applies to this filter chain

  • getFilters(): returns all filters available in the chain



The SecurityContext interface has two methods
  • getAuthentication()
  • setAuthentication(Authentication authentication)

AuthenticationManager has a method

Authentication authenticate(Authentication authentication) throws AuthenticationException
supports()



The Authentication interface extends Principal and has the methods

  • isAuthenticated()
  • Object getPrincipal()
  • Object getCredentials()
  • getAuthorities()

UserDetailsService
loadUserByUsername()
https://stackoverflow.com/questions/3785706/whats-the-difference-between-secured-and-preauthorize-in-spring-security-3?rq=1


Spring Security Custom Authentication - AuthenticationProvider vs UserDetailsService



https://stackoverflow.com/questions/31630818/spring-security-custom-authentication-authenticationprovider-vs-userdetailsser?rq=1


import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Class name is illustrative; the original snippet showed only the configure() method.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // only acceptable for a stateless token (JWT) API, never for cookie-session apps
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/register/*").permitAll()
            .antMatchers(HttpMethod.POST, "/login/manager").permitAll()
            .antMatchers("/hello").hasAuthority("AUTH_WRITE")
            .antMatchers("/world").hasRole("ADMIN") // hasRole("ADMIN") matches the authority ROLE_ADMIN
            .anyRequest().authenticated()
            .and()
            // JWTLoginFilter and JWTAuthenticationFilter are the application's own filters (not shown here)
            .addFilterBefore(new JWTLoginFilter("/manager/login", authenticationManager()),
                    UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(new JWTAuthenticationFilter(),
                    UsernamePasswordAuthenticationFilter.class);
    }
}


How to get the AuthenticationManager when using the AuthenticationManagerBuilder to add custom provider?


https://stackoverflow.com/questions/49410977/how-to-get-the-authenticationmanager-when-using-the-authenticationmanagerbuilder?rq=1
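The custom AuthenticationProvider discussed above (authenticate() plus supports()), registered through AuthenticationManagerBuilder and exposed as an AuthenticationManager bean by overriding authenticationManagerBean(), as an added example that is not code from the original page or from the linked posts. ManagerAuthenticationProvider, ManagerSecurityConfig and the in-memory "manager" account are hypothetical names and constructed sample data.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical provider: authenticates one constructed in-memory "manager" account.
class ManagerAuthenticationProvider implements AuthenticationProvider {
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();
    private final String storedHash = encoder.encode("demo-password"); // constructed sample hash
    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        if (!"manager".equals(auth.getName())) {
            return null; // not ours: returning null lets the next provider in the chain try
        }
        String raw = auth.getCredentials() == null ? "" : auth.getCredentials().toString();
        if (!encoder.matches(raw, storedHash)) {
            throw new BadCredentialsException("Bad credentials"); // generic message: no user enumeration
        }
        // Authenticated token: credentials dropped, authorities drive hasRole()/hasAuthority() checks
        return new UsernamePasswordAuthenticationToken(auth.getName(), null,
                AuthorityUtils.createAuthorityList("ROLE_ADMIN", "AUTH_WRITE"));
    }
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

@EnableWebSecurity
public class ManagerSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(new ManagerAuthenticationProvider());
    }
    // Exposes the built AuthenticationManager as a bean so custom filters (e.g. a JWT login filter) can inject it
    @Bean @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}
```

Note that supports() belongs to AuthenticationProvider; the ProviderManager implementation of AuthenticationManager calls it to decide which providers get a given Authentication type.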





TYPES OF SECURITY

Declarative Security - Declarative security specifies an application's security requirements by using either deployment descriptors or annotations.
e.g


Programmatic Security - Programmatic security implements an application's security within the application code.
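The declarative/programmatic distinction in Spring Security terms, as an added example not taken from the original page: one endpoint protected by a @PreAuthorize annotation, the other enforcing the same rule in code against the SecurityContext. ReportController and MethodSecurityConfig are hypothetical names; the paths are constructed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Required once per application so that @PreAuthorize expressions are evaluated (hypothetical class).
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

// Hypothetical controller contrasting the two styles on the same rule: caller must hold ROLE_ADMIN.
@RestController
public class ReportController {

    // Declarative: the requirement lives in metadata; Spring's method-security interceptor
    // rejects callers without ROLE_ADMIN before the body runs.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/reports/admin")
    public String adminReport() {
        return "admin report";
    }

    // Programmatic: the same requirement enforced inside the method against the SecurityContext.
    @GetMapping("/reports/manual")
    public String manualReport() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean isAdmin = auth != null && auth.isAuthenticated() && auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        if (!isAdmin) {
            // ExceptionTranslationFilter turns this into a 403 for authenticated users
            throw new AccessDeniedException("ROLE_ADMIN required");
        }
        return "admin report";
    }
}
```

The programmatic form is easy to forget on a new endpoint, which is why the declarative form (plus anyRequest().authenticated() in the HttpSecurity config) is the safer default.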

KEY CHARACTERISTICS

Following are the key characteristics of application security.

Authentication - Authentication is the means by which a user or client proves to a server that it is authorized to access a specific resource, and vice versa.
Authorization - Authorization is the means by which a server determines whether a user has permission to access a specific resource or data.
Data Integrity - Data integrity means that the data exchanged by a client and server is not modified by an unauthorized third party.
Confidentiality or Data Privacy - This ensures that information is sent only to those users or clients that are authorized to access the data.
Non-repudiation - This means that you can prove that a transaction or action has occurred, so a user who has performed a certain action cannot deny doing so.

SECURITY MECHANISM

Application-Layer Security - In Java EE applications, application-layer security is provided by the component containers.
Transport-Layer Security - Transport-layer security is provided by the transport mechanism used to transmit data between the client and server. Java EE applications rely on the secure HTTPS protocol using Secure Sockets Layer (SSL).
Message-Layer Security - Message-layer security secures the SOAP messages that are exchanged between client and server using XML web services.


Realms, Users, Groups and Roles

Realms [a field or domain of activity or interest] - Realms are security domains or protection spaces set up for web or application servers. Each realm has its own authentication scheme and contains a collection of Users and Groups.

Users - Users are individual or application entities, defined in an identity store, that access the application resources.

Groups - Groups are abstract entities defined in Java EE that contain a set of users having common traits.

Roles - Roles are abstract entities defined in Java EE that have permissions to access a set of secured resources in an application. Users or Groups are mapped to Roles.


AUTHENTICATION MECHANISM

1. BASIC AUTHENTICATION
2. FORM-BASED AUTHENTICATION
3. DIGEST AUTHENTICATION
4. CLIENT-CERT
5. KERBEROS
6. OAUTH 2