SOAP over HTTPS with client certificate authentication

The tutorial, SOAP over HTTPS with client certificate authentication, will show you how to use a client certificate for the TLS handshake with the server, together with basic authentication, when consuming the service. We have already seen how to authenticate by sending authentication information in HTTP headers in a SOAP web service, but here we will use a client certificate (JKS file) as the security mechanism. You can also combine header authentication with the client certificate for additional security.

I will show both the server-side code (the service) and the client-side code, so that the server requires the client to establish communication through certificate authentication. To consume the service you will be given a client certificate (the extension might be .crt, .der, .p12 or something else), the password for this certificate, and a username/password for basic authentication (in case header authentication is also required).


@PreAuthorize annotation – hasPermission example in Spring Security

In this tutorial I will show you the most useful annotation, @PreAuthorize, which decides whether a method can actually be invoked based on the user’s role and permission. The hasRole() method returns true if the current principal has the specified role, and the hasPermission() method returns true if the current user’s role has the specified permission, such as READ, WRITE, UPDATE or DELETE. By default, if the supplied role does not start with ROLE_, that prefix is added. This can be customized by modifying the defaultRolePrefix on DefaultWebSecurityExpressionHandler.

You can check my previous tutorial on hasRole: @PreAuthorize annotation – hasRole example in Spring Security.


@PreAuthorize annotation – hasRole example in Spring Security

In this tutorial I will show you the most useful annotation, @PreAuthorize, which decides whether a method can actually be invoked based on the user’s role. The hasRole() method returns true if the current principal has the specified role. By default, if the supplied role does not start with ROLE_, that prefix is added. This can be customized by modifying the defaultRolePrefix on DefaultWebSecurityExpressionHandler.

You can check my tutorial on hasPermission: @PreAuthorize annotation – hasPermission example in Spring Security.


Spring Security Pre-authentication Example

There are situations where you want to use Spring Security for authorization, but the user has already been reliably authenticated by some external system before accessing the application. This is where Spring Security pre-authentication comes into the picture; we refer to these situations as “pre-authenticated” scenarios. Examples include X.509, Siteminder and authentication by the J2EE container in which the application is running. When using Spring Security pre-authentication, Spring Security has to:

Identify the user making the request

Obtain the authorities for the user

The details depend on the external authentication mechanism. A user might be identified by their certificate information in the case of X.509, or by an HTTP request header in the case of Siteminder. If relying on container authentication, the user is identified by calling the getUserPrincipal() method on the incoming HTTP request. In some cases the external mechanism may supply role/authority information for the user, but in others the authorities must be obtained from a separate source, such as a UserDetailsService.

How Siteminder works

Scenario

This Siteminder tutorial will show you how Siteminder works. There may be situations where users who access a web service hosted on an Apache web server are authenticated by one mechanism, let’s say LDAP. If the same users want to access web services on an IIS web server, they have to be authenticated by another mechanism, let’s say a Windows domain controller. Since there is no way to pass authentication verification between these two systems, users must log in twice.


Spring Security Remember Me – Persistent Token Approach

This tutorial will show you how to remember a user’s login for a specific time period so that they are logged in automatically without entering any credentials into the login form.

Remember-me or persistent-login authentication refers to web sites being able to remember the identity of a principal between sessions. This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place. Spring Security provides the necessary hooks for these operations to take place, and has two concrete remember-me implementations. One uses hashing to preserve the security of cookie-based tokens and the other uses a database or other persistent storage mechanism to store the generated tokens.

In my previous tutorial, Spring Security Form Based Login – Remember Me, I showed the hash-based token approach, but this example uses database storage to store the generated tokens for the Remember Me login implementation.


Spring Security Form Based Login – Remember Me

This tutorial will show you how to remember a user’s login for a specific time period so that they are logged in automatically without entering any credentials into the login form.

Remember-me or persistent-login authentication refers to web sites being able to remember the identity of a principal between sessions. This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place. Spring Security provides the necessary hooks for these operations to take place, and has two concrete remember-me implementations. One uses hashing to preserve the security of cookie-based tokens and the other uses a database or other persistent storage mechanism to store the generated tokens.


Spring Security – JDBC Authentication using UserDetailsService

In my previous tutorials (Spring Security Form based Authentication – XML Configuration, Spring Security Form based Authentication – Annotations, and Spring Security – JDBC Authentication) I have shown in-memory and JDBC authentication, but in this tutorial I will show you how to authenticate users using a Spring JDBC UserDetailsService in a Spring MVC web application to secure pages. I will create a Spring MVC based web application and configure Spring Security to protect a page from outside access.

Spring Security allows you to integrate security features with a JEE web application easily: it handles all incoming HTTP requests via a servlet filter and implements user-defined security checks.

In this tutorial, I will show you how to integrate Spring Security 4.2.1 with a Spring MVC 4 web application to secure URL access.

Spring Security – JDBC Authentication

In my previous tutorials (Spring Security Form based Authentication – XML Configuration and Spring Security Form based Authentication – Annotations) I have shown in-memory authentication, but in this tutorial I will show you how to authenticate users using Spring JDBC in a Spring MVC web application to secure pages. I will create a Spring MVC based web application and configure Spring Security to protect a page from outside access.

Spring Security allows you to integrate security features with a JEE web application easily: it handles all incoming HTTP requests via a servlet filter and implements user-defined security checks.

In this tutorial, I will show you how to integrate Spring Security 4.2.1 with a Spring MVC 4 web application to secure URL access.

Spring Security Form based Authentication – Annotations

In my previous tutorial, Spring Security Form based Authentication – XML Configuration, I showed the XML way; in this tutorial I will show you the annotation-based way to configure Spring Security with a Spring MVC web application to secure pages. I will create a Spring MVC based web application and configure Spring Security to protect a page from outside access.

Spring Security allows you to integrate security features with a JEE web application easily: it handles all incoming HTTP requests via a servlet filter and implements user-defined security checks.

In this tutorial, I will show you how to integrate Spring Security 4.2.1 with a Spring MVC 4 web application to secure URL access.