devkuma – Spring Security

Spring Security | What Is Spring Security?

kc@example.com (kc kim) — Wed, 04 Oct 2017 22:41:52 +0900

Spring Security is a Spring project that adds security features to web applications.

It provides protection against various well-known attacks, including CSRF and session fixation attacks.

Spring Security | What Is Spring Security? | Authentication and Authorization

kc@example.com (kc kim) — Wed, 04 Oct 2017 22:41:52 +0900

What Is Authentication?

Authentication is the process of verifying the identity claimed by a person. It confirms that a client is the user they claim to be.

Types of authentication include:

Credential-based authentication
- Most authentication methods used on the web are credential-based.
- Permission is granted after an authentication process, usually by checking whether an entered username and password match the stored credentials.
- In Spring Security, the identifier is generally called the principal and the password is called the credential.
Two-factor authentication
- This means authenticating through two methods.
- For example, online transactions in financial and banking web applications often require both a login and a security certificate.
- Adding one more authentication factor may seem simple, but it requires extensive programming changes.
Physical authentication
- Although this is outside the web domain, it is one of the most effective security measures.
- Examples include fingerprint recognition when turning on a computer or inserting a physical key.

What Is Authorization?

Authorization is the process of allowing access to a desired location or information.
It verifies that the action requested by a client is permitted for that client.

Authorization can be divided into two major types:

Granted authority
- After a user is properly authenticated, authorities should be granted.
- If persistent authorities are granted through registration or another process, they must be stored somewhere.
- If a user can log in but cannot access the main page, there is an authorization problem.
Resource interception
- User authorities alone do not provide proper security. Security must prevent users without permission from accessing resources in the first place.
- Intercepting external requests so that only users with suitable authorities can access a resource is a core principle of web security and authorization.

Difference Between Authentication and Authorization

Authentication and authorization can sometimes be difficult to distinguish.
It is easier to understand if you think of authorization as granting specific permissions to an authenticated user after authentication.
For example, an ACL (Access Control List) can restrict accessible areas after authentication based on the user’s access level.

Adding Authentication to a WebMVC MCP Server with Spring and Kotlin

kc@example.com (kc kim) — Sun, 09 Nov 2025 10:06:00 +0900

Getting Started

The previous example created a WebMVC MCP Server. This page adds authentication.

Spring AI supports OAuth2 and API key authentication through Spring Security.

As of 2025-11-10, MCP Security was still under development and not considered stable.

This example applies API key authentication.

Adding Authentication

Copy the previous WebMVC project and rename it.

% mv spring-ai-mcp-server-webmvc spring-ai-mcp-server-auth

Change the root project name.

rootProject.name = "spring-ai-mcp-server-auth"

Add Spring Security and MCP Server Security.

dependencies {
  implementation("org.springframework.ai:spring-ai-starter-mcp-server")
  implementation("org.springframework.ai:spring-ai-starter-mcp-server-webmvc")
  implementation("org.springframework.boot:spring-boot-starter-security")
  implementation("org.springaicommunity:mcp-server-security:0.0.3")
}

Change the log file and enable Spring Security TRACE logging.

spring:
  main:
    banner-mode: off
  ai:
    mcp:
      server:
        name: my-weather-server
        version: 0.0.1
        protocol: STATELESS

logging:
  file:
    name: ./log/spring-ai-starter-mcp-server-auth.log
  level:
    org.springframework.security: TRACE

Creating MCP Server Security Configuration

@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    fun securityFilterChain(http: HttpSecurity): SecurityFilterChain =
        http.authorizeHttpRequests { it.anyRequest().authenticated() }
            .with(mcpServerApiKey()) { apiKey ->
                apiKey.apiKeyRepository(apiKeyRepository())
            }.build()

    private fun apiKeyRepository(): ApiKeyEntityRepository<ApiKeyEntityImpl> {
        val apiKey = ApiKeyEntityImpl.builder()
            .name("test api key")
            .id("api01")
            .secret("mycustomapikey")
            .build()
        return InMemoryApiKeyEntityRepository(listOf(apiKey))
    }
}

The example stores ID api01 and secret mycustomapikey in memory. Use a database or external API in production.

Implementing a Test Client

Add the API key header to the existing client.

val request = HttpRequest.newBuilder()
    .header("Content-Type", "application/json")
    .header("X-API-key", "api01.mycustomapikey")

val transport = HttpClientStreamableHttpTransport.builder("http://localhost:8080")
    .requestBuilder(request)
    .build()

val client = McpClient.sync(transport).build()
client.initialize()
client.ping()
println("Available Tools = ${client.listTools()}")
println("get_weather Response = ${client.callTool(CallToolRequest("get_weather", mapOf("city" to "seoul")))}")
client.closeGracefully()

Running the client lists the available tools and returns a response from get_weather.

References

Spring Security | What Is Spring Security? | Hello World

kc@example.com (kc kim) — Wed, 04 Oct 2017 22:41:52 +0900

First, let’s create a simple example.

Create the file structure as shown below, and then create each file. You can use any tool that can create files.

File structure

.
├── build.gradle
└── src
    └── main
        └── webapp
            ├── WEB-INF
            │   ├── applicationContext.xml
            │   └── web.xml
            └── index.jsp

Dependencies in the Build Script

Create the build script file.

build.gradle

apply plugin: 'war'

sourceCompatibility = '1.8'
targetCompatibility = '1.8'
compileJava.options.encoding = 'UTF-8'

repositories {
    mavenCentral()
}

dependencies {
    providedCompile 'javax.servlet:javax.servlet-api:3.1.0'
    compile 'javax.servlet:jstl:1.2'
    compile 'org.springframework.security:spring-security-web:4.2.1.RELEASE'
    compile 'org.springframework.security:spring-security-config:4.2.1.RELEASE'
}

war.baseName = 'spring-security-sample'

In this minimal setup, spring-security-web and spring-security-config are added as dependencies.

    compile 'org.springframework.security:spring-security-web:4.2.1.RELEASE'
    compile 'org.springframework.security:spring-security-config:4.2.1.RELEASE'

spring-security-web

This module contains filters and web application related code. It is required when you need web authentication features and URL-based access control. The main package is org.springframework.security.web.

spring-security-config

This module contains code for parsing the namespace used when writing XML definitions and code for Java configuration. It is required when using XML-based configuration or Java configuration. The main package is org.springframework.security.config. Classes included here are not used directly in applications.

Initializing the Spring Container

Create the traditional Java web configuration file.

src/main/webapp/WEB-INF/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee 
         http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
</web-app>

Initialize the Spring container as follows.

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

By registering ContextLoaderListener as a listener, the Spring container, or ApplicationContext, is initialized.

If you do not explicitly specify which ApplicationContext class to use, XmlWebApplicationContext is used by default.

The following is defined in org/springframework/web/context/ContextLoader.properties inside spring-web-x.x.x.RELEASE.jar, and ContextLoaderListener is loaded when the servlet container is initialized.

# Default WebApplicationContext implementation class for ContextLoader.
# Used as fallback when no explicit context implementation has been specified as context-param.
# Not meant to be customized by application developers.

org.springframework.web.context.WebApplicationContext=org.springframework.web.context.support.XmlWebApplicationContext

By default, XmlWebApplicationContext reads WEB-INF/applicationContext.xml as the configuration file.

Applying Spring Security to the Application

Define DelegatingFilterProxy as a servlet filter in web.xml. At this time, define the <filter-name> as springSecurityFilterChain. When there is access to a URL defined in <filter-mapping>, Spring Security is applied.

DelegatingFilterProxy uses the name set in its own <filter-name> to obtain a bean that implements javax.servlet.Filter from the Spring container. It is a servlet filter that simply delegates processing to that bean.

Here, springSecurityFilterChain is specified in <filter-name>. This name matches the bean name of FilterChainProxy, which is automatically registered in the container when the <http> tag is used in applicationContext.xml later.

In other words, DelegatingFilterProxy acts as an intermediary between the servlet filter and Spring Security, or FilterChainProxy.

Spring Security Configuration

src/main/webapp/WEB-INF/applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

    <sec:http>
        <sec:intercept-url pattern="/login" access="permitAll" />
        <sec:intercept-url pattern="/**" access="isAuthenticated()" />
        <sec:form-login />
        <sec:logout />
    </sec:http>

    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:user-service>
                <sec:user name="devkuma" password="1234" authorities="ROLE_USER" />
            </sec:user-service>
        </sec:authentication-provider>
    </sec:authentication-manager>
</beans>

applicationContext.xml is a standard Spring configuration file for Spring bean definitions. It is not a special configuration file only for Spring Security.

Because http://www.springframework.org/schema/security is loaded through xmlns, Spring Security tags become available. For reference, using these Spring Security specific tags is called using a namespace. With these tags, Spring Security can be configured in this file.

The configuration above can be summarized as follows.

Anyone can access /login by using permitAll.
Access to all other paths, /**, must be authenticated by using isAuthenticated().
The login method is form login.
Logout is available. A user is defined with the name devkuma, password 1234, and the role ROLE_USER.

Next, each tag is described in a little more detail.

<http>

When the <http> tag is defined, several beans are automatically registered in the container. Among them, the following two types are important.

FilterChainProxy
SecurityFilterChain

FilterChainProxy is registered in the container with the bean name springSecurityFilterChain. This class becomes the entry point for Spring Security processing.

SecurityFilterChain itself is a simple interface, and DefaultSecurityFilterChain is registered in the container as its implementation class. As the name suggests, SecurityFilterChain chains javax.servlet.Filter instances that provide security features and holds several filters internally. Spring Security provides security features through filters.

As you can tell from the word Proxy in the name, FilterChainProxy does not perform the processing itself. It delegates the actual processing to the filters held by SecurityFilterChain.

<intercept-url>

This tag defines the conditions required for access, or access control, for URL patterns.

The pattern attribute can be written in Ant path format.

The access attribute specifies the conditions required to access the URL specified by the pattern attribute. permitAll means all access is allowed and authentication is not required. isAuthenticated() means access is allowed if the user is authenticated, or logged in.

The access attribute is written with Spring Expression Language, or SpEL, Spring’s own expression language.

This tag defines that form authentication is required.

By default, authentication errors redirect to /login. In the default case, accessing /login displays a simple login page provided by Spring Security.

This default login page is generated by DefaultLoginPageGeneratingFilter inside spring-security-web-x.x.x.RELEASE.jar.

<logout>

Adding this tag makes logout available.

By default, logout is performed when a POST request is sent to /logout.

<authentication-manager>

This tag defines AuthenticationManager as a bean. AuthenticationManager is required for classes that perform authentication processing.

AuthenticationManager itself is an interface, and ProviderManager is used as its implementation class. ProviderManager does not perform specific authentication processing itself. It delegates authentication processing to an AuthenticationProvider that is created later.

<authentication-manager>

This tag defines AuthenticationManager as a bean. AuthenticationManager is required for classes that perform authentication processing.

<authentication-provider>

This tag defines AuthenticationProvider as a bean. This interface provides concrete authentication processing depending on the authentication type.

For example, the class that provides LDAP authentication processing is LdapAuthenticationProvider.

When this tag is declared, DaoAuthenticationProvider is registered in the container. This class obtains user information from UserDetailsService and performs authentication processing.

<user-service>

This tag registers UserDetailsService as a bean. This interface provides the ability to retrieve detailed user information, or UserDetails.

When this tag is declared, InMemoryUserDetailsManager is registered in the container. As its name suggests, this class can store user information in memory. It is usually implemented for checking behavior.

<user>

This tag defines a UserDetails instance. This interface defines getter methods and similar methods for accessing detailed user information.

When this tag is declared, an instance of the User class is created.

The name, password, and authorities attributes can be used to specify the name that identifies the user, the password, and the authorities.

Display Screen

src/main/webapp/index.jsp

<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8" />
        <title>Hello Spring Security!!</title>
    </head>
    <body>
        <h1>Hello Spring Security!!</h1>

        <c:url var="logoutUrl" value="/logout" />
        <form action="${logoutUrl}" method="post">
            <input type="submit" value="logout" />
            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
        </form>
    </body>
</html>

CSRF (Cross-site request forgery)

By default, CSRF protection is set to true. Therefore, when sending a request, you must pass a token for CSRF protection.

The token value and parameter name are stored in request scope under the name _csrf.

CSRF protection will be explained in more detail later.

Check the Behavior

Create a WAR file, spring-security-sample.war, with the gradle war command and deploy it to Tomcat. For deployment, you only need to place the WAR file in {Tomcat installation path}/webapps.

After placing the file, access http://localhost:8080/spring-security-sample in a browser.

When the login screen appears, enter devkuma and 1234 for User and Password, respectively, and click the Login button.

The contents of index.jsp are displayed. Then click the logout button.

Logout is completed, and you return to the login page.

If login fails, an error message is displayed in red as shown above.

Spring Security | What Is Spring Security? | Java Configuration

kc@example.com (kc kim) — Wed, 04 Oct 2017 22:41:52 +0900

Spring Security 3.2 supports Java Configuration introduced in Spring 3.1. It provides namespace-equivalent settings without XML and improves compile-time checks and refactoring.

Replacing Hello World with Java Configuration

Configure web.xml to use AnnotationConfigWebApplicationContext instead of XmlWebApplicationContext.

<context-param>
    <param-name>contextClass</param-name>
    <param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
</context-param>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>sample.spring.security.MySpringSecurityConfig</param-value>
</context-param>

Implementing the Container

@EnableWebSecurity
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin();
    }

    @Autowired
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("devkuma").password("1234").roles("USER");
    }
}

Enabling Spring Security

Annotate the class loaded by AnnotationConfigWebApplicationContext with @EnableWebSecurity. The annotation imports WebSecurityConfiguration and enables global authentication.

Configuring Spring Security

Extend WebSecurityConfigurerAdapter and override methods such as configure(HttpSecurity). HttpSecurity corresponds to the XML <http> namespace element.

authorizeRequests() begins URL authorization settings.
and() returns HttpSecurity and continues the method chain.
formLogin() enables form authentication.

The example is equivalent to:

<sec:http>
    <sec:intercept-url pattern="/login" access="permitAll" />
    <sec:intercept-url pattern="/**" access="isAuthenticated()" />
    <sec:form-login />
    <sec:logout />
</sec:http>

Configuring User Information

AuthenticationManagerBuilder helps define an AuthenticationManager and supports method chaining for UserDetailsService. You can also define a Bean directly.

@Bean
public UserDetailsService userDetailsService() {
    InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
    manager.createUser(User.withUsername("hoge").password("HOGE").roles("USER").build());
    return manager;
}

Spring Security | What Is Spring Security? | Without web.xml

kc@example.com (kc kim) — Wed, 04 Oct 2017 22:41:52 +0900

If the application server supports Servlet 3.0 or later, you can use Spring Security without web.xml.

.
├── build.gradle
└── src
    └── main
        ├── java
        │   └── sample
        │       └── spring
        │           └── security
        │               ├── MySpringSecurityConfig.java
        │               └── MySpringSecurityInitializer.java
        └── webapp
            └── index.jsp

src/main/java/sample/spring/security/MySpringSecurityInitializer.java

package sample.spring.security;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class MySpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
    public MySpringSecurityInitializer() {
        super(MySpringSecurityConfig.class);
    }
}

MySpringSecurityConfig.java and index.jsp are unchanged and omitted.

Remove web.xml and add MySpringSecurityInitializer. It extends AbstractSecurityWebApplicationInitializer and passes the Java configuration class to the parent constructor. This makes the previous web.xml settings unnecessary.

Structure

This feature uses APIs added in Servlet 3.0.

ServletContainerInitializer

AbstractSecurityWebApplicationInitializer implements WebApplicationInitializer. Its Javadoc explains that implementations are detected automatically by SpringServletContainerInitializer, which Servlet 3.0 containers bootstrap automatically.

WebApplicationInitializer.java

/**
 * ...
 *
 * <p>Implementations of this SPI will be detected automatically by {@link
 * SpringServletContainerInitializer}, which itself is bootstrapped automatically
 * by any Servlet 3.0 container. See {@linkplain SpringServletContainerInitializer its
 * Javadoc} for details on this bootstrapping mechanism.
 * ...
 */
public interface WebApplicationInitializer {

SpringServletContainerInitializer implements ServletContainerInitializer and is annotated with @HandlesTypes.

@HandlesTypes(WebApplicationInitializer.class)
public class SpringServletContainerInitializer implements ServletContainerInitializer {
   ...

When the servlet container starts, it invokes onStartup(Set<Class<?>>, ServletContext). The container discovers classes related to the type specified by @HandlesTypes and passes them as the first argument. SpringServletContainerInitializer therefore receives implementations of WebApplicationInitializer, creates instances, and invokes onStartup(ServletContext).

AbstractSecurityWebApplicationInitializer

AbstractSecurityWebApplicationInitializer.onStartup(ServletContext) performs the settings previously defined in web.xml.

public abstract class AbstractSecurityWebApplicationInitializer
        implements WebApplicationInitializer {

    public static final String DEFAULT_FILTER_NAME = "springSecurityFilterChain";

    public final void onStartup(ServletContext servletContext) throws ServletException {
        beforeSpringSecurityFilterChain(servletContext);
        if (this.configurationClasses != null) {
            AnnotationConfigWebApplicationContext rootAppContext = new AnnotationConfigWebApplicationContext();
            rootAppContext.register(this.configurationClasses);
            servletContext.addListener(new ContextLoaderListener(rootAppContext));
        }
        if (enableHttpSessionEventPublisher()) {
            servletContext.addListener(
                    "org.springframework.security.web.session.HttpSessionEventPublisher");
        }
        servletContext.setSessionTrackingModes(getSessionTrackingModes());
        insertSpringSecurityFilterChain(servletContext);
        afterSpringSecurityFilterChain(servletContext);
    }

    private void insertSpringSecurityFilterChain(ServletContext servletContext) {
        String filterName = DEFAULT_FILTER_NAME;
        DelegatingFilterProxy springSecurityFilterChain = new DelegatingFilterProxy(filterName);
        String contextAttribute = getWebApplicationContextAttribute();
        if (contextAttribute != null) {
            springSecurityFilterChain.setContextAttribute(contextAttribute);
        }
        registerFilter(servletContext, true, filterName, springSecurityFilterChain);
    }
}

The key point is that the implementation now performs the configuration previously written in web.xml.

Spring Security | Authentication

kc@example.com (kc kim) — Wed, 04 Oct 2017 22:41:52 +0900

Spring Security | Authentication | UserDetailsService: Searching User Information

kc@example.com (kc kim) — Wed, 04 Oct 2017 22:41:52 +0900

The role of searching for user information is handled by UserDetailsService. Spring Security includes several classes that implement UserDetailsService.

Using Memory

This implements storing user information in memory. The concrete class is InMemoryUserDetailsManager.

XML Configuration

applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       ...>

    ...

    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:user-service>
                <sec:user name="hoge" password="HOGE" authorities="ROLE_USER" />
            </sec:user-service>
        </sec:authentication-provider>
    </sec:authentication-manager>
</beans>

Declare it by using the <user-service> and <user> tags.

Java Configuration

MySpringSecurityConfig.java

package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        ...
    }

    @Autowired
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("hoge").password("HOGE").roles("USER");
    }
}

Declare a method that receives AuthenticationManagerBuilder in the configuration class and add the @Autowired annotation.
Configure the definition information with the inMemoryAuthentication() method.

JDBC

This implements retrieving user information from a database. The actual class is JdbcUserDetailsManager.

build.gradle (additional dependencies)

    compile 'org.springframework:spring-jdbc:4.3.6.RELEASE'
    compile 'com.h2database:h2:1.4.193'

H2 is added and used as the database for verification.
spring-jdbc is also added as a dependency to create a DataSource.

src/main/resources/sql/create_database.sql

CREATE TABLE USERS (
    USERNAME VARCHAR_IGNORECASE(50) NOT NULL PRIMARY KEY,
    PASSWORD VARCHAR_IGNORECASE(50) NOT NULL,
    ENABLED  BOOLEAN NOT NULL
);

CREATE TABLE AUTHORITIES (
    USERNAME  VARCHAR_IGNORECASE(50) NOT NULL,
    AUTHORITY VARCHAR_IGNORECASE(50) NOT NULL,
    CONSTRAINT FK_AUTHORITIES_USERS FOREIGN KEY (USERNAME) REFERENCES USERS(USERNAME),
    CONSTRAINT UK_AUTHORITIES UNIQUE (USERNAME, AUTHORITY)
);

INSERT INTO USERS VALUES ('fuga', 'FUGA', true);
INSERT INTO AUTHORITIES VALUES ('fuga', 'USER');

If you declare the table columns as written above, user information is retrieved automatically by default.
This can also be changed depending on the configuration.
Place the file under the classpath. It will be used later as the initialization script when creating the data source.

XML Configuration

applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jdbc="http://www.springframework.org/schema/jdbc"
       xsi:schemaLocation="
         ...
         http://www.springframework.org/schema/jdbc
         http://www.springframework.org/schema/jdbc/spring-jdbc.xsd">

    ...

    <jdbc:embedded-database id="dataSource" type="H2">
        <jdbc:script location="classpath:/sql/create_database.sql" />
    </jdbc:embedded-database>

    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:jdbc-user-service data-source-ref="dataSource"  />
        </sec:authentication-provider>
    </sec:authentication-manager>
</beans>

Use the <jdbc-user-service> tag.
The data source definition runs the initialization script written above by using the <jdbc:script> tag.

Java Configuration

MySpringSecurityConfig.java

package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import javax.sql.DataSource;

@EnableWebSecurity
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        ...
    }

    @Bean
    public DataSource dataSource() {
        return new EmbeddedDatabaseBuilder()
                .generateUniqueName(true)
                .setType(EmbeddedDatabaseType.H2)
                .setScriptEncoding("UTF-8")
                .addScript("/sql/create_database.sql")
                .build();
    }

    @Autowired
    public void configure(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource);
    }
}

Use the jdbcAuthentication() method of AuthenticationManagerBuilder.

Changing Table and Column Names

CREATE TABLE USERS (
    LOGIN_ID VARCHAR_IGNORECASE(50) NOT NULL PRIMARY KEY,
    PASSWORD VARCHAR_IGNORECASE(50) NOT NULL,
    ENABLED  BOOLEAN NOT NULL
);

CREATE TABLE AUTHORITIES (
    LOGIN_ID  VARCHAR_IGNORECASE(50) NOT NULL,
    ROLE VARCHAR_IGNORECASE(50) NOT NULL,
    CONSTRAINT FK_AUTHORITIES_USERS FOREIGN KEY (LOGIN_ID) REFERENCES USERS(LOGIN_ID),
    CONSTRAINT UK_AUTHORITIES UNIQUE (LOGIN_ID, ROLE)
);

Change USERNAME to LOGIN_ID and AUTHORITY to ROLE.
To change table names and column names to whatever you want, change the SQL used to search user information.
As long as the order of the selected items matches during retrieval, the column names can be anything.

XML Configuration

applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jdbc="http://www.springframework.org/schema/jdbc"
       ...>

    ...

    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:jdbc-user-service
                data-source-ref="dataSource"
                users-by-username-query="SELECT LOGIN_ID, PASSWORD, ENABLED FROM USERS WHERE LOGIN_ID=?"
                authorities-by-username-query="SELECT LOGIN_ID, ROLE FROM AUTHORITIES WHERE LOGIN_ID=?" />
        </sec:authentication-provider>
    </sec:authentication-manager>
</beans>

Define a query that retrieves USERNAME, PASSWORD, and ENABLED with the users-by-username-query attribute.
Define a query that retrieves USERNAME and AUTHORITY with the authorities-by-username-query attribute.

Java Configuration

MySpringSecurityConfig.java

package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import javax.sql.DataSource;

@EnableWebSecurity
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        ...
    }

    @Bean
    public DataSource dataSource() {
        ...
    }

    @Autowired
    public void configure(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
        .usersByUsernameQuery("SELECT LOGIN_ID, PASSWORD, ENABLED FROM USERS WHERE LOGIN_ID=?")
        .authoritiesByUsernameQuery("SELECT LOGIN_ID, ROLE FROM AUTHORITIES WHERE LOGIN_ID=?");
    }
}

Define a query that retrieves USERNAME, PASSWORD, and ENABLED with the usersByUsernameQuery(String) method.
Define a query that retrieves USERNAME and AUTHORITY with the authoritiesByUsernameQuery(String) method.

Creating UserDetailsService

MyUserDetailsService.java

package sample.spring.security;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class MyUserDetailsService implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        if ("hoge".equals(username)) {
            return new User(username, "HOGE", AuthorityUtils.createAuthorityList("USER"));
        }

        throw new UsernameNotFoundException("not found : " + username);
    }
}

Create a class that implements UserDetailsService.
UserDetailsService has only one method, loadUserByUsername(String).
- A string that identifies the user, usually the username entered on a login screen, is passed as an argument, so return the user information corresponding to that identifier.
- If there is no matching user information, throw UsernameNotFoundException.
User information is written as a class that implements the UserDetails interface.
- A standard class named User is provided.
- If you need to change the User class for some reason, create a class that implements the UserDetails interface.

Spring Security | Authentication | BCryptPasswordEncoder: Password Hashing

kc@example.com (kc kim) — Wed, 04 Oct 2017 22:41:52 +0900

Why Hash Passwords?

If data is leaked, storing passwords as plain text is extremely dangerous. Passwords should generally be stored in a form that does not reveal the original string. When decryption is unnecessary, use a hash function.

BCrypt

MD5 and SHA are well-known hash functions, but BCrypt is convenient for password hashing.

Applying a hash function only once remains vulnerable to brute-force attacks, dictionary attacks, and rainbow tables.

BCrypt adds a random salt and hashes repeatedly, making the original password harder to guess. Spring Security also recommends BCrypt.

Implementation

Configure a PasswordEncoder on DaoAuthenticationProvider. To use BCrypt, use the BCryptPasswordEncoder implementation. Store precomputed BCrypt hash values.

XML Configuration

applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       ...>

    ...

    <bean id="passwordEncoder"
          class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:user-service>
                <sec:user
                    name="hoge"
                    password="$2a$08$CekzJRYhb5bzp5mx/eZmX.grG92fRXo267QVVyRs0IE.V.zeCIw8S"
                    authorities="ROLE_USER" />
            </sec:user-service>

            <sec:password-encoder ref="passwordEncoder" />
        </sec:authentication-provider>
    </sec:authentication-manager>
</beans>

Define BCryptPasswordEncoder as a Bean and set it in the ref attribute of <password-encoder>.
Configure <password-encoder> as a child element of <authentication-provider>.

Java Configuration

MySpringSecurityConfig.java

package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    ...

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public void configure(AuthenticationManagerBuilder auth, PasswordEncoder passwordEncoder) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder)
            .withUser("hoge")
            .password("$2a$08$CekzJRYhb5bzp5mx/eZmX.grG92fRXo267QVVyRs0IE.V.zeCIw8S")
            .roles("USER");
    }
}

Specify the PasswordEncoder with the passwordEncoder() method of AbstractDaoAuthenticationConfigurer.
AbstractDaoAuthenticationConfigurer is the parent class of InMemoryUserDetailsManagerConfigurer, returned by AuthenticationManagerBuilder.inMemoryAuthentication().

Encoding Passwords

To encode a password, obtain PasswordEncoder from the container and use encode().

EncodePasswordServlet.java

package sample.spring.security.servlet;

import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@WebServlet("/encode-password")
public class EncodePasswordServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        WebApplicationContext context = WebApplicationContextUtils.getRequiredWebApplicationContext(req.getServletContext());
        PasswordEncoder passwordEncoder = context.getBean(PasswordEncoder.class);

        String password = req.getParameter("password");
        String encode = passwordEncoder.encode(password);
        System.out.println(encode);
    }
}

The configuration is the same as described above: register BCryptPasswordEncoder as a Bean.
The example obtains PasswordEncoder explicitly for demonstration. In practice, inject it into a container-managed Bean.
Access http://localhost:8080/encode-password?password=fuga.

Server console output

$2a$10$2qVDkAqxp8eDrxR8Be2ZpubYGOCVZ7Qy9uK/XzOIY1ZoxpChtrWDK

Spring Security | Authentication | Authentication

kc@example.com (kc kim) — Wed, 04 Oct 2017 22:41:52 +0900

Authentication is one of the important classes in Spring Security. It contains authenticated user information, including the username and granted authorities.

When authentication succeeds, an AuthenticationProvider creates and returns an authenticated Authentication object whose isAuthenticated() method returns true. Subsequent processing, such as authorization checks, refers to this object.

Obtaining Authentication and Referencing Its Information

SecurityContextHolderSampleServlet.java

package sample.spring.security.servlet;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

import static java.util.stream.Collectors.*;

@WebServlet("/authentication")
public class SecurityContextHolderSampleServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("[authorities]");
        System.out.println("  " + auth.getAuthorities().stream()
                                    .map(GrantedAuthority::getAuthority)
                                    .collect(joining("\n  ")));

        WebAuthenticationDetails details = (WebAuthenticationDetails) auth.getDetails();
        System.out.println("[details]");
        System.out.println("  IP Address : " + details.getRemoteAddress());
        System.out.println("  Session ID : " + details.getSessionId());

        UserDetails principal = (UserDetails) auth.getPrincipal();
        System.out.println("[principal]");
        System.out.println("  username : " + principal.getUsername());
        System.out.println("  password : " + principal.getPassword());

        System.out.println("[credentials]");
        System.out.println("  " + auth.getCredentials());
    }
}

Result

[authorities]
  USER
[details]
  IP Address : 0:0:0:0:0:0:0:1
  Session ID : 0225051BCDFE2C34D55DF4FA9D9685C2
[principal]
  username : hoge
  password : null
[credentials]
  null

Use SecurityContextHolder.getContext().getAuthentication() to obtain the Authentication associated with the current request.
- SecurityContextHolder.getContext() returns the SecurityContext associated with the current request.
Authentication.getAuthorities() returns the granted authorities of the logged-in user.
Authentication.getDetails() returns WebAuthenticationDetails by default.
- This provides the IP address and session ID.
Authentication.getPrincipal() returns the logged-in user’s UserDetails.
Authentication.getCredentials() returns information used for authentication, typically the login password.

For security, AuthenticationManager (ProviderManager) explicitly erases password information after login succeeds by setting it to null. You can disable this behavior with the eraseCredentialsAfterAuthentication option.

Where Authentication Is Stored

After authentication, the SecurityContext that holds Authentication is stored in the HttpSession by default.

When the same session accesses the application again, the stored SecurityContext is retrieved and placed in SecurityContextHolder.

By default, SecurityContextHolder stores the SecurityContext through a ThreadLocal, making the context associated with the current request globally accessible.

More precisely, SecurityContextHolder holds a SecurityContextHolderStrategy instance. ThreadLocalSecurityContextHolderStrategy stores the SecurityContext in a ThreadLocal.

SecurityContextPersistenceFilter loads and stores the SecurityContext and clears the request-specific ThreadLocal.

Storage Methods Other Than ThreadLocal

SecurityContextHolderStrategy also has two implementations besides ThreadLocalSecurityContextHolderStrategy.

GlobalSecurityContextHolderStrategy

Stores one SecurityContext for the entire application.

This is useful for stand-alone applications where there may be only one active user. Even when multiple threads exist, all of them may need to share the same authentication information.

InheritableThreadLocalSecurityContextHolderStrategy

Shares the parent thread’s SecurityContext when a new thread is created.

This is useful when multiple users can access an application but processing for each user creates new threads for background work. The threads are separate, but authentication information must be inherited from the parent thread.

You can change the storage strategy with either of the following methods.

Configuring a System Property

Pass the spring.security.strategy system property as a JVM startup option.

When starting Tomcat

$ set JAVA_OPTS=-Dspring.security.strategy=MODE_INHERITABLETHREADLOCAL

$ cd %TOMCAT_HOME%\bin

$ startup.bat

Using a static method

SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);

SecurityContextHolder provides setStrategyName(String). Pass one of the constants defined on SecurityContextHolder.

Spring Security

kc@example.com (kc kim) — Wed, 04 Oct 2017 22:41:52 +0900

Spring Security provides a powerful authentication system. This section explains it from the basics.

devkuma – Spring Security

Spring Security | What Is Spring Security?

Spring Security | What Is Spring Security? | Authentication and Authorization

What Is Authentication?

What Is Authorization?

Difference Between Authentication and Authorization

Adding Authentication to a WebMVC MCP Server with Spring and Kotlin

Getting Started

Adding Authentication

Creating MCP Server Security Configuration

Implementing a Test Client

References

Spring Security | What Is Spring Security? | Hello World

Dependencies in the Build Script

spring-security-web

spring-security-config

Initializing the Spring Container

Applying Spring Security to the Application

Spring Security Configuration

<http>

<intercept-url>

<form-login>

<logout>

<authentication-manager>

<authentication-manager>

<authentication-provider>

<user-service>

<user>

Display Screen

CSRF (Cross-site request forgery)

Check the Behavior

Spring Security | What Is Spring Security? | Java Configuration

Replacing Hello World with Java Configuration

Implementing the Container

Enabling Spring Security

Configuring Spring Security

Configuring User Information

Spring Security | What Is Spring Security? | Without web.xml

Structure

ServletContainerInitializer

AbstractSecurityWebApplicationInitializer

Spring Security | Authentication

Spring Security | Authentication | UserDetailsService: Searching User Information

Using Memory

XML Configuration

Java Configuration

JDBC

XML Configuration

Java Configuration

Changing Table and Column Names

XML Configuration

Java Configuration

Creating UserDetailsService

Spring Security | Authentication | BCryptPasswordEncoder: Password Hashing

Why Hash Passwords?

BCrypt

Implementation

XML Configuration

Java Configuration

Encoding Passwords

Spring Security | Authentication | Authentication

Obtaining Authentication and Referencing Its Information

Where Authentication Is Stored

Storage Methods Other Than ThreadLocal

GlobalSecurityContextHolderStrategy

InheritableThreadLocalSecurityContextHolderStrategy

Configuring a System Property

Spring Security