Introduction
Spring Security Basics: Implementing Authentication and Authorization
Hello everyone, this document will guide you through the process of integrating authentication and authorization mechanisms into a Spring Boot web application using Spring Security. The following topics will be covered:
PART 1: Create the base application
Create the project
Implement the API endpoints
Create user and role entities
Create user and role repositories
Configure database connectivity
Populate the database with sample users
Verify that the users and roles were created by querying the database
Run the application
PART 2: Enable Spring Security
Add the Spring Security dependency
Restart the application
Verify that Spring Security is enabled
PART 3: Configure security for the API endpoints
Create the security configuration class
Make all APIs accessible only to logged-in users
Allow /api/hello to be accessed by anyone
Restrict access to /api/admin to users with the ADMIN role only
PART 4: Integrate the database with Spring Security
Add the password encoder bean
Update the plain-text passwords to encrypted passwords
Configure the user details service
Configure the authentication provider
Before going in, let's see what each of the following is:
Authentication
Authorization
User details service
Authentication provider
Authentication
Authentication is the process of proving that someone is who they claim to be. Authentication can be done in several ways, such as with a username and password, a fingerprint, a token, etc.
To authenticate against an application, a user must have valid credentials. When these credentials are provided to the application for access, the application verifies them against the database where the credentials are stored. If the credentials match, the authentication is successful and the user can proceed to use the application.
Authorization
While authentication verifies the identity of a user in an application, authorization determines what actions the user is permitted to perform. This means it addresses the permissions assigned to a user.
In an application, there may be multiple users, each with different levels of operational rights. For example, an ADMIN user may have the right to delete a user, whereas a regular user will not have this capability.
A basic flow of user authentication and authorization
Authentication
User submits the credentials to the application.
The application verifies the credentials by checking in the database.
If the credentials are valid, access to the application is granted.
Authorization
User requests a resource.
The authorization module checks if the user has rights to access the resource.
If the user has the rights, the resource is returned to the user.
Otherwise, access to the resource is denied.
User details service
This service provides the data needed for authentication, such as the username, password, and any other required details. In Spring Security, we configure a UserDetailsService object, which tells Spring Security where to load the data required for authentication. For example, when the username "test@test.com" is submitted, Spring Security needs to look up the user record whose username is "test@test.com." This lookup is typically performed against a database, and the user details service is what connects Spring Security to that database.
In essence, the user details service retrieves user data from the database based on a given key (the username).
Authentication provider
The authentication provider is responsible for authenticating users based on the provided credentials.
The authentication provider requests the user's details from the user details service using the submitted username. The user details service fetches and returns the user information if a user with that name is found. The authentication provider then compares the submitted password with the stored one (using the configured password encoder).
The authentication provider and the user details service collaborate to authenticate a user effectively.
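The following configuration class is an added example (not code from the original post) showing how the user details service and the authentication provider described above fit together. It assumes a hypothetical JPA `UserRepository` with a `findByEmail` method and a `Role` entity with a `getName()` method, matching the entities and repositories outlined in Part 1.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class AuthConfig {

    // Hypothetical repository from Part 1; findByEmail returns Optional<AppUser>.
    private final UserRepository userRepository;

    public AuthConfig(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    // Password encoder bean: passwords are stored as BCrypt hashes, never plain text.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // User details service: tells Spring Security where to load the user for a given username.
    @Bean
    public UserDetailsService userDetailsService() {
        return username -> userRepository.findByEmail(username)
            .map(u -> User.withUsername(u.getEmail())
                .password(u.getPassword()) // already BCrypt-encoded in the database
                .roles(u.getRoles().stream().map(Role::getName).toArray(String[]::new))
                .build())
            .orElseThrow(() -> new UsernameNotFoundException("User not found: " + username));
    }

    // Authentication provider: looks the user up via the service, then checks the password.
    // DaoAuthenticationProvider hides UsernameNotFoundException behind a generic
    // BadCredentialsException by default, so unknown and wrong-password logins look alike.
    @Bean
    public AuthenticationProvider authenticationProvider(UserDetailsService uds,
                                                         PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(uds);
        provider.setPasswordEncoder(encoder);
        return provider;
    }
}
```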