Donation

If you found the contents in this blog useful, then please make a donation to keep this blog running. You can make donations via Skrill with email address shazin.sadakath@gmail.com

Tuesday, April 26, 2016

Spring Security 4.1.0 Features implemented by Me

Recently I got the chance to contribute to an open source project which I have been using for a really long time. Spring Security is one of the de-facto projects when it comes to protecting Web Applications as well as some Standalone applications.

It provides many features with regards to Authentication and Authorization out of the box and it is highly customizable and extendable to work with any third party, proprietary Security implementations (SSO, OAuth, Openid etc).

I took the dive in by forking the Spring security project available at github and went through the issues and found issues that are interesting to me and sent pull requests. I must thank Rob Winch who is the Spring security Project Lead who instructed me on how things need to work.

Before I knew it I have submitted 4 pull requests which have been merged with of course minor changes based on Project Lead's review. The Spring Security version 4.1.0.RC2 is now available to use if you are using the Milestone repository of the Spring project. Which means the features I implemented are almost available to the rest of the world.

Well I took that opportunity to write about the features I implemented which are also documented in the Spring Security reference guide. Following are the features I partially/fully contributed to Spring Security.

SCryptPasswordEncoder

Spring Security ships alot of Password encoders such as MD5, SHA which the developers can use to encode the password before storing in the database. This gives added security in case of Security breaches because all the hackers will be getting is an hash not a clear text password.

Scrypt is a similar encoding algorithm and I implemented the PasswordEncoder implementation using the Bouncy Castle library to be used in Spring Security.


ForwardAuthenticationSuccessHandler

AuthenticaionSuccessHandlers give the ability to extend the capabilities of the Spring Security to allow the developers to do a task after a successful login by a user. This can be auditing, etc. In order to forward to a URL after the successful authentication the user had to write custom implementation of AuthenticationSuccessHandler. Well not any more.

ForwardAuthenticationFailureHandler



AuthenticaionFailureHandlers give the ability to extend the capabilities of the Spring Security to allow the developers to do a task after a failed login by a user. This can be auditing, locking out etc. In order to forward to a URL after the failed authentication the user had to write custom implementation of AuthenticationFailureHandler. Well not any more.


FormLoginConfigurer.successForwardUrl

Since creating and initializing ForwardAuthenticationSuccessHandler can be cumbersome at times. The lead wanted a convenient method to set successForwardUrl in a fluid API way. Now the same thing can be accomplished using XML as well using authentication-success-forward-url under form-login XML tag.

FormLoginConfigurer.failureForwardUrl

Since creating and initializing ForwardAuthenticationFailureHandler can be cumbersome at times. The lead wanted a convenient method to set failureForwardUrl in a fluid API way. Now the same thing can be accomplished using XML as well using authentication-failure-forward-url under form-login XML tag.

DelegatingLogoutSuccessHandler

LogoutSuccessHandlers are an extension in Spring Security where an action can be performed based on Success of the logout. For this there can be different use cases for example. If a request came from a web browser the logout may redirect to a web page after logout. But if the request came from within an AJAX can there seems to be no point of redirecting to page but better to return a status code alone. This implementation takes care of that in a configurable way. A request matcher and logout success handler is mapped based on the request criteria.

The complete source codes for the examples is available at https://github.com/shazin/spring-security-examples and following image shows the example in action.


Mentions

Spring Blog - https://spring.io/blog/2016/03/24/spring-security-4-1-0-rc1-released