
Basic and core concepts of Spring Boot Starter Security

In this article, we are going to see how to secure a Spring Boot application using Spring Boot Starter Security. Here I explain the basic concepts and some of the major advanced concepts of Spring Boot security, so please keep reading the series of articles.

First, let me explain what Spring Boot security is and why we need it. Spring Security is a mechanism for adding security to an application, to prevent hacking attacks and close off common vulnerabilities.

Spring Boot Starter Security protects against common web vulnerabilities such as session fixation, clickjacking and cross-site request forgery out of the box, to provide more security for an application.


Basic things you need to know about Spring Boot Security

These are some of the basic things we need to do to secure a Spring Boot application. The features are listed below.

  1. Provide login / logout functionality.
  2. Secure endpoints, which includes:
  • URLs accessible publicly.
  • URLs accessible only by logged-in users.
  • URLs accessible only by users who have a certain authority or role.

Spring Boot provides many authentication mechanisms to secure a web application. They are listed below.

  • Default username / password authentication, or form login authentication.
  • Single Sign-On (SSO) authentication, for example with Okta or LDAP.
  • OAuth authentication - authenticate to one application through another application.
  • Microservices security - microservices talk to each other by exposing APIs to one another, and these security features let them do so securely (for example, JWT token based authentication).
  • Method level security - we can secure not only URLs but also methods by using method level security. This is the more powerful form of security in Spring Security.
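The two lists above (login / logout plus public, logged-in-only and role-restricted URLs, and form login as the default mechanism) map onto a single Spring Security configuration class. The following is an added example written for this article, not code from the original post or from the Spring project; the package name, the URL paths (/public/**, /admin/**, /teacher/**) and the role names are assumptions chosen for illustration. It uses the Spring Security 6 lambda DSL.

```java
package com.example.demo.security; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Securing endpoints: rules are evaluated top to bottom, first match wins,
            // so the most specific patterns come first and the catch-all comes last.
            .authorizeHttpRequests(auth -> auth
                // URLs accessible publicly (assumed paths)
                .requestMatchers("/", "/public/**", "/css/**").permitAll()
                // URLs accessible only by users holding a certain role;
                // hasRole("ADMIN") checks for the authority "ROLE_ADMIN"
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/teacher/**").hasAnyRole("ADMIN", "TEACHER")
                // Everything else requires a logged-in user
                .anyRequest().authenticated()
            )
            // Login / logout functionality: the default form login page is generated
            // by Spring Security, and POST /logout invalidates the session.
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout
                .logoutSuccessUrl("/")
                .permitAll()
            )
            // The protections the article mentions are already the defaults; they are
            // restated here only so the reader can see where they are configured.
            .csrf(Customizer.withDefaults())                       // CSRF token required on state-changing requests
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.changeSessionId())) // new session id after login
            .headers(headers -> headers
                .frameOptions(frame -> frame.deny()));             // X-Frame-Options: DENY against clickjacking
        return http.build();
    }
}
```

Because the rules are first-match, putting `.anyRequest().authenticated()` before the `/public/**` line would lock the public pages; ordering mistakes of this kind are worth checking in review whenever a new matcher is added.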

These are some basic things you need to know about Spring Security. But there are still some more core concepts you need to know regarding security. What are they? Let me explain them one by one in detail below.

Five Important features of Spring Boot Security

  1. Authentication
  2. Authorization
  3. Principal
  4. Authority
  5. Role

Authentication

Authentication is the process of identifying users by their proof of identity, such as a username and password. Simply put, it asks the question "who are you?", and you need to answer that question to be verified.

All the user information is stored in the database: username and password, with some unique id as reference. Authentication is an entry-level security check that validates users by checking whether their username and password are found in the database before letting them proceed further.

For example, let's take a movie theater. When we go to a movie, what do we have to do first? We have to show the ticket to the security guard at the entrance to enter the theater, right? The security guard only allows into the theater the people who have a movie ticket. This kind of checking is called authentication.
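The "look the username up and check the password" step described above is what a UserDetailsService does in Spring Security. The following is an added example for this article, not code from the original post or from the Spring project; the package name, the two users and their passwords are constructed, and an in-memory Map stands in for the database table the text describes.

```java
package com.example.demo.security; // hypothetical package

import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class UserLookupConfig {

    // Stand-in for the user table (constructed): the password column holds a
    // bcrypt hash, never the clear-text password.
    record StoredUser(String passwordHash, List<String> roles) {}

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Hashing at startup keeps the example self-contained; a real table
        // would already contain the hashes.
        Map<String, StoredUser> userTable = Map.of(
            "alice", new StoredUser(encoder.encode("alice-pass"), List.of("ADMIN")),
            "bob",   new StoredUser(encoder.encode("bob-pass"),   List.of("TEACHER")));

        // UserDetailsService has one method, loadUserByUsername, so a lambda will do.
        // Spring calls it with the submitted username and then compares the submitted
        // password against the returned hash using the PasswordEncoder bean.
        return username -> {
            StoredUser stored = userTable.get(username);
            if (stored == null) {
                throw new UsernameNotFoundException("No such user: " + username);
            }
            return User.withUsername(username)
                .password(stored.passwordHash())
                .roles(stored.roles().toArray(String[]::new))
                .build();
        };
    }
}
```

Two details matter for security here: the service returns the stored hash and lets Spring's PasswordEncoder do the comparison, so clear-text passwords never need to be stored; and Spring's DaoAuthenticationProvider by default reports an unknown username with the same "bad credentials" failure as a wrong password, so the login form does not reveal which usernames exist.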

There are several authentication factors available to authenticate users. Those factors are listed below.

  1. Knowledge Factor
  2. Possession Factor
  3. Inherence Factor
  4. Location Factor
  5. Behavioral Factor

Here let us look at the two major factors, the knowledge factor and the possession factor.

  1. Knowledge factor authentication - the knowledge factor requires the user to provide some information they know in order to authenticate. Mostly this information is a PIN or password. This authentication is less secure because anyone who knows the secret can enter it and log in, right?
  2. Possession factor authentication - the possession factor requires the user to provide information that is sent to something the user has, such as a mobile phone. This kind of authentication is more secure compared to the knowledge factor.

Nowadays most web applications use authentication based on these two factors (knowledge and possession) to secure the application.

Authorization

Authorization is the process of defining which services are accessible to an authenticated user. It asks questions like "can this user access this?" or "is this user allowed to do this?".

For example, let's take the movie theater example again. First, you entered the theater by showing your movie ticket to the security guard. Here authentication is finished. Now inside the theater there are many screens playing different movies, right? You are only allowed to see the movie mentioned on your ticket, not all the movies. That is authorization.

Principal

The principal is the details of the logged-in user, that is, the details of the currently logged-in (or authenticated) user in the context of the application.

Authorities

Authorities are a collection of permissions. Authenticated users should have some permissions to do a certain set of work or to access a certain set of resources. Permissions decide whether the user can do this or can access that.

So an authorized user has some granted authorities. These are the fine-grained permissions of a user.

For example, here are some users with their corresponding authorities.

Users     Authorities (Can Access)
Admin     Can access only admin info
Teacher   Can access only teacher info
Student   Can access only student info

All the users mentioned above can access only their own info, not the others'.

Role

A role is a group of authorities. Many people use authority and role as if they were the same, but there are some differences. Let me explain why we need roles and what the difference between roles and authorities is.

Look at the table in the authorities section. There, users can access only some resources based on their authority. In that example a teacher can't act as an admin; I mean a teacher cannot access the admin resources.

But in some situations a teacher will also become an admin and should then be able to access the admin resources too, right? For this kind of situation, roles help out. We can define roles for the users and bind more authorities to them. See the table below to understand.

Users     Roles                                   Authorities (Can Access)
Admin     ROLE_ADMIN, ROLE_TEACHER, ROLE_STUDENT  Admin, Teacher, and Student info
Teacher   ROLE_ADMIN, ROLE_TEACHER, ROLE_STUDENT  Admin, Teacher, and Student info
Student   ROLE_STUDENT                            Student info
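The Authorization, Principal, Authorities and Role sections above come together in method level security: each user carries a set of granted authorities, roles are simply authorities with the ROLE_ prefix, and the principal is whoever is in the current security context. The following is an added example written for this article, not code from the original post or from the Spring project. The package name, the three users with {noop} passwords, and the extra fine-grained authority GRADES_READ are assumptions made for illustration; the role assignments mirror the table above.

```java
package com.example.demo.security; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity   // enables @PreAuthorize on Spring beans
public class RoleConfig {

    // Users and their roles as in the table above (constructed). {noop} marks a
    // clear-text password for demo purposes; a real application stores bcrypt hashes.
    @Bean
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
            // roles("ADMIN") stores the granted authority "ROLE_ADMIN"
            User.withUsername("admin").password("{noop}admin-pass")
                .roles("ADMIN", "TEACHER", "STUDENT").build(),
            User.withUsername("teacher").password("{noop}teacher-pass")
                .roles("ADMIN", "TEACHER", "STUDENT").build(),
            // authorities(...) stores exactly what is given: one role plus a
            // fine-grained permission (GRADES_READ, assumed) that is not a role at all
            User.withUsername("student").password("{noop}student-pass")
                .authorities("ROLE_STUDENT", "GRADES_READ").build());
    }
}

@Service
class InfoService {

    // Authorization: hasRole('ADMIN') is shorthand for hasAuthority('ROLE_ADMIN').
    // The admin and teacher users above pass; the student user is refused with an
    // AccessDeniedException before the method body runs.
    @PreAuthorize("hasRole('ADMIN')")
    public String adminInfo() {
        return "admin info for " + currentPrincipalName();
    }

    @PreAuthorize("hasRole('TEACHER')")
    public String teacherInfo() {
        return "teacher info for " + currentPrincipalName();
    }

    // Every user in the table holds ROLE_STUDENT, so all three may call this.
    @PreAuthorize("hasRole('STUDENT')")
    public String studentInfo() {
        return "student info for " + currentPrincipalName();
    }

    // A plain authority check: only the student user was granted GRADES_READ,
    // even though admin and teacher hold "more" roles.
    @PreAuthorize("hasAuthority('GRADES_READ')")
    public String grades() {
        return "grades for " + currentPrincipalName();
    }

    // Principal: the authenticated user held in the current thread's security context.
    private static String currentPrincipalName() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? "anonymous" : auth.getName();
    }
}
```

The last method is the practical difference between the two concepts: a role answers "what kind of user is this?", while an authority answers "what exactly may this user do?". Checks on fine-grained authorities do not automatically pass for users with broader roles, so a reviewer should confirm that each @PreAuthorize expression names the right kind of grant.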

I hope you now understand some of the basic concepts regarding Spring Boot security. In the next article I will explain how to configure Spring Boot Starter Security in a fresh Spring Boot application. Please keep reading. Thanks!

2 thoughts on "Basic and core concepts of Spring Boot Starter Security"

  1. This design is stellar! You definitely know how to keep a reader amused. Fantastic job.
     I really loved what you had to say, and more than that, how you presented it. Too cool!
