Development Notes
  • Introduction
  • Programming Langauges
    • Java
      • Cache
      • Java Fundamentals
      • Multithreading & Concurrency
      • Spring Boot
        • Spring Security
        • Development tips
      • ORM
        • Mybatis
      • Implementation & Testing
    • Node.js
      • Asynchronous Execution
      • Node.js Notes
    • Python
      • Memo
  • Data Structure & Algorithm
  • Database
  • Design Pattern
  • AWS Notes
    • Services
      • API Gateway
      • CloudHSM
      • Compute & Load Balancing
        • Auto Scaling Group
        • EC2
        • ECS
        • ELB
        • Lambda
      • Data Engineering
        • Athena
        • Batch
        • EMR
        • IoT
        • Kinesis
        • Video Streaming
        • Quicksight
      • Deployment
        • CloudFormation
        • Code Deploy
        • Elastic Beanstalk
        • OpsWorks
        • SAM
        • SSM
      • ElasticSearch
      • Identity & Federation
        • Directory Service
        • IAM
        • Organizations
        • Resource Access Manager (RAM)
        • SSO
        • STS
      • KMS
      • Management Tools
        • Catalog
        • CloudTrail
        • CloudWatch
        • Config
        • Cost Allocation Tags
        • GuardDuty
        • Savings Plans
        • Trusted Advisor
        • X-Ray
      • Migration
        • Cloud Migration: The 6R
        • Disaster Recovery
        • DMS
        • VM Migrations
      • Networking
        • ACM
        • CloudFront
        • Direct Connect
        • EIP & ENI
        • Network Security
        • PrivateLink
        • Route53
        • VPC
        • VPN
      • Service Commnucation
        • Amazon MQ
        • SNS
        • SQS
        • Step Functions
        • SWF
      • Storage
        • Aurora
        • DynamoDB
        • EBS
        • EFS
        • ElastiCache
        • RDS
        • Redshift
        • S3
        • Storage Gateway
      • Other Services
        • Alexa for Business, Lex, Connect
        • AppStream 2.0
        • CloudSearch
        • Comprehend
        • Data Tools
        • Elastic Transcoder
        • Mechanical Turk
        • Rekognition
        • WorkDocs
        • WorkSpaces
    • Well Architect Framework
      • Security
      • Reliability
      • Performance Effeciency
      • Cost Optimization
      • Operational Excellence
    • Labs
      • Webserver Implementation
      • ELB Implementation
      • Auto-scaling Implementation
      • A 3-tier Architecture In VPC
  • Architecture
    • Security
  • Spark
    • Memo
  • Conference Notes
    • Notes of JCConf 2017
  • AI Notes
Powered by GitBook
On this page

Was this helpful?

  1. Programming Langauges
  2. Java
  3. Spring Boot

Spring Security

Key concepts

  • Config with @EnableWebSecurity and extends WebSecurityConfigurerAdapter

  • Authority of antMatchers can be delegated with has(Any)Role, has(Any)Authority.

    • Order of antMatcher matters, specific path should be defined first.

    • In Pojo Enum design, can set up permission enum as the Set attribute of role enum

    • Authority can either be set up with @EnableGlobalMethodSecurity in config and @PreAuthorize in controllers.

  • To load users for AA, creating a service (with @Service) that implements UserDetailsService, and overrides loadUserByUsername()

  • Authentication

    • Basic

      • Using header to send based64-encoded username:password so HTTPS is recommended

      • Simple and fast, but cannot logout

    • Form-based

      • Using form to send username, password to get sessionid back and then store in cookies

      • Can logout

      • Session id can be stored to external DBs. like: Redis

  • CSRF

    • Turned on by default, and a token issued by Spring Security would be kept in browser cookies. And POST / PUT / PATCH / DELETE requests must carry the token.

    • If the client is not a browser, turn CSRF protection off.

PreviousSpring BootNextDevelopment tips

Last updated 4 years ago

Was this helpful?