Spring Boot Security & Authentication
As I have no prior experience with the Spring Boot Framework, I've started exploring. Here is what I learnt and understood. Hope this helps all newbies.
What is Spring Security: - Spring Security is a Java framework which provides authentication, authorization and other security features for applications.
Why we need Spring Security: - Different clients access applications from different locations. At times, APIs need to perform tasks that generate and share sensitive data. Not all clients are supposed to access this sensitive data; only privileged customers are allowed to access it. To secure the application we need to implement security.
What is Authentication and Authorization: - It is easy to confuse Authentication and Authorization.
Authentication is proving that it’s you. With User id and password, we can verify our authenticity.
Authorization is what you can access and what you are restricted from. Authorization comes into the picture once verification passes. It’s an industry gold standard to use OAuth2.0 for authorization.
Authentication methods in Spring Boot: - Here are some of the Authentication methods available in Spring Boot.
1. Basic Authentication
2. JWT Authentication
3. JPA Authentication
4. OpenID Connect
5. API keys
1. Basic Authentication: - It is a method for a web browser to provide a username and password when making a request. It is the simplest technique for enforcing access control on web resources. It doesn’t require cookies or session identifiers. HTTP Basic Authentication is trivial and is not used in serious production systems. In enterprise-grade REST APIs people prefer to use JWT with OAuth2.0 authorization. The credentials are only Base64-encoded, not encrypted, so if we end up using HTTP Basic Authentication it’s better to use it over HTTPS so the connection between the parties is encrypted.
2. JWT (JSON Web Token): - A browser makes a request to the authentication server with the user’s login information. The authentication server generates a new JWT access token and returns it to the client. On every request to a restricted resource, the client sends the access token in the query string or the Authorization header (the header is the safer choice, because URLs tend to end up in logs and browser history). The server then validates the token. If the access token is valid, the server returns the secured resource to the client.
Advantages of Token-Based Authentication: -
Access token contains all the information to identify the user, so we don’t need the session state.
We can reuse the same token for authenticating user even if we have multiple servers running on multiple platforms. It is easy to build an application that shares permissions with another application.
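The payload of a signed JWT is only Base64url-encoded, so anyone who holds the token can read it. We should therefore still encrypt our tokens using JWE if we have to put any sensitive information in them. Transmit access tokens over HTTPS to prevent man-in-the-middle attacks.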
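The issue-and-validate flow described above, as an added example that is not from the original post. It uses only the JDK; the class name `JwtCheckDemo`, the key and the claims are constructed for illustration, and HS256 with a shared secret is an assumption, since the post does not name a signing algorithm.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import static java.nio.charset.StandardCharsets.UTF_8;

public class JwtCheckDemo {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    // Demo-only claim extraction; a real service would use a JSON/JWT library.
    static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
    static String b64(String s) { return ENC.encodeToString(s.getBytes(UTF_8)); }

    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(UTF_8));
    }

    // Authentication server: sign "header.payload" with the secret key.
    static String issue(byte[] key, String payloadJson) throws Exception {
        String signed = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}") + "." + b64(payloadJson);
        return signed + "." + ENC.encodeToString(hmac(key, signed));
    }

    // Resource server, on every request. The algorithm is pinned to HS256 and
    // never read from the token header; a missing or past "exp" is rejected.
    static boolean isValid(byte[] key, String token, long nowSec) {
        try {
            String[] p = token.split("\\.", -1);
            if (p.length != 3) return false;
            byte[] expected = hmac(key, p[0] + "." + p[1]);
            if (!MessageDigest.isEqual(expected, DEC.decode(p[2]))) return false; // constant-time
            Matcher m = EXP.matcher(new String(DEC.decode(p[1]), UTF_8));
            return m.find() && Long.parseLong(m.group(1)) > nowSec;
        } catch (Exception e) {
            return false; // malformed Base64, oversized number, and so on
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-secret-0123456789ab".getBytes(UTF_8); // constructed key
        long now = System.currentTimeMillis() / 1000;
        String token = issue(key, "{\"sub\":\"alice\",\"role\":\"user\",\"exp\":" + (now + 300) + "}");
        String[] p = token.split("\\."); // forged: payload changed, old signature reused
        String forged = p[0] + "." + b64("{\"sub\":\"alice\",\"role\":\"admin\",\"exp\":" + (now + 300) + "}") + "." + p[2];
        System.out.println("payload readable without key: " + new String(DEC.decode(p[1]), UTF_8));
        System.out.println("genuine=" + isValid(key, token, now) + " forged=" + isValid(key, forged, now) + " expired=" + isValid(key, token, now + 301));
    }
}
```

The first printed line shows the claims recovered without the key, which is why sensitive data needs JWE; the second shows that only the untampered, unexpired token passes.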
3. JPA Authentication: - JPA stands for Java Persistence API. JPA is a Java specification that provides certain functionality and standards for ORM (Object Relational Mapping) tools. Hibernate implements the JPA specification. With this method, web pages in a Java web application based on the Spring framework are secured using Spring Security APIs. The credentials are stored in a MySQL database, and Spring Data JPA with Hibernate is used for the data access layer.
4. OpenID Connect (OIDC): - OIDC is an identity layer built on top of the OAuth2.0 framework. OIDC allows third-party providers like Facebook, Google, Yahoo etc. to verify the end user’s identity. After the user is authenticated, the web requests use JWTs to send and receive information.
5. API Keys Authentication: - If an application tries to access another application, the target API wants to know whether the requesting application is legitimate and authorized to access the information. This method creates unique keys for developers, which are passed along with every request. The API generates a secret key that is a long, difficult-to-guess string of numbers and letters. Usually, it’s at least 30 characters long. The API key is passed in the API authorization header.
Identifying the best authentication method for your business is key to keeping the application secure. It’s always best practice to apply some level of security to applications rather than having “NO AUTHENTICATION” at all.