
Introducing the Demo App and its Components
Databases (PostGreSQL):
Business application database/schema
User/security database/schema
Web Services (Spring Boot)
Business Application: “FboAce”
Authorization Server/Gateway to User Database: “Fortress”
Client UI Application (Angular)
Database: Schema Design Considerations
Application database/schema
Application design (surrogate keys)
with additional namespace differentiator column in all transactional tables for data segregation.
User/Security database/schema
"Utility" design (immutable unique business identifiers)
with overloaded usage of username column for data namespace specification
The Business Application Database Design & DDL
Tables, views, triggers, functions
The attached file resource contains all of the SQL scripts to create and pre-populate the business AND user/security database tables and related objects.
For a more in-depth introduction to PostGreSQL, see my course "Introduction to Database Application Development with Spring Boot, Angular and PostGres": https://www.udemy.com/course/intro-db-app-dev-springboot-angular/
Web Services:
Authorization Server/Gateway to User Database: “Fortress”
Business Application: “FboAce”
Fortress and FboAce share common library: “RadSpringSecurity”
Review of Database CRUD operations with the Java Persistence API (JPA):
See my course “Introduction to Database Application Development with Spring Boot, Angular, and Postgres”
https://www.udemy.com/course/intro-db-app-dev-springboot-angular
JPA video discourses included in Extra Appendix to this course
Spring Security User Management/Service interfaces
interface UserDetailsService
Methods:
UserDetails loadUserByUsername(String username)
interface UserDetailsManager extends UserDetailsService
Methods:
void createUser(UserDetails user)
void updateUser(UserDetails user)
void deleteUser(String username)
void changePassword(String oldPassword, String newPassword)
UserService extends UserDetailsManager
Custom methods:
List<? extends SimpleUser> getAllSimple ();
SimpleUser getSimpleUser(String userName) throws Exception;
SimpleUserPass getSimpleUserPass(String userName) throws Exception;
SimpleUser addUserPass (SimpleUserPass userPass);
SimpleUser updateUserPass (SimpleUserPass userPass) throws Exception;
int deleteUserPass (String username) throws Exception;
Boolean validateUserPass (SimpleUserPass userPass) throws Exception;
int addUserRole (UserRole userRole) throws Exception;
int removeUserRole (UserRole userRole) throws Exception;
List<? extends SimpleUser> getAllUsersPerPrincipal(String principal);
List<? extends UserRole> getAllRolesPerUser(String username);
List<? extends GrantedAuthority> getAuthorities (String username);
User Accounts (and passwords): Creating, Retrieving, Updating and Deleting
Fortress is our demo Spring Boot web service which exposes CRUD operations on the User/security database tables.
When creating/updating User records, we don’t save the password in clear text.
We encrypt (hash) them before saving to the database.
org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
implements PasswordEncoder
Also enables us to validate them later, during Authentication
Sneak Peek: @EnableWebSecurity
The class with this annotation is the heart of the Spring Security configuration and magic in your Spring app.
We will have much more to say about it later (under “Authorization”), but for now we are only interested in its secondary function as a(n) @Configuration class, provider of @Beans.
Specifically, a bean of type PasswordEncoder.
HOW does Fortress provide for FboAce to log in/authenticate?
Authorization: Introducing @EnableWebSecurity and @Bean SecurityFilterChain
How does Fortress know how to permit or deny access to a requested resource?
HttpSecurity and its builder methods
FboAce:
public class FortressAuthenticationProvider implements AuthenticationProvider ...
Different implementation than Fortress:
public class UserPassAuthenticationProvider implements AuthenticationProvider ...
FortressAuthenticationProvider calls/delegates to Fortress
WebClient (More current than RestTemplate):
pom.xml entry:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
See code examples in FboAce:
./main/java/com/radinfodesign/fboace04/security/config/WebClientConfig.java
./main/java/com/radinfodesign/fboace04/security/component/FortressAuthenticationProvider.java
./main/java/com/radinfodesign/fboace04/security/service/FortressLoginService.java
Resources:
https://docs.spring.io/spring-framework/reference/web/webflux-webclient.html
https://spring.academy/guides/spring-webclient-gs
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/reactive/function/client/WebClient.html
https://www.baeldung.com/webflux-webclient-parameters
@EnableMethodSecurity, MethodSecurityExpressionHandler and PermissionEvaluator
@PreAuthorize()
@PostAuthorize()
Spring Expression Language:
https://docs.spring.io/spring-framework/docs/3.0.x/reference/expressions.html
https://docs.spring.io/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/access/PermissionEvaluator.html
More on method-level authorization:
https://www.baeldung.com/spring-security-method-security
https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html
Implementing Authentication and (Role-based) Authorization in Angular
How can an Angular UI app facilitate Authentication of its users against a web service like FboAce?
How may the Angular app know what modules, elements and/or data it may present to and/or enable for a user?
For an in-depth treatment (from complete beginner) of Angular, Typescript and the demo UI app for FboAce, see the course "Introduction to Database Application Development with Spring Boot, Angular and PostGres": https://www.udemy.com/course/intro-db-app-dev-springboot-angular/
(Role-based) Authorization in Angular (External to Spring Boot/Security)
Even if you have little or no interest in Angular or Typescript, we highly recommend watching this discourse, if only to get a conceptual understanding of the mechanics of this very important feature.
LoginService
public isPermitted(subject: string, permission: string): boolean
AuthorizationService
public isPermitted(subject: string, permission: string, authorities: string[]): Boolean
Entity Component class / constructor
this.mayEditData = this.isPermitted(PATH_ENTITY, PERMISSION__ALL);
Entity Component HTML template
Structural Directive: *ngIf
<button *ngIf=" isPermitted(SUBJECT_AIRPORT, PERMISSION_NAVIGATE)"
spring-boot-starter-security and @EnableWebSecurity
Custom Filter Insertions
HttpSecurity
.addFilterBefore(customFilterBean1Name, SpringFilter.class)
.addFilterAt(customFilterBean2Name, SpringFilter.class)
.addFilterAfter(customFilterBean3Name, SpringFilter.class)
https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/HttpSecurityBuilder.html#addFilter(jakarta.servlet.Filter)
Maintaining User Data Records (SQL)
Using (Jdbc)UserDetailsManager
to:
Create, update, delete users
Grant, revoke authorities
The videos in this appendix are taken from the author's course “Introduction to Database Application Development with Spring Boot, Angular and Postgres” at
https://www.udemy.com/course/intro-db-app-dev-springboot-angular/?referralCode=3AB74AFDA723F00C4762
These videos are offered as a convenience to help students implement the SQL DDL and DML scripts associated with this course.
The video in this appendix is taken from the author's course “Introduction to Database Application Development with Spring Boot, Angular and Postgres” at
https://www.udemy.com/course/intro-db-app-dev-springboot-angular/learn/lecture/32221706
This discourse illustrates database design and ER Diagraming techniques with ER Studio, an in-depth discussion of the FboAce schema, and set-based business rule enforcement and facilitation in particular ("Only Pilots certified in an Aircraft Type may be assigned to Flights piloting Aircraft of that Type").
The enforcement of business rules of this nature are as much a part of your application's Security profile as anything else; remember Confidentiality, Availability and INTEGRITY.
A complete practical case study and tutorial featuring the Spring Security framework.
Filters and configuration
Authentication
JSON Web Tokens (JWT)
Role-based Authorization
In-depth theory
Also:
General Cybersecurity principles and concepts
Cryptography: Encryption, encoding and hashing
Symmetric and Asymmetric (public/private key) encryption
HTTP over SSL/TLS (HTTPS)
Digital Certificates & Public Key Infrastructure (PKI)
TLS Cipher Suites and handshakes
Case study of a Demo App with 2 Spring Boot REST web services, an Angular/Typescript UI client app and PostGreSQL database(s), which
Encrypts all communication between browser and server via HTTP over SSL/TLS (HTTPS)
Establishes trust via signed digital certificates (Public Key Infrastructure -- PKI)
Requires valid credentials to log in.
Custom example user/role/resource/action/authority database.
Limits access to resources in web service and client app according to roles / authorities of user account; detailed development of Authorization
Employs JSON Web Tokens (JWTs) as its authorization mechanism.
NOT WebMvc: Does NOT track sessions or JSESSONID cookies; does not output HMTL, login forms etc. (not JSP or Thymeleaf)
Rather, REpresentational State Transfer (REST): Exchanges JSON data payloads with clients
Assumes clients take care of all UI elements, HTML code, css, Javascript etc.
Course Structure
Part 0: Is this Course Right for Me?
Part 1: General Cyber Security Principles
Part 2: Introducing the Demo App and its Components
Part 3: Application Security elements BEFORE adding the Spring Security Framework
Part 4: The Spring Security Framework in our Demo App
Part 5: A Deeper Dive into Spring Security Architecture and Theory