Friday, April 2, 2010

Spring Security - a holistic solution for securing web applications

Performance and security should be considered the most important non-functional requirements while working on a technical architecture. Usually enough consideration is given to performance, while security is not contemplated as much: the security framework is plugged in once the complete application is already implemented, and the typical result is security checks scattered throughout the application. With the increasing number of electronic transactions involving business-critical data, this trend needs to change. Businesses are feeling the need for comprehensive security of data at rest and in motion, and it is becoming imperative to incorporate a solid security infrastructure in the application. This is driven by business needs as well as by the laws governing compliance requirements for various industries, e.g. HIPAA, GLM, SOX.

A home-grown solution developed to apply security in a web application is not unusual. A few years back, I worked on an insurance application with a custom security framework. It met the requirements well and the application was HIPAA compliant. But it was technically very challenging to work with: maintenance and tweaking of the framework was tedious. Moreover, implementing security in a similar application resulted in a complete rewrite of the security framework.

To alleviate these issues, the Spring framework has come up with an excellent security framework. It provides an out-of-the-box security solution that can be used as-is in the majority of applications. The framework is easy to understand and implement, and security can be applied speedily to most applications. I used "most" in the last sentence because in our case understanding the framework was easy, but applying it required a lot of thinking and effort. We used Spring Security in a completely different avatar, requiring loads of creativity and patience to get the desired results. We faced problems during our journey but eventually tweaked Spring Security to suit our requirements. In this blog, I'll describe the various Spring Security features for authentication and authorization and the tweaking we did to make the framework suit our requirements.

Authentication with Spring Security works on a filter-based approach, and there are multiple mechanisms (Digest, Basic, CAS, DB, LDAP) to implement authentication. It is very easy to use Spring Security in an application developed with a traditional JSP-based MVC framework such as Struts. Spring Security provides multiple password encoding algorithms, viz. base64, MD5, SHA. The best part is that all of this is easily configurable and the actual processing is left to Spring Security. The mechanisms to tackle frequent problems like concurrent session handling, logout, session fixation and remember-me are simple and easy to use in a configurable manner. Spring Security provides a chain of providers so that you can have your application authenticate via the database and then via LDAP if the previous one fails, or any other combination as per your needs. Spring Security provides a very easy way to localize all the default error messages it produces, and provides channel security if HTTPS is required; this can again be done via configuration. Spring Security provides very easy Basic authentication for requests from web services / XML-RPC clients, where the authentication information is provided in the request header. We did need to do some tweaking because we are using GWT, an AJAX framework: we were required to customize the authentication entry point and the exception translation filter so that an AJAX response can be sent when the user is unauthorized, rather than redirecting the user to the login page as is normally done. Spring Security has come up with all possible combinations for all security needs; for example, if you need to do authentication via LDAP then you can use bind authentication or password-encoder authentication as required.
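An added example, not code from the original post, of the entry-point customization described above: an AuthenticationEntryPoint that answers unauthenticated AJAX calls with a 401 and a JSON body instead of redirecting to the login page. It assumes the GWT client marks its calls with an `X-Requested-With: XMLHttpRequest` header (an assumption; GWT's RequestBuilder does not set it by default) and uses Spring Security 3.x class names.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/**
 * Entry point that distinguishes browser page loads from AJAX calls.
 * Page loads are delegated to the normal form-login entry point (redirect
 * to the login page); AJAX calls get a 401 with a small JSON body so the
 * client can show a login dialog instead of receiving redirected HTML.
 */
public class AjaxAwareAuthenticationEntryPoint implements AuthenticationEntryPoint {

    // Header assumed to be set by the GWT client on every RPC/AJAX request.
    private static final String AJAX_HEADER = "X-Requested-With";
    private static final String AJAX_VALUE = "XMLHttpRequest";

    private final AuthenticationEntryPoint pageDelegate;

    public AjaxAwareAuthenticationEntryPoint(AuthenticationEntryPoint pageDelegate) {
        this.pageDelegate = pageDelegate;   // e.g. a LoginUrlAuthenticationEntryPoint bean
    }

    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        if (isAjax(request)) {
            // No redirect: a 401 plus a body the client can parse.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().write("{\"error\":\"unauthenticated\"}");
            response.getWriter().flush();
        } else {
            pageDelegate.commence(request, response, authException);
        }
    }

    static boolean isAjax(HttpServletRequest request) {
        return AJAX_VALUE.equalsIgnoreCase(request.getHeader(AJAX_HEADER));
    }
}
```

Wire it with `<http entry-point-ref="ajaxEntryPoint">` in the security namespace configuration; the exception translation filter then calls it whenever an unauthenticated request reaches a protected URL. The authenticated-but-forbidden case (403) is handled separately by an AccessDeniedHandler.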

Applying authorization to UI objects using Spring Security is very easy, especially if you are using a JSP-based MVC framework like Struts: you can hide or display controls based on the available permissions using the tag libraries provided by Spring Security. But since we are using GWT, an AJAX-based framework, we needed to come up with a customized approach. Our approach is to access the database on module load to fetch all permissions and save them in memory. Later, during UI creation, these permissions stored in memory are used to control the display of UI objects.

To implement authorization on domain objects, Spring Security provides a DB model which can be used in most applications. However, in our case, because of stringent requirements for granular authorization on different objects, we were required to come up with a customized DB model and a custom approach. One more disadvantage we found with the default approach is that Spring Security uses after-invocation filtering to filter out objects. This means that if there are thousands of objects, first all records are retrieved from the database and then the desired ones are filtered out. For us this was a performance problem because of the very high transaction volume in our application.

Owing to the above-mentioned reasons, we tweaked the DB model. Additionally, we used a Spring method interceptor to enable Hibernate Filters and set the required parameters. Hibernate filters were used to filter out data at the database layer itself, so as to achieve the performance benefit. We also used MVEL2, an expression language, to enforce operation permissions on objects, e.g. for delete on a customer object. One more interesting piece of default functionality provided by Spring Security is the role voter: if the requirement is to have role definitions and provide security on the basis of roles, then the default implementation can be used. If the application data is not huge, then the default ACL-based approach should work fine.
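An added example (not the post's code) of the database-layer filtering described in the last two paragraphs: a Spring AOP MethodInterceptor that enables a Hibernate filter parameterized with the current principal before a service method runs, so rows the caller may not see never leave the database, instead of being fetched and then discarded by an after-invocation provider. The filter name `ownedByUser`, the `Customer` entity and its `owner_name` column are hypothetical; it assumes the interceptor runs inside the transaction that bound the current Hibernate session.

```java
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.annotations.Filter;
import org.hibernate.annotations.FilterDef;
import org.hibernate.annotations.ParamDef;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical entity: the filter restricts rows to the owning user. */
@javax.persistence.Entity
@FilterDef(name = "ownedByUser", parameters = @ParamDef(name = "username", type = "string"))
@Filter(name = "ownedByUser", condition = "owner_name = :username")
class Customer {
    @javax.persistence.Id Long id;
    @javax.persistence.Column(name = "owner_name") String ownerName;
}

/**
 * Enables the filter for the duration of one service call. The restriction
 * becomes part of the generated SQL, so listing customers returns only the
 * caller's rows rather than all rows filtered afterwards in memory.
 */
public class OwnerFilterInterceptor implements MethodInterceptor {
    private static final String FILTER = "ownedByUser";
    private final SessionFactory sessionFactory;

    public OwnerFilterInterceptor(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;
    }

    public Object invoke(MethodInvocation invocation) throws Throwable {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            // Fail closed: never run the query unfiltered.
            throw new AuthenticationCredentialsNotFoundException("no authenticated principal");
        }
        // Assumes a transactional session is already bound (advice ordered after the transaction interceptor).
        Session session = sessionFactory.getCurrentSession();
        session.enableFilter(FILTER).setParameter("username", auth.getName());
        try {
            return invocation.proceed();
        } finally {
            session.disableFilter(FILTER);   // do not leak the filter to later users of the session
        }
    }
}
```

Apply it to the service methods with an `<aop:config>` pointcut, ordered so that it runs after the transaction advice has opened the session.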

Spring Security helped us in other modules like auditing. Since Spring Security raises events for login, logout, session timeout and authentication failure, we could easily capture these events for auditing purposes.
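An added example of capturing those events, not taken from the post: a Spring ApplicationListener that records authentication successes and failures. It assumes Spring Security 3.x (the `org.springframework.security.authentication.event` package and a generic `ApplicationListener<E>`), and the `AuditLog` sink is a hypothetical interface; session-destruction events are published separately by HttpSessionEventPublisher and are not covered here.

```java
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/** Hypothetical audit sink; in practice a DAO writing to an append-only audit table. */
interface AuditLog {
    void record(String eventType, String principal, String remoteAddress, String detail);
}

/**
 * Receives every authentication event published by the AuthenticationManager
 * and writes one audit row per event. Credentials are deliberately never
 * read from the Authentication object, so passwords cannot end up in the log.
 */
public class AuthenticationAuditListener implements ApplicationListener<AbstractAuthenticationEvent> {
    private final AuditLog auditLog;

    public AuthenticationAuditListener(AuditLog auditLog) {
        this.auditLog = auditLog;
    }

    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        String principal = event.getAuthentication().getName();
        String remoteAddress = remoteAddressOf(event);
        // Event subclass names are stable identifiers: AuthenticationSuccessEvent,
        // InteractiveAuthenticationSuccessEvent, AuthenticationFailureBadCredentialsEvent, ...
        String eventType = event.getClass().getSimpleName();

        if (event instanceof AbstractAuthenticationFailureEvent) {
            // Record why it failed (exception type only; messages may echo user input).
            String reason = ((AbstractAuthenticationFailureEvent) event).getException().getClass().getSimpleName();
            auditLog.record(eventType, principal, remoteAddress, reason);
        } else {
            auditLog.record(eventType, principal, remoteAddress, null);
        }
    }

    /** Web logins carry the client address in WebAuthenticationDetails; other sources do not. */
    private static String remoteAddressOf(AbstractAuthenticationEvent event) {
        Object details = event.getAuthentication().getDetails();
        if (details instanceof WebAuthenticationDetails) {
            return ((WebAuthenticationDetails) details).getRemoteAddress();
        }
        return null;
    }
}
```

Declare the listener as a bean in the same application context as the AuthenticationManager; a form login publishes both an AuthenticationSuccessEvent and an InteractiveAuthenticationSuccessEvent, so de-duplicate by event type if you only want one row per login.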

Since we are covering security, I will briefly touch on other additional measures, e.g. using SSL for transport security, message encryption for message-transfer security, and partitioning and encryption of data in the database. You would also be required to implement a solid auditing framework to audit and record all access to sensitive application data.

Looking back through our experience, I would recommend Spring Security for any J2EE web application. Depending on requirements, you can use the default security framework or tweak it as we did. My suggestion is to be ready for challenges and to get a firm knowledge of the framework in case you decide to tread the relatively difficult path of implementing granular security as we did.
