
Identification and Implementation of Authentication and Authorization Patterns in the Spring Security Framework

Aleksander Dikanski, Roland Steinegger, Sebastian Abeck
Research Group Cooperation & Management (C&M)
Karlsruhe Institute of Technology (KIT)
Karlsruhe, Germany
{ a.dikanski, abeck }@kit.edu, [email protected]

Abstract—In the development of secure applications, patterns are useful in the design of security functionality. Mature security products or frameworks are usually employed to implement such functionality. Yet, without a deeper comprehension of these products, the implementation of security patterns is difficult, as a non-guided implementation leads to non-deterministic results. In this paper, the Spring Security framework is analyzed with the goal of identifying supported authentication and authorization patterns. Additionally, a best practice guide on implementing the identified patterns using the framework is presented. A real world case study is presented, in which the findings are employed to implement security requirements in a web application. With this approach it is possible to overcome the gap between pattern-based security design and implementation to implement high quality security functionality in software systems.

Keywords - security patterns; security framework; security engineering; authorization; authentication

I. INTRODUCTION

Security engineering aims for a consecutive secure software development by introducing methods, tools, and activities into a software development process [1]. As such, each phase of the software development needs to consider security aspects: in the analysis phase security requirements are identified, in the design phase security functionality is modeled in conjunction with the main business functionality and finally, security solutions are realized in the implementation phase.

Security patterns are an agreed upon method to describe best practice solutions for common security problems [2]. When designing security functionality for an application such patterns can be instantiated in the design model to cover a certain security requirement.

The reuse of existing security functionality, i.e., in the form of security components, frameworks or products, is considered best practice as well, as they usually cover a great percentage of existing security requirements. Their maturity can usually not be achieved by implementing it completely new, so self-made solutions should extend it as well. By doing so, the quality of the security functionality of the developed application is increased. Also, as the main focus of software development lies upon the implementation of the business functionality, the reuse of existing functionality increases the efficiency of the implementation process.

Implementing security patterns using existing security functionality is complicated. For one, their built-in flexibility to support many different application contexts leads to a high complexity, requiring a deep understanding of the internal workings. This often raises the question, if and how the required security patterns can be implemented with the selected product. In such a case, the security functionality needs to be analyzed by security experts to determine the supported patterns.

Such an analysis is especially useful, if a model-driven approach is used to automatically generate security-related artifacts from design models. The identified and supported patterns of the framework or product can be used to describe the target platform and to generate framework artifacts from design models. Such an approach is part of a reuse-based security engineering approach, which we outlined in earlier works [3].

In this paper, the capabilities of the popular open source authentication and authorization framework Spring Security [4] are examined. The goal thereby is to identify support for common patterns by Spring Security and provide a reusable catalog of best practice advice on how to implement them in a high quality fashion. These informal descriptions can be used by developers in the need to evaluate security frameworks as well as a guide to implementation. Also, they can be used to describe formal transformation rules for a model-driven approach.

The rest of this paper is structured as follows: Section 2 introduces the Spring Security framework and discusses related work. In Section 3, the relationship of the pattern-based framework description to our reuse-based security engineering approach is described. The identified security patterns and their equivalent implementation using Spring Security are covered in Section 4. In Section 5, a real-world case study is presented, which shows the security pattern implementation using Spring Security. A conclusion and outlook on future work closes the body of this paper.

II. BACKGROUND AND RELATED WORK

The following section provides a background on the Spring Security framework and discusses related works.

A. Background on Spring Security

Spring Security is an open source Java framework, providing highly flexible and extensible authentication, authorization, and access control solutions [5][6].

The modular framework consists of loosely coupled components, which are connected using dependency injection. The core classes and their dependencies are shown in Figure 1. The Authentication class stores user information. It is part of a SecurityContext class for every authenticated user in an application. An AuthenticationManager loads this data and verifies the authenticity of users using offered credentials and information from a user store [5].

To intercept secured resource access, classes extend the AbstractSecurityInterceptor class, which is the central class in terms of authorization. Thereby, the SecurityContext and SecurityMetadataSource classes offer information about the current user and the secured object respectively. Access decisions are performed by the AccessDecisionManager, which is also called by the AbstractSecurityInterceptor. The AccessDecisionManager calls voters, which decide whether access is granted or not and which can be added dynamically to the application. Thus, the voter system abstracts from an access control mechanism.

Although it can be used for desktop applications, the main purpose of Spring Security is to secure web applications based on the Java Platform Enterprise Edition (JEE, [26]). The framework integrates with many authentication technologies and standards, e.g., Lightweight Directory Access Protocol (LDAP), Central Authentication System (CAS), OpenID and OAuth. Spring Security also provides support for basic role-based access control [6]. Due to its flexible architecture the framework can easily be adapted and extended to support other forms of authentication and authorization and access control as well.

B. Related Work

Due to the identification of security patterns, the work is based on common security pattern literature. A comprehensive catalog of abstract and context-specific security patterns for, e.g., operating systems, can be found in [2]. Identity management as well as access control patterns are discussed in [7] and [8]. Patterns specific to the JEE platform are described in [9]. Authorization patterns for the Extensible Access Control Markup language (XACML) are discussed in

Security framework. Pattern based security engineering processes are discussed in [11] and [12], yet they do not consider the implementation of patterns using security platforms.

An automated retrieval of security patterns in existing software, such as discussed in [13] and [14], would be useful in the identification process. Unfortunately, the retrieval rate of the approaches is still too low to be useful for our goals. Applying them would only show the patterns implemented in the software, not all possibilities of the security framework. This is why a manual approach was applied.

The pattern-based platform description presented here is a feasible enhancement to model-driven security approaches, which is not considered by other such approaches, e.g., [15][16][17]. We aim at describing the target security platform using security patterns, to simplify the transformations and easily adapt them to new platforms.

Background information on the Spring Security framework, its inner relations and concepts as well as its usage can be found in the community documentation as well as in [5] and [6]. These descriptions are not based on security patterns and do not show all possible applications of the framework.

III. REUSE-BASED SECURITY ENGINEERING

The pattern-based identification and description of security functionality in existing frameworks is part of a reuse-oriented security engineering approach, presented in [3]. We argue for reuse of existing security functionality as well as knowledge throughout the phases of development processes to increase the quality and the development efficiency of the implemented software artifacts. Security problems, which cannot be covered by existing models and functionality, can benefit from a reuse approach by extending or adapting them to a new context.

For one, the reuse of knowledge about possible threats and attacks against information resources, as well as appropriate countermeasures, is feasible in the analysis of security requirements of an application.

The topic discussed in this paper covers the design and implementation phase of the engineering process. In the design phase existing security knowledge should be used to determine possible solutions for security problems. Security patterns
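The voter mechanism described in Section II-A, as an added example (not code from the paper or from the Spring Security project): a hypothetical SuspendedAccountVoter runs beside the framework's RoleVoter, and the same two votes are evaluated by AffirmativeBased, which grants on any single grant vote, and by UnanimousBased, which denies on any deny vote. It assumes spring-security-core on the classpath in a version that still ships the org.springframework.security.access.vote classes; the user, authorities and resource path are constructed.

```java
import java.util.Collection;
import java.util.List;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class VoterDemo {
    /** Hypothetical voter: vetoes any principal carrying the constructed SUSPENDED authority. */
    static class SuspendedAccountVoter implements AccessDecisionVoter<Object> {
        public boolean supports(ConfigAttribute attribute) { return true; }
        public boolean supports(Class<?> clazz) { return true; }
        public int vote(Authentication auth, Object object, Collection<ConfigAttribute> attrs) {
            boolean suspended = auth.getAuthorities().stream()
                    .anyMatch(a -> "SUSPENDED".equals(a.getAuthority()));
            return suspended ? ACCESS_DENIED : ACCESS_ABSTAIN;
        }
    }

    /** Asks the manager for a decision on a resource that requires ROLE_ADMIN. */
    static boolean isGranted(AccessDecisionManager adm, Authentication auth, Object resource) {
        try {
            adm.decide(auth, resource, SecurityConfig.createList("ROLE_ADMIN"));
            return true;   // decide() returns normally when access is granted
        } catch (AccessDeniedException e) {
            return false;  // decide() signals denial by throwing
        }
    }

    public static void main(String[] args) {
        // RoleVoter grants on the ROLE_ADMIN authority; the custom voter denies on SUSPENDED.
        List<AccessDecisionVoter<?>> voters = List.of(new RoleVoter(), new SuspendedAccountVoter());
        Authentication alice = new UsernamePasswordAuthenticationToken(   // constructed user
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN", "SUSPENDED"));
        String resource = "/admin/reports";                               // constructed path
        System.out.println("AffirmativeBased: " + isGranted(new AffirmativeBased(voters), alice, resource));
        System.out.println("UnanimousBased:   " + isGranted(new UnanimousBased(voters), alice, resource));
    }
}
```

A voter intended as a veto only takes effect under a decision strategy that honours deny votes, so the choice of AccessDecisionManager implementation is part of the access control policy.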