How to Secure Your Web Application (Part 3) – Authentication & Access Control
- Nadeeshani Nawarathne

- Nov 27, 2023
- 3 min read

Everything’s good so far. We developed a web application and secured it using Spring Security and other practices. Spring Security offers in-memory authentication, but as the application grows it is best to hand authentication over to a cloud-based Identity Provider; that is the most advisable approach.
“Authentication? Cloud-based Identity Provider? What?” I know, I know. I’m driving too fast. It’s time to slow down, take a step back and understand all of these, and then see how we can integrate them with our application.
What is Authentication?
Authentication is the process of verifying the identity of an entity, typically a user or a system, to ensure that they are who they claim to be.
Several authentication protocols exist; here is a brief overview of the main ones.
OAuth (Open Authorization)
This is designed for delegated authorization, allowing third-party applications to access resources on behalf of the resource owner (user) without sharing credentials.
OpenID Connect (OIDC)
It’s an authentication layer built on top of OAuth 2.0, enabling authentication and Single Sign-On (SSO) capabilities.
SAML (Security Assertion Markup Language)
XML-based framework for exchanging authentication and authorization data between parties.
What is an IDP?
An IDP is a system or service responsible for managing and verifying user identities and authentication within a network or across multiple applications.
A cloud-based IDP operates in the cloud environment, offering identity and access management services through a cloud-based platform. Examples of cloud-based IdPs are Okta, Asgardeo, OneLogin and Azure AD.
A cloud-based IDP provides services such as:
1. Single Sign-on (SSO)
2. User Authentication
3. Access Control and Authorization
4. Security
5. User provisioning and Management
In our application, we are going to use Okta as our IDP. Though Okta supports almost all the popular authentication protocols, we’ll be using OIDC and OAuth 2.0, as they are complementary protocols.
Okta as an IDP
The authorization code flow of Okta looks like this

Implementing Authentication Using Okta
First, we need to create a Free Okta Developer account by accessing the Okta Developer page.
Next, we have to create a new application integration. Choose OIDC as the protocol and web as the application type.

After filling in the necessary details, save the application and obtain the client ID and client secret. These come in handy later.
Now let’s go to our application and add the following dependencies to pom.xml:
<dependency>
    <groupId>com.okta.sdk</groupId>
    <artifactId>okta-sdk-httpclient</artifactId>
    <version>7.0.0</version>
</dependency>
<dependency>
    <groupId>com.okta.sdk</groupId>
    <artifactId>okta-sdk-api</artifactId>
    <version>7.0.0</version>
</dependency>
<dependency>
    <groupId>com.okta.sdk</groupId>
    <artifactId>okta-sdk-impl</artifactId>
    <version>7.0.0</version>
</dependency>
<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-boot-starter</artifactId>
    <version>3.0.5</version>
</dependency>

Now, the overridden configure method of the SecurityConfig class looks like this:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/customer/?**", "/booking/?**").permitAll()
                .antMatchers("/api/**").permitAll()
                .anyRequest().authenticated()   // everything else requires a logged-in user
            .and()
            .formLogin()
                .loginPage("/login")            // custom login page
                .permitAll()
            .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/clickfortrips/logout")) // Define the logout URL
                .invalidateHttpSession(true)    // Invalidate session
                .deleteCookies("JSESSIONID")    // Remove cookies upon logout
                .permitAll()
            .and()
            .oauth2Login()                      // Okta login through the OIDC authorization code flow
                .loginPage("/login")
            .and()
            // CSRF token kept in a cookie that client-side script may read and send back as a header
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}

Configure your application.properties by adding the following. Make sure to replace these values with the values you obtained previously in Okta:
okta.oauth2.issuer=your_okta_issuer_uri
okta.oauth2.clientId=your_okta_clientID
okta.oauth2.clientSecret=your_okta_client_secret

Redirect the user to the Okta sign-in page by placing a button or link that navigates to /oauth2/authorization/okta.
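The configure method above is written against the WebSecurityConfigurerAdapter API of Spring Boot 2, whereas okta-spring-boot-starter 3.x targets Spring Boot 3 and Spring Security 6, where that adapter and antMatchers() no longer exist. The following is an added example, not code from the original post or its repository, showing the same rules as a SecurityFilterChain bean in the Spring Security 6 lambda DSL. Package and class names are assumed; the public path patterns are written as /customer/** and /booking/** because a ? in an Ant pattern matches exactly one character, which is unlikely to be what the original patterns intended.

```java
// Added example (not part of the original post): Spring Security 6 form of the
// SecurityConfig, which is what the okta-spring-boot-starter 3.x line expects.
package com.example.clickfortrips.config; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Public pages first, then a deny-by-default rule for everything else.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/customer/**", "/booking/**").permitAll()
                .requestMatchers("/api/**").permitAll()
                .anyRequest().authenticated())
            // Local form login on the custom /login page.
            .formLogin(form -> form
                .loginPage("/login")
                .permitAll())
            // Okta login: Spring registers /oauth2/authorization/okta for the starter's
            // "okta" client registration, and the button on /login points there.
            .oauth2Login(oauth -> oauth
                .loginPage("/login")
                .permitAll())
            .logout(logout -> logout
                .logoutRequestMatcher(new AntPathRequestMatcher("/clickfortrips/logout"))
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .permitAll())
            // Same CSRF cookie choice as the post; the HttpOnly default is preferable
            // whenever no browser script needs to read the token.
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }
}
```

Keep the client secret out of the properties file that goes into version control: Spring resolves placeholders, so okta.oauth2.clientSecret=${OKTA_CLIENT_SECRET} lets the value come from the environment of the running process instead.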
Implementing Access Control with Okta
First, upon successful authentication with Okta, retrieve the sub value (the subject claim of the ID token) associated with the authenticated user. This sub value uniquely identifies the user.
Then associate that sub value with the User Id field in your database.
Next, modify the data retrieval logic to filter database queries by the sub value provided by Okta. For example, when fetching data, include a condition in your queries so that only records matching the user’s sub value are returned.
Finally, in your service or controller layer, retrieve data through the findByUserSub method of your repository, passing it the sub value obtained from Okta so that only data belonging to that specific user is fetched.
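The four steps above, carried through in code as an added example (not code from the original post or its repository). It stores the Okta sub on each record, takes the sub only from the principal that Spring Security validated, and folds the ownership check into the repository query so that a guessed id for someone else’s record returns nothing. The entity, repository, request class and /me/bookings path are assumptions; findByUserSub is the method named in the post. The path is deliberately outside the permitAll patterns of the post’s configuration, since under /api/** the principal would be null for anonymous callers.

```java
// Added example (not part of the original post): every read and write is scoped
// to the authenticated user's "sub" claim, never to an id the client supplies.
package com.example.clickfortrips.booking; // assumed package name

import java.util.List;
import java.util.Optional;

import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@Entity
class Booking {
    @Id @GeneratedValue
    private Long id;
    private String userSub;      // Okta "sub" of the owner, written once at creation
    private String destination;

    protected Booking() {}       // required by JPA
    Booking(String userSub, String destination) {
        this.userSub = userSub;
        this.destination = destination;
    }
    Long getId() { return id; }
    String getUserSub() { return userSub; }
    String getDestination() { return destination; }
}

interface BookingRepository extends JpaRepository<Booking, Long> {
    List<Booking> findByUserSub(String userSub);
    // Ownership is part of the query: a record owned by another sub is simply absent.
    Optional<Booking> findByIdAndUserSub(Long id, String userSub);
}

record BookingRequest(String destination) {}   // no owner field: the server decides ownership

@RestController
@RequestMapping("/me/bookings")
class BookingController {
    private final BookingRepository bookings;

    BookingController(BookingRepository bookings) { this.bookings = bookings; }

    // A user who signed in through the local form is not an OidcUser, so the
    // principal resolves to null; reject rather than fall back to a guessed identity.
    private static String requireSub(OidcUser user) {
        if (user == null) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Okta login required");
        }
        return user.getSubject();
    }

    @GetMapping
    List<Booking> myBookings(@AuthenticationPrincipal OidcUser user) {
        return bookings.findByUserSub(requireSub(user));
    }

    @GetMapping("/{id}")
    ResponseEntity<Booking> oneBooking(@PathVariable Long id, @AuthenticationPrincipal OidcUser user) {
        return bookings.findByIdAndUserSub(id, requireSub(user))
                .map(ResponseEntity::ok)
                .orElseGet(() -> ResponseEntity.notFound().build());
    }

    @PostMapping
    Booking create(@RequestBody BookingRequest req, @AuthenticationPrincipal OidcUser user) {
        return bookings.save(new Booking(requireSub(user), req.destination()));
    }
}
```

Returning 404 rather than 403 for a record owned by someone else avoids confirming that the id exists; the same pattern (findByIdAndUserSub) should be used for update and delete so that ownership is never checked after the fact on an already-loaded entity.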
Looks like we’ve come to the end of the journey. It was a safe ride with all the security aspects on point, wasn’t it?
Hope you got something out of this 3-part article series about securing your web application. So, when you embark on your journey of developing a web application, make sure to wear your seatbelts, because in this journey through the wild terrains of the internet, safety is always, always first!
If you want to take a look at the full project, it’s available here in this GitHub repository.
With much love,