Date: 2021-10-16

6. Harden authentication

Most web applications need to decide which resources the current user may access. The rules defining who can do what are the authorization rules, and one key input they depend on is knowing who the user actually is, which is the job of authentication. A failure in authentication can compromise the whole application, so it is essential to secure this layer as much as possible.

Spring Security simplifies authentication and helps you make it more secure. By default, it includes a form-based login page that verifies the username and password provided by the user against the application's user database, and then keeps track of the user's authentication for the rest of their session. This behavior is configurable by extending the WebSecurityConfigurerAdapter class, which lets you define how your users are authenticated and control other aspects such as whether a “remember me” feature is offered.

One key aspect to consider is the storage of passwords. If you store your users’ password hashes in your application database, you must assume that a malicious actor could gain access to that database and use it to perform an offline brute-force attack on the passwords. One way to protect against that is to use a one-way password hashing algorithm that is deliberately slow, so that such a brute-force attack cannot be completed quickly. The current recommendation is to use bcrypt with a cost factor of 13. With Spring, you do this by exposing a PasswordEncoder bean, typically through a passwordEncoder() method in your security configuration.
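The following is an added example, not code from the original post: a Spring configuration that exposes a bcrypt PasswordEncoder with cost factor 13, plus a standalone main() showing how hashing, verification and cost-upgrade detection behave. The class name and the sample passwords are constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class PasswordEncoderConfig {

    // bcrypt cost factor 13 means 2^13 key-expansion rounds, as recommended above.
    private static final int BCRYPT_COST = 13;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(BCRYPT_COST);
    }

    // Standalone demonstration (not wired by Spring): hash once, verify, and show
    // that a hash stored with a weaker cost is flagged for re-encoding.
    public static void main(String[] args) {
        PasswordEncoder encoder = new PasswordEncoderConfig().passwordEncoder();
        String rawPassword = "correct horse battery staple"; // constructed sample

        String stored = encoder.encode(rawPassword);
        // Modular crypt format: $2a$13$<22-char salt><31-char hash>; the cost and
        // salt travel with the hash, so nothing else needs to be stored per user.
        System.out.println("stored hash:          " + stored);
        System.out.println("cost prefix is $2a$13: " + stored.startsWith("$2a$13$"));

        // matches() re-hashes the candidate with the salt embedded in the stored
        // value and compares the results; the plaintext is never persisted.
        System.out.println("correct password:     " + encoder.matches(rawPassword, stored));
        System.out.println("wrong password:       " + encoder.matches("wrong", stored));

        // Every encode() call draws a fresh random salt, so two hashes of the same
        // password differ, which defeats precomputed (rainbow-table) lookups.
        String again = encoder.encode(rawPassword);
        System.out.println("salted hashes differ: " + (!stored.equals(again)));

        // A hash produced earlier with a lower cost (10 here, constructed) should be
        // re-hashed at the user's next successful login to reach the current cost.
        String legacy = new BCryptPasswordEncoder(10).encode(rawPassword);
        System.out.println("legacy needs upgrade: " + encoder.upgradeEncoding(legacy));
    }
}
```

With cost 13 a single verification takes on the order of hundreds of milliseconds on typical server hardware, so measure login latency on your own deployment before raising the cost further.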