SlideShare une entreprise Scribd logo
1  sur  68
Télécharger pour lire hors ligne
Building Layers of
Defense for Your
Application Using Spring
Security Framework
Neha Sardana
About Me
● Software Developer
● Fellow JUG Leader at Garden State Java User Group, NJ
and New York Java SIG, NY
● Building Spring based applications for almost 10 years
● Love to travel, practice yoga and watch cricket
● Github : nsardana-bny
● linkedin.com/in/nehasardana9786/
● Twitter: @nehasardana09, Medium: @neha-nsit
2
Agenda
● Authentication and Authorization
● Layers of defense for a web app
● Spring Security - The 5Ws
● Common Security Threats
● Protection against threats
● Basic Authentication
● JWT, OAuth and OpenID Connect
● Code!
● Principles of Application Security
3
Pre-requisites
● Java
● Spring Framework
● Maven
4
What is Security?
5
Authentication
● Authentication is about validating your credentials like User Name/User
ID and password to verify your identity.
● The system determines whether you are what you say you are using your
credentials.
6
Authorization
● Authorization is the process to determine whether the authenticated
user has access to particular resources.
● It verifies your rights to grant you access to resources such as
information, databases, files, etc.
● Authorization usually comes after authentication which confirms your
privileges to perform.
7
Layers of defense for a web app
8
● Network Firewall
● Login Page
● Security Questions
● Authentication or Multi-factor Authentication
● Hashing and/or Salting
● Authorization
Don’t give very specific error message to the user!!! EVER!
Introducing Spring
Security Framework
9
10
What is Spring Security?
● Spring Security is a powerful and highly customizable authentication and
access-control framework for Java based applications.
● It is the de-facto standard for securing Spring-based applications.
● Like all Spring projects, the real power of Spring Security is found in how
easily it can be extended to meet custom requirements
11
Why Use Spring Security?
● Easy Integration with Spring Boot
● Supported by large Open Source Community
● Authentication/Authorization (Out of the box)
● Application layer framework (not tied to a particular web server)
● Loosely Coupled
● Filter Entry point/Servlet
● Multiple authentication models
● Protects from Common Security Threats!
12
Why use Spring Security?
● Due to increased adoption of frameworks like Spring Security, many of
the previously common exploits such as: Cross Site Request Forgery and
Clickjacking and many others are no longer on OWASP (Open Web
Application Security Project) top 10.
13
How Spring Security
integrates
14
15
How to use Spring
Security in your
application
16
17
Add below code to your
pom.xml in Spring Boot Project
How Spring Security
Works
18
19
● To enable Spring Security, you have to register Spring Security Filter, also known
as, DelegatingFilterProxy, with your servlet container.
● DelegatingFilterProxy will forward all requests to other Spring Security Filters to
perform Authentication or Authorization checks.
● Two important things to kick start your security framework: Dispatcher Servlet &
Delegating Proxy Filter.
20
How Spring Security Works
21
Filter Interface
22
Filter Interface
● Init() - Called by the web container to indicate to a filter that it is being
placed into service.
● destroy() - Called by the web container to indicate to a filter that it is
being taken out of service.
● doFilter() - The doFilter method of the Filter is called by the container
each time a request/response pair is passed through the chain due to a
client request for a resource at the end of the chain.
● The FilterChain passed in to this method allows the Filter to pass on the
request and response to the next entity in the chain.
23
FilterChainProxy & Security Filter
Chain
● DelegatingFilterProxy delegates the request to FilterChainProxy (FCP) which in
turn delegates to another object SecurityFilterChain (SFC).
● SFC is a wrapper around collection of Spring Filters that performs actual security
tasks.
● When a request comes, FCP iterates through SFC in order to find the one which
matches with the request url.
● After the above step, the appropriate Filter is invoked to perform security tasks.
● The Order of SFC matters a lot!
● There are options to have multiple SFC in one application to have multiple types of
authentication for different types of URLs.
24
SecurityFilterChain Interface
25
SecurityFilterChain Interface
● matches() - returns boolean to checks if the request matches the filter
chain
● getFilters() - returns a list of security filters for the matched request
26
27
Authentication Flow
28
Authentication Flow
● Authentication Filter creates an “Authentication Request” and passes it to the
Authentication Manager
● Authentication Manager delegates to the Authentication Provider
● Authentication Provider uses UserDetailsService to load the UserDetails and
returns an “Authenticated Principal”
● Authentication Filter sets the Authentication in the SecurityContext
29
30
AuthenticationFilter
Authentication Principal
AuthenticationManager
Authentication Providers
Authentication Principal
Security Context
UserDetailsService
generates
authenticates
delegates
get UserDetails
SecurityContextHolder
adds
Authentication Object
● Principal - identifies the user. When authenticating with a
username/password this is often an instance of UserDetails.
● Credentials - Often a password. In many cases this will be cleared after
the user is authenticated to ensure it is not leaked.
● Authorities - the GrantedAuthorities are high level permissions the user
is granted. A few examples are roles or scopes.
31
32
Authentication Object
Authorization Flow
33
Authorization Flow
● FilterSecurityInterceptor obtains the “Security Metadata” by matching
the current request
● FilterSecurityInterceptor gets the current Authentication
● The Authentication, Security Metadata and Request is passed to the
AccessDecisionManager
● AccessDecisionManager delegates it to the AccessDecisionVoter(s) for
decisioning
34
What happens when there is
Exception?
● When “Access Denied” for current Authentication,
ExceptionTranslationFilter delegates to the AccessDeniedHandler and
returns a Http 403 status code
● When current Authentication is “Anonymous”,
ExceptionTranslationFilter delegates to the AuthenticationEntryPoint to
start the Authentication Process
35
Filter Chain Ordering
1. ChannelProcessingFilter
2. WebAsyncManagerIntegrationFilter
3. SecurityContextPersistenceFilter
4. HeaderWriterFilter
5. CorsFilter
6. CsrfFilter
7. LogoutFilter
8. OAuth2AuthorizationRequestRedirectFilter
9. Saml2WebSsoAuthenticationRequestFilter
10. X509AuthenticationFilter
11. AbstractPreAuthenticatedProcessingFilter
12. CasAuthenticationFilter
13. OAuth2LoginAuthenticationFilter
14. Saml2WebSsoAuthenticationFilter
15. UsernamePasswordAuthenticationFilter
16. OpenIDAuthenticationFilter
17. DefaultLoginPageGeneratingFilter
36
Filter Chain Ordering (Contd.)
18. DefaultLogoutPageGeneratingFilter
19. ConcurrentSessionFilter
20. DigestAuthenticationFilter
21. BearerTokenAuthenticationFilter
22. BasicAuthenticationFilter
23. RequestCacheAwareFilter
24. SecurityContextHolderAwareRequestFilter
25. JaasApiIntegrationFilter
26. RememberMeAuthenticationFilter
27. AnonymousAuthenticationFilter
28. OAuth2AuthorizationCodeGrantFilter
29. SessionManagementFilter
30. ExceptionTranslationFilter
31. FilterSecurityInterceptor
32. SwitchUserFilter
37
Common Security Threats
● Injection
● Broken Authentication
● Sensitive Data Exposure
● XML External Entities
● Broken Access Control
● Security Misconfiguration
● Cross-Site Scripting
● Insecure Deserialization
● Using Components with Known Vulnerabilities
● Insufficient logging and monitoring
38
How Spring Security
protects against
Threats
39
Spring Security Headers
40
Spring Security Headers
● Disables Browser Cache
○ If your application provides its own cache control headers Spring Security will
back out of the way
● Disables Content Sniffing
○ Content Sniffing- when the browser is trying to guess the content type of a
request
● Disables Frame (prevents Clickjacking)
○ By default Spring Security disables rendering pages within an iframe
● HTTP Strict Transport Security (HSTS)
○ Instructs Browser to treat this domain and subdomains as an HSTS host for a year
by default
41
Spring Security Headers
● Reflective XSS
○ Prevents Browser from rendering a page if it suspects a reflective XSS attack
42
CSRF Protection
● Cross-Site Request Forgery is an attack that forces a user to execute unwanted
actions in an application they’re currently logged into.
● If the user is a normal user, a successful attack can involve state-changing requests like
transferring funds or changing their email address.
● If the user has elevated permissions, a CSRF attack can compromise the entire
application.
● Spring Security uses Synchronizer Token Pattern where along with creating the
session cookie on authentication, it also creates a csrf token which a malicious site can
not access or use.
● On the backend side, CSRF Filter expects this token along with state changing
requests to allow the request to pass through.
43
Example of CSRF for SPA
44
HTTP Verb Tampering
● HTTP Verb Tampering is an attack that exploits vulnerabilities in HTTP verb (also
known as HTTP method) authentication and access control mechanisms.
● Many authentication mechanisms only limit access to the most common HTTP
methods, thus allowing unauthorized access to restricted resources by other HTTP
methods.
45
Example of HTTP Verb
Tampering
46
Enable Content Security Policy to
Prevent XSS Attacks
● Content Security Policy (CSP) is an added layer of security that helps mitigate XSS
(cross-site scripting) and data injection attacks.
● To enable it, you need to configure your app to return a Content-Security-Policy
header.
● You can also use a <meta http-equiv="Content-Security-Policy"> tag in your HTML
page.
47
Example for Content Security
Policy prevention
48
Session Fixation
● Session fixation attacks are a potential risk where it is possible for a malicious
attacker to create a session by accessing a site, then persuade another user to log
in with the same session (by sending them a link containing the session identifier
as a parameter, for example).
● Spring Security protects against this automatically by creating a new session or
otherwise changing the session ID when a user logs in.
49
HTTPS in Production and NOT
HTTP!
50
Basic Authentication
51
Basic Authentication
● Credentials are transmitted through header
● Header name: Authentication
● Header value: Basic + Base64(username:password)
● Eg: Authorization: Basic YMDDdnskdslkdlklsklddlk
52
Common Challenges with
Basic Authentication
● Base64 is easy to decode!
● Managing password hash with application data is a bottleneck.
● Sharing username and password for integrating with third party vendor can cause a lot
of problems.
● In case of a distributed application, while scaling up, you have to scale up the identity
and authentication mechanism as well.
● If starting from a monolith application and going further down into Microservices, you
will require Authentication and Authorization for each of the service which creating a
problem later.
53
Introducing OAuth2,
OIDC and JWT
54
55
Goal of OAuth2
● This was driven mainly because the applications realised that user password sharing
with multiple unknown apps was a big security threat.
● To allow applications to access data from third party apps without the users sharing
their password.
● Problems while implementing single sign on because of the need to share passwords
between applications
56
OAuth2
● OAuth 2.0 is the industry-standard protocol for authorization.
● OAuth 1.0 was published in Dec 2007.
● It uses scopes to define permissions about what actions an authorized user can
perform.
● However, OAuth 2.0 is not an authentication protocol and provides no information
about the authenticated user.
● https://auth0.com/
57
OpenID Connect
● OpenID Connect (OIDC) is an OAuth 2.0 extension that provides user information.
● It adds an ID token in addition to an access token, as well as a /userinfo endpoint that
you can get additional information from.
● It also adds an endpoint discovery feature and dynamic client registration.
58
59
JSON Web Token (JWT)
● Light weight
○ JSON Map Information
● Verifiable
○ Digitally signed and Base64 URL encoded
● Protocol Agnostic
○ Can be used standalone
● Expiration Time
60
Field Description
iat Indicates the token was "issued at"
jit JSON Token ID
iss Issuer of the token
exp Expiry time
sub Subject
aud Audience
JSON Structure
● Header
● Payload
● Signature
61
62
63
Code:
https://github.com/nsardana-bny/spring-security-
oauth2-okta-sample
64
Final Thoughts
65
Core Principles of Application
Security
● Minimize attack surface area
● Establish secure defaults
● The principle of least privilege
● The principle of defense in depth
● Fail securely
● Don’t trust services
● Separation of duties
● Avoid security by obscurity
● Keep security simple
● Fix security issues correctly
66
References
Medium Blog - Spring Security Code Walkthrough
Spring Design Principles
Top Courses on Spring Security
OWASP Top 10
Spring Security Reference
OAuth 2.1
Picture Credits: https://tinyurl.com/fp5pfux7 (Pluralsight.com)
67
Thank you!
Twitter: @nehasardana09
68

Contenu connexe

Tendances

Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOPDzmitry Naskou
 
Reactive programming by spring webflux - DN Scrum Breakfast - Nov 2018
Reactive programming by spring webflux - DN Scrum Breakfast - Nov 2018Reactive programming by spring webflux - DN Scrum Breakfast - Nov 2018
Reactive programming by spring webflux - DN Scrum Breakfast - Nov 2018Scrum Breakfast Vietnam
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
200.마이크로서비스에 적합한 오픈소스 WAS는 무엇?
200.마이크로서비스에 적합한 오픈소스 WAS는 무엇?200.마이크로서비스에 적합한 오픈소스 WAS는 무엇?
200.마이크로서비스에 적합한 오픈소스 WAS는 무엇?Opennaru, inc.
 
The Role of IAM in Microservices
The Role of IAM in MicroservicesThe Role of IAM in Microservices
The Role of IAM in MicroservicesWSO2
 
Introduction to Spring Cloud
Introduction to Spring Cloud           Introduction to Spring Cloud
Introduction to Spring Cloud VMware Tanzu
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
The Beginner’s Guide To Spring Cloud
The Beginner’s Guide To Spring CloudThe Beginner’s Guide To Spring Cloud
The Beginner’s Guide To Spring CloudVMware Tanzu
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
Spring boot introduction
Spring boot introductionSpring boot introduction
Spring boot introductionRasheed Waraich
 
Attacking ADFS Endpoints - DerbyCon
Attacking ADFS Endpoints - DerbyConAttacking ADFS Endpoints - DerbyCon
Attacking ADFS Endpoints - DerbyConKarl Fosaaen
 
Introduction to Swagger
Introduction to SwaggerIntroduction to Swagger
Introduction to SwaggerKnoldus Inc.
 

Tendances (20)

Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
 
Reactive programming by spring webflux - DN Scrum Breakfast - Nov 2018
Reactive programming by spring webflux - DN Scrum Breakfast - Nov 2018Reactive programming by spring webflux - DN Scrum Breakfast - Nov 2018
Reactive programming by spring webflux - DN Scrum Breakfast - Nov 2018
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Reactive programming intro
Reactive programming introReactive programming intro
Reactive programming intro
 
200.마이크로서비스에 적합한 오픈소스 WAS는 무엇?
200.마이크로서비스에 적합한 오픈소스 WAS는 무엇?200.마이크로서비스에 적합한 오픈소스 WAS는 무엇?
200.마이크로서비스에 적합한 오픈소스 WAS는 무엇?
 
Spring Boot Tutorial
Spring Boot TutorialSpring Boot Tutorial
Spring Boot Tutorial
 
Introduction to GraphQL
Introduction to GraphQLIntroduction to GraphQL
Introduction to GraphQL
 
The Role of IAM in Microservices
The Role of IAM in MicroservicesThe Role of IAM in Microservices
The Role of IAM in Microservices
 
Introduction to Spring Cloud
Introduction to Spring Cloud           Introduction to Spring Cloud
Introduction to Spring Cloud
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines
 
The Beginner’s Guide To Spring Cloud
The Beginner’s Guide To Spring CloudThe Beginner’s Guide To Spring Cloud
The Beginner’s Guide To Spring Cloud
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
 
Spring boot introduction
Spring boot introductionSpring boot introduction
Spring boot introduction
 
Attacking ADFS Endpoints - DerbyCon
Attacking ADFS Endpoints - DerbyConAttacking ADFS Endpoints - DerbyCon
Attacking ADFS Endpoints - DerbyCon
 
Introduction to Swagger
Introduction to SwaggerIntroduction to Swagger
Introduction to Swagger
 
An Introduction To REST API
An Introduction To REST APIAn Introduction To REST API
An Introduction To REST API
 
Spring boot
Spring bootSpring boot
Spring boot
 

Similaire à Building layers of defense for your application

Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerShivamSharma909
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
TW SEAT - DevOps: Security 干我何事?
TW SEAT - DevOps: Security 干我何事?TW SEAT - DevOps: Security 干我何事?
TW SEAT - DevOps: Security 干我何事?smalltown
 
Web applications security conference slides
Web applications security  conference slidesWeb applications security  conference slides
Web applications security conference slidesBassam Al-Khatib
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Security Innovation
 
Client /server security overview
Client /server security overviewClient /server security overview
Client /server security overviewMohamed Sayed
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 

Similaire à Building layers of defense for your application (20)

SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Cloud Identity Management
Cloud Identity ManagementCloud Identity Management
Cloud Identity Management
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Hyderabad MuleSoft Meetup
Hyderabad MuleSoft MeetupHyderabad MuleSoft Meetup
Hyderabad MuleSoft Meetup
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
TW SEAT - DevOps: Security 干我何事?
TW SEAT - DevOps: Security 干我何事?TW SEAT - DevOps: Security 干我何事?
TW SEAT - DevOps: Security 干我何事?
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Security testing
Security testingSecurity testing
Security testing
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Security testing
Security testingSecurity testing
Security testing
 
Web applications security conference slides
Web applications security  conference slidesWeb applications security  conference slides
Web applications security conference slides
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
 
Client /server security overview
Client /server security overviewClient /server security overview
Client /server security overview
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
 

Plus de VMware Tanzu

What AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItWhat AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItVMware Tanzu
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023VMware Tanzu
 
Enhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleEnhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleVMware Tanzu
 
Spring Update | July 2023
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023VMware Tanzu
 
Platforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductVMware Tanzu
 
Building Cloud Ready Apps
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready AppsVMware Tanzu
 
Spring Boot 3 And Beyond
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And BeyondVMware Tanzu
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023VMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023VMware Tanzu
 
tanzu_developer_connect.pptx
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptxVMware Tanzu
 
Tanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchVMware Tanzu
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishVMware Tanzu
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVMware Tanzu
 
Tanzu Developer Connect - French
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - FrenchVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023VMware Tanzu
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootVMware Tanzu
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerVMware Tanzu
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeVMware Tanzu
 
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsVMware Tanzu
 

Plus de VMware Tanzu (20)

What AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About ItWhat AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About It
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023
 
Enhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at ScaleEnhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at Scale
 
Spring Update | July 2023
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023
 
Platforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a Product
 
Building Cloud Ready Apps
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready Apps
 
Spring Boot 3 And Beyond
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And Beyond
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
 
tanzu_developer_connect.pptx
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptx
 
Tanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - French
 
Tanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - English
 
Virtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - English
 
Tanzu Developer Connect - French
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - French
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
 
SpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software Engineer
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs Practice
 
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
 

Dernier

10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024Mind IT Systems
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfproinshot.com
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfryanfarris8
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 

Dernier (20)

10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 

Building layers of defense for your application

  • 1. Building Layers of Defense for Your Application Using Spring Security Framework Neha Sardana
  • 2. About Me ● Software Developer ● Fellow JUG Leader at Garden State Java User Group, NJ and New York Java SIG, NY ● Building Spring based applications for almost 10 years ● Love to travel, practice yoga and watch cricket ● Github : nsardana-bny ● linkedin.com/in/nehasardana9786/ ● Twitter: @nehasardana09, Medium: @neha-nsit 2
  • 3. Agenda ● Authentication and Authorization ● Layers of defense for a web app ● Spring Security - The 5Ws ● Common Security Threats ● Protection against threats ● Basic Authentication ● JWT, OAuth and OpenID Connect ● Code! ● Principles of Application Security 3
  • 4. Pre-requisites ● Java ● Spring Framework ● Maven 4
  • 6. Authentication ● Authentication is about validating your credentials like User Name/User ID and password to verify your identity. ● The system determines whether you are what you say you are using your credentials. 6
  • 7. Authorization ● Authorization is the process to determine whether the authenticated user has access to particular resources. ● It verifies your rights to grant you access to resources such as information, databases, files, etc. ● Authorization usually comes after authentication which confirms your privileges to perform. 7
  • 8. Layers of defense for a web app 8 ● Network Firewall ● Login Page ● Security Questions ● Authentication or Multi-factor Authentication ● Hashing and/or Salting ● Authorization Don’t give very specific error message to the user!!! EVER!
  • 10. 10
  • 11. What is Spring Security? ● Spring Security is a powerful and highly customizable authentication and access-control framework for Java based applications. ● It is the de-facto standard for securing Spring-based applications. ● Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements 11
  • 12. Why Use Spring Security? ● Easy Integration with Spring Boot ● Supported by large Open Source Community ● Authentication/Authorization (Out of the box) ● Application layer framework (not tied to a particular web server) ● Loosely Coupled ● Filter Entry point/Servlet ● Multiple authentication models ● Protects from Common Security Threats! 12
  • 13. Why use Spring Security? ● Due to increased adoption of frameworks like Spring Security, many of the previously common exploits such as: Cross Site Request Forgery and Clickjacking and many others are no longer on OWASP (Open Web Application Security Project) top 10. 13
  • 15. 15
  • 16. How to use Spring Security in your application 16
  • 17. 17 Add below code to your pom.xml in Spring Boot Project
  • 19. 19
  • 20. ● To enable Spring Security, you have to register Spring Security Filter, also known as, DelegatingFilterProxy, with your servlet container. ● DelegatingFilterProxy will forward all requests to other Spring Security Filters to perform Authentication or Authorization checks. ● Two important things to kick start your security framework: Dispatcher Servlet & Delegating Proxy Filter. 20 How Spring Security Works
  • 21. 21
  • 23. Filter Interface ● Init() - Called by the web container to indicate to a filter that it is being placed into service. ● destroy() - Called by the web container to indicate to a filter that it is being taken out of service. ● doFilter() - The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. ● The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain. 23
  • 24. FilterChainProxy & Security Filter Chain ● DelegatingFilterProxy delegates the request to FilterChainProxy (FCP) which in turn delegates to another object SecurityFilterChain (SFC). ● SFC is a wrapper around collection of Spring Filters that performs actual security tasks. ● When a request comes, FCP iterates through SFC in order to find the one which matches with the request url. ● After the above step, the appropriate Filter is invoked to perform security tasks. ● The Order of SFC matters a lot! ● There are options to have multiple SFC in one application to have multiple types of authentication for different types of URLs. 24
  • 26. SecurityFilterChain Interface ● matches() - returns boolean to checks if the request matches the filter chain ● getFilters() - returns a list of security filters for the matched request 26
  • 27. 27
  • 29. Authentication Flow ● Authentication Filter creates an “Authentication Request” and passes it to the Authentication Manager ● Authentication Manager delegates to the Authentication Provider ● Authentication Provider uses UserDetailsService to load the UserDetails and returns an “Authenticated Principal” ● Authentication Filter sets the Authentication in the SecurityContext 29
  • 30. 30 AuthenticationFilter Authentication Principal AuthenticationManager Authentication Providers Authentication Principal Security Context UserDetailsService generates authenticates delegates get UserDetails SecurityContextHolder adds
  • 31. Authentication Object ● Principal - identifies the user. When authenticating with a username/password this is often an instance of UserDetails. ● Credentials - Often a password. In many cases this will be cleared after the user is authenticated to ensure it is not leaked. ● Authorities - the GrantedAuthorities are high level permissions the user is granted. A few examples are roles or scopes. 31
  • 34. Authorization Flow ● FilterSecurityInterceptor obtains the “Security Metadata” by matching the current request ● FilterSecurityInterceptor gets the current Authentication ● The Authentication, Security Metadata and Request is passed to the AccessDecisionManager ● AccessDecisionManager delegates it to the AccessDecisionVoter(s) for decisioning 34
  • 35. What happens when there is Exception? ● When “Access Denied” for current Authentication, ExceptionTranslationFilter delegates to the AccessDeniedHandler and returns a Http 403 status code ● When current Authentication is “Anonymous”, ExceptionTranslationFilter delegates to the AuthenticationEntryPoint to start the Authentication Process 35
  • 36. Filter Chain Ordering 1. ChannelProcessingFilter 2. WebAsyncManagerIntegrationFilter 3. SecurityContextPersistenceFilter 4. HeaderWriterFilter 5. CorsFilter 6. CsrfFilter 7. LogoutFilter 8. OAuth2AuthorizationRequestRedirectFilter 9. Saml2WebSsoAuthenticationRequestFilter 10. X509AuthenticationFilter 11. AbstractPreAuthenticatedProcessingFilter 12. CasAuthenticationFilter 13. OAuth2LoginAuthenticationFilter 14. Saml2WebSsoAuthenticationFilter 15. UsernamePasswordAuthenticationFilter 16. OpenIDAuthenticationFilter 17. DefaultLoginPageGeneratingFilter 36
  • 37. Filter Chain Ordering (Contd.) 18. DefaultLogoutPageGeneratingFilter 19. ConcurrentSessionFilter 20. DigestAuthenticationFilter 21. BearerTokenAuthenticationFilter 22. BasicAuthenticationFilter 23. RequestCacheAwareFilter 24. SecurityContextHolderAwareRequestFilter 25. JaasApiIntegrationFilter 26. RememberMeAuthenticationFilter 27. AnonymousAuthenticationFilter 28. OAuth2AuthorizationCodeGrantFilter 29. SessionManagementFilter 30. ExceptionTranslationFilter 31. FilterSecurityInterceptor 32. SwitchUserFilter 37
  • 38. Common Security Threats ● Injection ● Broken Authentication ● Sensitive Data Exposure ● XML External Entities ● Broken Access Control ● Security Misconfiguration ● Cross-Site Scripting ● Insecure Deserialization ● Using Components with Known Vulnerabilities ● Insufficient logging and monitoring 38
  • 39. How Spring Security protects against Threats 39
  • 41. Spring Security Headers ● Disables Browser Cache ○ If your application provides its own cache control headers Spring Security will back out of the way ● Disables Content Sniffing ○ Content Sniffing- when the browser is trying to guess the content type of a request ● Disables Frame (prevents Clickjacking) ○ By default Spring Security disables rendering pages within an iframe ● HTTP Strict Transport Security (HSTS) ○ Instructs Browser to treat this domain and subdomains as an HSTS host for a year by default 41
  • 42. Spring Security Headers ● Reflective XSS ○ Prevents Browser from rendering a page if it suspects a reflective XSS attack 42
  • 43. CSRF Protection ● Cross-Site Request Forgery is an attack that forces a user to execute unwanted actions in an application they’re currently logged into. ● If the user is a normal user, a successful attack can involve state-changing requests like transferring funds or changing their email address. ● If the user has elevated permissions, a CSRF attack can compromise the entire application. ● Spring Security uses Synchronizer Token Pattern where along with creating the session cookie on authentication, it also creates a csrf token which a malicious site can not access or use. ● On the backend side, CSRF Filter expects this token along with state changing requests to allow the request to pass through. 43
  • 44. Example of CSRF for SPA 44
  • 45. HTTP Verb Tampering ● HTTP Verb Tampering is an attack that exploits vulnerabilities in HTTP verb (also known as HTTP method) authentication and access control mechanisms. ● Many authentication mechanisms only limit access to the most common HTTP methods, thus allowing unauthorized access to restricted resources by other HTTP methods. 45
  • 46. Example of HTTP Verb Tampering 46
  • 47. Enable Content Security Policy to Prevent XSS Attacks ● Content Security Policy (CSP) is an added layer of security that helps mitigate XSS (cross-site scripting) and data injection attacks. ● To enable it, you need to configure your app to return a Content-Security-Policy header. ● You can also use a <meta http-equiv="Content-Security-Policy"> tag in your HTML page. 47
  • 48. Example for Content Security Policy prevention 48
  • 49. Session Fixation ● Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). ● Spring Security protects against this automatically by creating a new session or otherwise changing the session ID when a user logs in. 49
  • 50. HTTPS in Production and NOT HTTP! 50
  • 52. Basic Authentication ● Credentials are transmitted through header ● Header name: Authentication ● Header value: Basic + Base64(username:password) ● Eg: Authorization: Basic YMDDdnskdslkdlklsklddlk 52
  • 53. Common Challenges with Basic Authentication ● Base64 is easy to decode! ● Managing password hash with application data is a bottleneck. ● Sharing username and password for integrating with third party vendor can cause a lot of problems. ● In case of a distributed application, while scaling up, you have to scale up the identity and authentication mechanism as well. ● If starting from a monolith application and going further down into Microservices, you will require Authentication and Authorization for each of the service which creating a problem later. 53
  • 55. 55
  • 56. Goal of OAuth2 ● This was driven mainly because the applications realised that user password sharing with multiple unknown apps was a big security threat. ● To allow applications to access data from third party apps without the users sharing their password. ● Problems while implementing single sign on because of the need to share passwords between applications 56
  • 57. OAuth2 ● OAuth 2.0 is the industry-standard protocol for authorization. ● OAuth 1.0 was published in Dec 2007. ● It uses scopes to define permissions about what actions an authorized user can perform. ● However, OAuth 2.0 is not an authentication protocol and provides no information about the authenticated user. ● https://auth0.com/ 57
  • 58. OpenID Connect ● OpenID Connect (OIDC) is an OAuth 2.0 extension that provides user information. ● It adds an ID token in addition to an access token, as well as a /userinfo endpoint that you can get additional information from. ● It also adds an endpoint discovery feature and dynamic client registration. 58
  • 59. 59 JSON Web Token (JWT) ● Light weight ○ JSON Map Information ● Verifiable ○ Digitally signed and Base64 URL encoded ● Protocol Agnostic ○ Can be used standalone ● Expiration Time
  • 60. 60 Field Description iat Indicates the token was "issued at" jit JSON Token ID iss Issuer of the token exp Expiry time sub Subject aud Audience JSON Structure ● Header ● Payload ● Signature
  • 61. 61
  • 62. 62
  • 63. 63
  • 66. Core Principles of Application Security ● Minimize attack surface area ● Establish secure defaults ● The principle of least privilege ● The principle of defense in depth ● Fail securely ● Don’t trust services ● Separation of duties ● Avoid security by obscurity ● Keep security simple ● Fix security issues correctly 66
  • 67. References Medium Blog - Spring Security Code Walkthrough Spring Design Principles Top Courses on Spring Security OWASP Top 10 Spring Security Reference OAuth 2.1 Picture Credits: https://tinyurl.com/fp5pfux7 (Pluralsight.com) 67