To Spring Security 4.1 and Beyond


SpringOne Platform 2016
Speakers: Rob Winch (Spring Security Lead, Pivotal) and Joe Grandja (Spring Security Senior Engineer, Pivotal)

Exploits are continually evolving, which makes security hard. This is compounded by the fact that the technologies we need to secure are themselves a moving target.

In this talk we will discuss how to easily secure an application with Spring Security 4.1. We will focus on some of the new features found in Spring Security 4.1 and discuss the future direction of Spring Security.


1. To Spring Security 4.1 and Beyond
   Rob Winch and Joe Grandja, Pivotal
2. Agenda
   • Demo: the SecureMail application
   • Hello Security
   • Debugging tips
   • CSRF
   • Form login
   • Logout
   • XSS exploit in AngularJS
   • Content Security Policy (CSP)
3. Demo
   • SecureMail: a single-page application built with AngularJS 1.4
   • Spring Boot 1.4
   • Spring Security 4.1
   • Spring Session 1.2 (backed by Redis)
   • The demo starts from the unsecured version of the application
4. Hello Security
   • Security is auto-configured by Spring Boot via SecurityAutoConfiguration.
   • By default every web endpoint requires HTTP Basic authentication (user "user", with a random password logged at startup), except well-known static resource locations such as /css/**, /js/**, /images/**, /webjars/** and /**/favicon.ico.
   • To override the default auto-configuration with Java configuration, provide a security-specific configuration class that extends WebSecurityConfigurerAdapter and annotate it with @EnableWebSecurity; Boot's default web security configuration then backs off.
5. Debugging Tips
   • FilterChainProxy is the Spring Security Filter Chain; it is registered as the bean "springSecurityFilterChain".
   • Authentication: UsernamePasswordAuthenticationFilter (form login) or BasicAuthenticationFilter (HTTP Basic).
   • Authorization: FilterSecurityInterceptor.
   • Exception handling: ExceptionTranslationFilter (turns an AccessDeniedException into a 403, or, for an anonymous user, starts authentication through the AuthenticationEntryPoint).
   • Debug logging: WebSecurity.debug(true), or equivalently @EnableWebSecurity(debug = true). This logs the matched filter chain for every request and is meant for development only.
6. Cross Site Request Forgery (CSRF)
   • CSRF integration for AngularJS via CookieCsrfTokenRepository (new in 4.1).
   • By default, CookieCsrfTokenRepository writes the token to a cookie named XSRF-TOKEN and reads it back from an HTTP header named X-XSRF-TOKEN, following the conventions of AngularJS's $http service.
   • The cookie must be readable from JavaScript, so use CookieCsrfTokenRepository.withHttpOnlyFalse(); with the HttpOnly flag set, Angular cannot copy the value into the header.
   • CsrfFilter only requires the token on state-changing requests (anything other than GET, HEAD, TRACE and OPTIONS).
7. Form Login
   • UsernamePasswordAuthenticationFilter is wired into the FilterChainProxy; by default it processes POST /login.
   • If no login page is configured, a default login page is generated automatically (DefaultLoginPageGeneratingFilter).
   • Next: configure a custom login page and an endpoint for handling authentication failures. A custom login page is not permitted automatically, so grant access to it (for example formLogin().permitAll()); otherwise unauthenticated users are redirected to a page they are not allowed to see.
8. Logout
   • LogoutFilter is wired into the FilterChainProxy.
   • By default, a successful logout redirects (302) to the login page (/login?logout).
   • With CSRF protection enabled, logout only accepts POST /logout, and the request must carry the CSRF token.
   • Next: configure a custom logout strategy via LogoutSuccessHandler that returns a 204 (No Content) status after a successful logout, which suits a single-page application better than a redirect.
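Putting slides 4 through 8 together, the following is an added example (not code from the talk or from the SecureMail demo) of a Spring Security 4.1 / Spring Boot 1.4 Java configuration that replaces the auto-configured HTTP Basic setup with the CSRF, form-login and logout behaviour described above. The package name, the /assets/** static path, the in-memory demo user, and the choice to answer a failed login with a 401 instead of a redirect are assumptions made for this example.

```java
package demo.security; // assumed package for the example

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

/**
 * Slide 4: a configuration class annotated with @EnableWebSecurity makes
 * Spring Boot's SecurityAutoConfiguration back off, so everything below
 * replaces the default "HTTP Basic on every endpoint" setup.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The SPA shell and its static assets are public; everything else needs a session.
                // "/assets/**" is an assumed path for this example.
                .antMatchers("/", "/index.html", "/assets/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // Slide 6: AngularJS reads the XSRF-TOKEN cookie and echoes it in X-XSRF-TOKEN.
            // withHttpOnlyFalse() is required; with HttpOnly set, $http cannot read the cookie.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            // Slide 7: the SPA serves GET /login; POST /login is handled by
            // UsernamePasswordAuthenticationFilter. A SimpleUrlAuthenticationFailureHandler
            // with no failure URL answers a bad login with 401 instead of a redirect,
            // which is what an XHR-based client wants. permitAll() opens the login
            // page and processing URL to unauthenticated users.
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .failureHandler(new SimpleUrlAuthenticationFailureHandler())
                .permitAll()
                .and()
            // Slide 8: with CSRF enabled, logout is POST /logout (token required) and
            // answers 204 No Content instead of the default 302 to /login?logout.
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessHandler(
                    new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT));
    }

    // Slide 5: log which filter chain handles each request. Development only.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.debug(true);
    }

    // Assumed demo user for the example; a real application wires a UserDetailsService.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER");
    }
}
```

No Angular-side code is needed for the CSRF part: with these cookie and header names, $http's built-in XSRF support attaches the token to every POST, PUT and DELETE. CsrfFilter generates and saves a token on the first request that lacks one, so the XSRF-TOKEN cookie is already present after the initial GET of the SPA shell, before the login form is submitted.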
9. XSS Exploit in AngularJS
   • The Angular expression sandbox: {{ }} expressions in a template are evaluated by Angular's $parse, and the sandbox was meant to keep them away from window, document and other globals.
   • PortSwigger Web Security Blog: "XSS without HTML: Client-Side Template Injection with AngularJS".
   • Exploited when user input is dynamically embedded into client templates. The attacker needs no HTML, only an expression that escapes the sandbox, so HTML-encoding the output does not prevent it; untrusted data must be kept out of templates entirely. The AngularJS team has stated that the sandbox was never a security boundary, and it was removed in AngularJS 1.6.
10. Content Security Policy
   • Content Security Policy Level 2, a W3C Candidate Recommendation.
   • A mechanism web applications can use to mitigate content injection vulnerabilities such as cross-site scripting (XSS).
   • Lets you declare a "white-list" of sources (origins) from which content may be loaded.
   • Unless the policy explicitly allows it ('unsafe-inline', or a nonce or hash in Level 2), inline scripts and styles are blocked. Plan on moving all scripts and styles into external files.
   • The Content-Security-Policy HTTP header delivers a policy. A policy is one or more directives, each with its associated value(s), separated by semicolons.
   • The Content-Security-Policy-Report-Only HTTP header instructs the user agent to monitor a policy and report violations without enforcing the restrictions. Use it to test a policy before turning enforcement on.
11. Content Security Policy Directives
   • script-src: the origins from which scripts may be loaded.
   • style-src: script-src's counterpart for style sheets.
   • child-src: the URLs allowed for workers and embedded frame contents.
   • connect-src: the origins you may connect to (via XHR, WebSockets and EventSource).
   • frame-ancestors: the sources that may embed the current page. It applies to <frame>, <iframe>, <object>, <embed> and <applet>, takes precedence over X-Frame-Options when both are present, and is only honoured in the HTTP header, not in a <meta> tag.
   • img-src: the origins from which images may be loaded.
   • media-src: the origins allowed to deliver video and audio.
   • object-src: controls Flash and other plugins; 'none' is the safe choice when no plugins are needed.
   • report-uri: the URL to which the user agent POSTs a JSON report when the policy is violated.
   Fetch directives that are not set fall back to default-src; frame-ancestors and report-uri have no fallback and must be stated explicitly.
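As an added example (not code from the talk), here is how slides 10 and 11 translate into a Spring Security 4.1 configuration: headers().contentSecurityPolicy(...) emits the Content-Security-Policy header, and .reportOnly() switches it to Content-Security-Policy-Report-Only for a monitoring run. The policy values, the REPORT_ONLY flag, the /csp-report endpoint and the controller that logs the reports are assumptions made for this example.

```java
package demo.security; // assumed package for the example

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class CspSecurityConfig extends WebSecurityConfigurerAdapter {

    // Start in monitoring mode (slide 10, Content-Security-Policy-Report-Only);
    // flip to false once a report-only run shows no violations from our own pages.
    static final boolean REPORT_ONLY = true;

    // Assumed policy for an AngularJS single-page app served from one origin.
    // No 'unsafe-inline', so every script and style sheet must be an external
    // file from our origin; object-src 'none' disables plugins entirely;
    // frame-ancestors 'none' is the CSP counterpart of X-Frame-Options: DENY.
    static final String POLICY = String.join("; ",
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self'",
        "img-src 'self' data:",
        "connect-src 'self'",
        "object-src 'none'",
        "frame-ancestors 'none'",
        "report-uri /csp-report");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Browsers POST violation reports with no session and no CSRF token,
                // so the report endpoint must be open and exempt from CSRF checks.
                .antMatchers("/csp-report").permitAll()
                .anyRequest().authenticated()
                .and()
            .csrf()
                .ignoringAntMatchers("/csp-report")
                .and()
            .formLogin();

        if (REPORT_ONLY) {
            // Emits Content-Security-Policy-Report-Only: violations are reported, nothing is blocked.
            http.headers().contentSecurityPolicy(POLICY).reportOnly();
        } else {
            // Emits Content-Security-Policy: violations are reported and blocked.
            http.headers().contentSecurityPolicy(POLICY);
        }
    }
}

/** Assumed receiver for the JSON violation reports the browser sends to report-uri. */
@RestController
class CspReportController {
    private static final Logger log = LoggerFactory.getLogger(CspReportController.class);

    @PostMapping(path = "/csp-report", consumes = {"application/csp-report", "application/json"})
    public ResponseEntity<Void> report(@RequestBody String report) {
        // Reports are attacker-influenceable input: log them for review, never act on them blindly.
        log.warn("CSP violation: {}", report);
        return ResponseEntity.noContent().build();
    }
}
```

Because the policy omits 'unsafe-inline' and 'unsafe-eval', the AngularJS side needs the ng-csp attribute on the root element and the angular-csp.css stylesheet that ships with AngularJS, since Angular otherwise injects the ng-cloak and ng-hide styles inline; without them the report-only run will show the application violating its own policy.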
12. Learn More. Stay Connected.
   Follow @SpringSecurity on Twitter for the latest info!
   @springcentral @pivotal @pivotalcf