Your SlideShare is downloading. ×
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redondo Ramírez
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redondo Ramírez

1,337
views

Published on

From previously developed a simple web application (based on X-Files tv series) the aim will be to set both user authentication and authorization of web resources both for themselves and for the …

From previously developed a simple web application (based on X-Files tv series) the aim will be to set both user authentication and authorization of web resources both for themselves and for the invocation of business components. It’ll be established a minimum security settings, which will be completed with more sophisticated mechanisms. All of these emphasizing the novelties of version 3.x of Spring Security as the use of SPEL, Annotations, Namespace, Java config, etc. Attendees will see many of the features that implements Spring Security to set security mechanisms within JEE applications. The tools to be used are Spring Tool Suite 3.4, Springframework 3.2, Maven 3 and Spring Tc Server 2.9.

Published in: Technology, News & Politics

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,337
On Slideshare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Securing web applications with Spring Security 3 Fernando Redondo Ramírez @pronoide_fer
  • 2. Roadmap • Who am I? • A brief introduction to Spring Security • Hands on • Furthermore
  • 3. Whoami • Entrepreneur and Business Manager at Pronoide since 2003 • Java & Friends Trainer (JEE, Spring, Groovy, Maven, Jenkins, Sonar, Weblogic, Jboss, Websphere, Disco Dancing and so ) • Doing things with Java from 1999 on • Computer Engineer • Happily married and proud father of two children • I used to wanna be a physics scientist and I really do love X-files series
  • 4. Brief Introduction to Spring Security • Isn’t Security within JEE is a standard feature? Yes indeed, but: • JEE Security ⇒ It’s constraint based • JEE Security ⇒ Only defines a secured perimeter • JEE Security ⇒ Features are depending on each App Server (Realms, SSO, Cipher, etc) • JEE Security ⇒ Secured JEE Applications can’t easily move across different platforms or between server versions • JEE Security ⇒ Complex to adapt to Web 2.0 or changing requirements
  • 5. Brief Introduction to Spring Security • Why use Spring Security then? because: • Spring Security ⇒ It’s granted based • Spring Security ⇒ Both perimeter and hierarchical • Spring Security ⇒ Features independent of the App Server • Spring Security ⇒ Transportable Secured JEE Applications • Spring Security ⇒ Adaptable and versatile
  • 6. Brief Introduction to Spring Security • Architecture and we are done! Spring Security 3 internals SecurityContextHolder SecurityContext Authentication GrantedAuthority Web Requests Web/HTTP Security Security filter chain Authentication AuthenticationManager AuthenticationProviders UserDetailsService Authorization AccessDecisionManager Voters AfterInvocationManager Business Methods Business Object (Method) Security Proxies/Security Interceptors
  • 7. Your next mission I need to put security within our FBI X-Files application!
  • 8. Hands on! (Later at home) Before start, you have to… 1. Install git in your computer http://git-scm.com/book/en/Getting-Started-Installing-Git 2. Download Spring Tool Suite 3.5 https://spring.io/tools/sts/all 3. Start Spring Tool Suite 3.5 (STS) and choose or create a workspace (remember run it with a JDK) 4. Download http://pronoide.com/downloads/javacro2014- spring-security-xfiles.zip and unzip it into workspace folder. 5. Pace yourself! It’s all quite straightforward…
  • 9. FBI X Files webapp Import webapp (File/Import/Git/Proyect from Git)
  • 10. FBI X Files webapp Run webapp!
  • 11. Stage: Setup Spring Security in webapp i. Setup a interceptor filter for all web requests
  • 12. Stage: Setup Spring Security in webapp ii. Create a new spring bean configuration file with the least config and load through web.xml context parameter
  • 13. Stage: Setup Spring Security in webapp iii. Explicitly config login / logout procedures iv. Fix issues with resources, images and CSS files
  • 14. FBI X Files webapp
  • 15. Stage: Setup Spring Security in webapp v. Encrypt user’s paswords via Spring Security Crypto Module • Encode passwords • Configure algorithm and salt field. Then use passwords within security config file
  • 16. Stage: Setup Spring Security in webapp vi. Add Remember Me feature to users login process
  • 17. Stage: Setup Spring Security in webapp vii. Secure transport channel (HTTPS) • Setup constrains and ports • Configure tomcat server (create SSL connector)
  • 18. Stage: Setup Spring Security in webapp viii. Session expiration control ix. Session concurrency control
  • 19. Stage: Setup Spring Security in webapp x. JSP tag library usage (Spring Security Taglibs)
  • 20. Stage: Setup Spring Security in webapp xi. SpEL usage to protect URLs (Spring Expression Language) xii. SpEL usage with Spring security taglib
  • 21. what have you done! Is there only security in the web resources access? Is that the very best you can make it? Try this URL and watch what is gonna happen: https://localhost:8443/fbi/xfiles/declassify?id=0
  • 22. Stage: Setup Spring Security in business methods xii. Secure business method invocations thru Spring Security Annotations
  • 23. Stage: Setup Spring Security in business methods xiii. Secure business method invocations thru AspectJ pointcuts
  • 24. Stage: Setup Spring Security in business methods xiv. Secure business method invocations thru SpEL (Pre Invocation)
  • 25. Much better! But… What are you doing viewing files that aren’t yours? How come you are able to access to your sister’s files? And why are you accessing at this time of the day?
  • 26. Stage: Setup Spring Security in an hierarchical way xv. Secure business method invocations thru SpEL (Post Invocation) xvi. Secure business method invocations thru SpEL (Result Filtering)
  • 27. Stage: Setup Spring Security in an hierarchical way xvii. Customization of access voters • Code a new voter
  • 28. Stage: Setup Spring Security in an hierarchical way xviii.Customization of access voters (continuation) • Dismiss Spring Security auto-config and reveal actual config • Customize Access decision manager behavior
  • 29. Stage: Spring Security Extras xix. Customization of security filter chain (Example A) • Create custom filter • Place it within the filter chain
  • 30. Stage: Spring Security Extras xx. Customization of security filter chain (Example B) • Create custom filter • Place it within the filter chain
  • 31. The smoking man All of these features about Spring Security are pretty fine, but I can always leverage a Java2 attack: <%System.exit(0);%>
  • 32. Beyond this talk • Not implicit but explicit configs • ACL’s management • Autentification with DataSources, LDAP, X509, OPENID, JEE, etc • Captcha • Single Sign On • Java Config “… in most of my work, the laws of physics rarely seems to apply.” Fox Mulder 1x01 "Pilot"
  • 33. Thanks! @pronoide_fer https://github.com/fredondo/ fredondo@pronoide.com http://pronoide.com
  • 34. Apendix: Hands on (Later at home)! Navigate along the proyect code with git presenter 1. Install jruby or ruby http://jruby.org/getting-started https://www.ruby-lang.org/en/installation/ 2. Install git presenter (gem install git_presenter) 3. When the code is ready use the "git-presenter init" command to initialize 4. Once it is initialized you can start the presentation with "git- presenter start" 5. Then use the following commands to navigate the presentation • next/n: move to the next slide (commit) • back/b: move to the back slide (commit) • end/e: move to the end of presentation • start/s: move to the start of presentation • list/l : list slides in presentation • help/h: display this message

×