Spring Security Patterns

VMware Tanzu
Spring Security Patterns
September 2–3, 2020
springone.io
Ria Stein – Spring Security Maintainer
Josh Cummings – Spring Security Maintainer – @jzheaux
Secure by Default

[Diagram: App, H2 and PG database nodes, annotated with application.properties, application-dev.properties and application-prod.properties]
Principle of Least Privilege

Forgot Password dialog (reveals whether the account exists):
  Username: jzheaux  [OK]
  Sorry, we don’t recognize that username

Forgot Password dialog (does not reveal whether the account exists):
  Username: jzheaux  [OK]
  If that username exists, we’ve just sent an email
Request Thread Local

```java
try {
    // Stores data in a ThreadLocal so it is only visible to this thread
    SecurityContext ctx = lookup(request);
    SecurityContextHolder.setContext(ctx);
    chain.doFilter(request, response);
}
finally {
    // Clears data so the ThreadLocal can be used for the next request
    SecurityContextHolder.clearContext();
}

public void serviceLayerMethod() {
    // Now data can be retrieved at the service layer
    var ctx = SecurityContextHolder.getContext();
}
```

For Reactive apps, use the Reactor Context instead of ThreadLocals.
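The following is an added, self-contained example (not from the talk or from Spring Security itself) showing why the finally block above matters: it runs two requests on one pooled thread through a hypothetical ContextHolder that stands in for SecurityContextHolder, once with clearContext() and once without.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class ThreadLocalContextDemo {
    // Stand-in for Spring Security's SecurityContextHolder (hypothetical, for illustration):
    // a ThreadLocal makes the context visible only to the thread handling the request.
    static final class ContextHolder {
        private static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();
        static void setContext(String principal) { CONTEXT.set(principal); }
        static String getContext() { return CONTEXT.get(); }
        static void clearContext() { CONTEXT.remove(); }
    }

    // The "service layer": reads whatever context the current thread carries.
    static String serviceLayerMethod() {
        return ContextHolder.getContext();
    }

    // Filter-style handling of one request. principal is null for an anonymous request
    // (no lookup result); clearInFinally toggles the finally block from the slide.
    static String handleRequest(String principal, boolean clearInFinally) {
        try {
            if (principal != null) {
                ContextHolder.setContext(principal);   // lookup(request) succeeded
            }
            return serviceLayerMethod();               // chain.doFilter(...) reaches the service
        } finally {
            if (clearInFinally) {
                ContextHolder.clearContext();          // hand the thread back clean
            }
        }
    }

    // Runs two requests on the same pooled thread: first authenticated as "alice", then anonymous.
    // Returns what the anonymous request observed: with clearing it sees no principal,
    // without clearing the stale principal from the previous request leaks through.
    static String anonymousSees(boolean clearInFinally) throws Exception {
        ExecutorService singleWorker = Executors.newSingleThreadExecutor();
        try {
            singleWorker.submit(() -> handleRequest("alice", clearInFinally)).get();
            Future<String> second = singleWorker.submit(() -> handleRequest(null, clearInFinally));
            return second.get();
        } finally {
            singleWorker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("with clearContext(): " + anonymousSees(true));
        System.out.println("without clearContext(): " + anonymousSees(false));
    }
}
```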
Composition

registration.html

```html
<div class="registration-banner">
  <button class="registration-button">
    Register Now
  </button>
</div>
```

homepage.html

```html
<div>
  <span>Welcome to our talk!</span>
  <registration/>
</div>
```

Stay Connected.
And be secure.
https://github.com/spring-projects/spring-security
https://github.com/jzheaux/springone2020
#springone@s1p