-
Be the first to like this
Upcoming SlideShare
Spring Security Patterns
- 1. Spring Security Patterns September 2–3, 2020 springone.io Ria Stein – Spring Security Maintainer Josh Cummings – Spring Security Maintainer – @jzheaux
- 2. Secure by Default PG application.properties App H2 App App H2 application-prod.properties PG App application.properties application-dev.properties
- 3. Principle of Least Privilege Username: Forgot Password jzheaux OK Sorry, we don’t recognize that username Username: Forgot Password jzheaux OK If that username exists, we’ve just sent an email
- 4. Request Thread Local try { SecurityContext ctx = lookup(request); SecurityContextHolder.setContext(ctx); chain.doFilter(request, response); } finally { SecurityContextHolder.clearContext() } public void serviceLayerMethod() { var ctx = SecurityContextHolder.getContext(); } Stores data in a ThreadLocal so only visible to this thread Clears data so ThreadLocal can be used for next request Now data can be retrieved at the service layer ForReactiveapps,use theReactorContext insteadofThreadLocals
- 5. Composition registration.html <div class=“registration-banner”> <button class=“registration-button”> Register Now </button> </div> <div> <span>Welcome to our talk!</span> <registration/> </div> homepage.html
- 6. Stay Connected. And be secure. https://github.com/spring-projects/spring-security https://github.com/jzheaux/springone2020 #springone@s1p
Be the first to comment