How to use Spring Security to Supercharge AppSec with OpenID Connect & OAuth2

Spring Live, April 19-20, 2020
Mark Heckler
Principal Technologist & Developer Advocate, VMware


  1. How to Supercharge AppSec with Spring Security, OpenID Connect, & OAuth2. Mark Heckler, Spring Developer & Advocate. mark@thehecklers.com | mheckler@vmware.com | @mkheck
  2. @mkheck www.thehecklers.com. Who am I?
        • Author
        • Architect & Developer
        • Java Champion, Rockstar
        • Professional Problem Solver
        • Spring Developer & Advocate
        • Creator and curator of
  3. New book! But you can’t buy it yet… DISCLAIMER: artist’s rendition only, not the real cover
  5. Takeaways
        • Foundational security concepts review using Spring Security OSS
        • Authentication & Authorization: who’s who in the zoo
        • OpenID Connect & OAuth2: what they do & what’s the value
            • The roles
            • The grants
        • SHOW ME THE CODE
  8. 3000 meter view: Request → HttpFirewall → SecurityFilterChain (Filter → Filter → Filter → Filter → Filter) → response headers. Of course, there is more…
  10. Spring Security request filtering (simplified): User → DelegatingFilterProxy → FilterChainProxy → SecurityFilterChain (Filter 1 → Filter 2 → Filter 3 → … → Filter n) → Servlet. DelegatingFilterProxy is the one servlet filter registered with the container; it delegates to the Spring-managed FilterChainProxy bean, which can hold several chains (… SecurityFilterChain n) and dispatches each request to the first chain whose request matcher matches it.
  11. About those headers… (the response headers Spring Security adds by default)
        HTTP/1.1 200
        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
        Content-Length: 20
        Content-Type: text/plain;charset=UTF-8
        Date: Wed, 26 Feb 2020 20:13:58 GMT
        Expires: 0
        Pragma: no-cache
        Set-Cookie: JSESSIONID=EB199990E5ABA3EA0E1A0B4430EF8E5C; Path=/; HttpOnly
        X-Content-Type-Options: nosniff
        X-Frame-Options: DENY
        X-XSS-Protection: 1; mode=block
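The following is an added example, not part of the talk’s slides or its companion repositories: a Spring Security 6 / Spring Boot 3 configuration (assumed versions; the talk predates the SecurityFilterChain bean style) that makes the defaults behind the headers above explicit and hardens them. The package name, paths and policy values are assumptions. One deliberate difference from the slide: X-XSS-Protection is sent as 0 rather than 1; mode=block, which is also what Spring Security 5.8 and later emit by default, because browsers have removed the XSS auditor and the legacy filter was itself usable for cross-site leaks.

```java
// Added example (not from the talk): a Spring Security 6 / Spring Boot 3 configuration
// showing where the response headers on the slide come from and how to tune them.
// Package name, paths and policy values are assumptions for a hypothetical application.
package com.example.appsec;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue;

@Configuration
@EnableWebSecurity
public class HeadersSecurityConfig {

    // One SecurityFilterChain bean. FilterChainProxy consults it for every request;
    // with no securityMatcher() set it applies to all paths.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Authorization rules are enforced by the last filter in the chain.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // HeaderWriterFilter: the first four entries are the defaults that produced the
            // Cache-Control/Pragma/Expires, X-Content-Type-Options, X-Frame-Options and
            // X-XSS-Protection headers on the slide; they are spelled out so they can be tuned.
            .headers(headers -> headers
                .cacheControl(Customizer.withDefaults())        // Cache-Control: no-cache, no-store, ...
                .contentTypeOptions(Customizer.withDefaults())  // X-Content-Type-Options: nosniff
                .frameOptions(frame -> frame.deny())            // X-Frame-Options: DENY
                // The slide's "1; mode=block" was the 2020 default. Browsers dropped the
                // XSS auditor and the filter could leak information, so send "0".
                .xssProtection(xss -> xss.headerValue(HeaderValue.DISABLED))
                // Not in the slide's capture: Spring only writes HSTS on HTTPS requests.
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31_536_000))
                // Not emitted unless configured: CSP tailored to the app's own assets (assumed policy).
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("default-src 'self'; frame-ancestors 'none'; object-src 'none'"))
                // Limit what Referer reveals to third-party origins.
                .referrerPolicy(rp -> rp.policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)));
        return http.build();
    }
}
```

Strict-Transport-Security will not appear when you probe the app over plain HTTP in development, because the HSTS writer only fires for secure requests; check it against a TLS endpoint (for example `curl -si https://localhost:8443/public/ping` with the assumed port and path) rather than concluding the configuration is broken.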
  12. Authentication vs. Authorization. Who are you? (Authentication → OIDC). What can you (legitimately) access? (Authorization → OAuth2)
  16. Why OpenID Connect & OAuth2? (adapted from IETF RFC 6749, The OAuth 2.0 Authorization Framework)
        In traditional authentication, the client requests an access-restricted resource on the server by authenticating with the server using the resource owner’s credentials. To provide third-party applications (3PAs) access, the resource owner shares credentials with the 3PA. This creates several problems:
        • 3PAs store the resource owner’s credentials for future use, typically a password in clear text
        • Servers must support password authentication, despite the security weaknesses inherent in passwords
        • 3PAs gain overly broad access to the resource owner’s protected resources, removing any ability to restrict duration or access to a limited subset of resources
        • Resource owners cannot revoke access to an individual 3PA without revoking access to all third parties, and must do so by changing the 3PA’s password
        • Compromise of any 3PA results in compromise of the end-user’s password and all data protected by that password
  17. Authorization code grant. Roles: Resource Owner (the user), User Agent (browser), Client (mysite.com, Client ID abc123), Authorization Server, Resource Server (💰). Flow:
        1. The client redirects the user agent to the authorization server with Client ID abc123, response type "code", and redirect URI mysite.com/callback
        2. The user authenticates at the authorization server (email/UID and password); the client never sees these credentials
        3. The authorization server returns the user agent to mysite.com/callback with an authorization code
        4. The client exchanges the authorization code for an ID token & access token
        5. The client provides the access token with its resource request and receives the requested resources
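The grant above wired up as a Spring Security OAuth2/OIDC client, as an added example that is not from the talk or the linked repositories. It assumes Spring Security 6 / Spring Boot 3, an authorization server at auth.example.com, a registration id "mysite", the client secret in the MYSITE_CLIENT_SECRET environment variable, and the slide’s /callback path in place of Spring’s default /login/oauth2/code/{registrationId}; the client id abc123 is the one on the slide.

```java
// Added example (not from the talk or its companion repositories): the authorization code
// grant from the slide as a Spring Security 6 OAuth2/OIDC client. Provider URLs
// (auth.example.com), the "mysite" registration id, the MYSITE_CLIENT_SECRET variable and
// the /callback path are assumptions.
package com.example.appsec;

import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class OidcClientConfig {

    // Step 1 of the slide: how the client is registered with the authorization server.
    @Bean
    ClientRegistrationRepository clientRegistrations() {
        String secret = Objects.requireNonNull(System.getenv("MYSITE_CLIENT_SECRET"),
                "set MYSITE_CLIENT_SECRET; the secret is never hard-coded");
        ClientRegistration mysite = ClientRegistration.withRegistrationId("mysite")
            .clientId("abc123")                                          // Client ID from the slide
            .clientSecret(secret)
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) // response_type=code
            .redirectUri("{baseUrl}/callback")                           // mysite.com/callback
            .scope("openid", "profile", "email")                         // "openid" => an ID token is issued
            .authorizationUri("https://auth.example.com/oauth2/authorize")
            .tokenUri("https://auth.example.com/oauth2/token")           // code -> ID token + access token
            .jwkSetUri("https://auth.example.com/oauth2/jwks")           // keys used to verify the ID token
            .userInfoUri("https://auth.example.com/userinfo")
            .issuerUri("https://auth.example.com")                       // must equal the ID token's iss claim
            .userNameAttributeName(IdTokenClaimNames.SUB)
            .build();
        return new InMemoryClientRegistrationRepository(mysite);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // oauth2Login() installs the filters for steps 1-4: redirect the user agent to the
            // authorization endpoint (with a random state bound to this browser session), accept
            // the code on the redirect URI, exchange it at the token endpoint, validate the ID
            // token (signature against the JWK set, iss, aud, exp, nonce) and expose an OidcUser
            // as the Authentication principal. Only the redirect path is changed from the default.
            .oauth2Login(login -> login
                .redirectionEndpoint(redirect -> redirect.baseUri("/callback")));
        return http.build();
    }
}

@RestController
class WhoAmIController {

    // Step 5 of the slide: the ID token says who authenticated (OIDC), and the authorized
    // client holds the access token the app would send to the resource server (OAuth2).
    @GetMapping("/whoami")
    Map<String, Object> whoAmI(@AuthenticationPrincipal OidcUser user,
                               @RegisteredOAuth2AuthorizedClient("mysite") OAuth2AuthorizedClient client) {
        Map<String, Object> out = new LinkedHashMap<>();   // LinkedHashMap: Map.of() rejects null claims
        out.put("subject", user.getSubject());
        out.put("email", user.getEmail());
        out.put("issuer", String.valueOf(user.getIssuer()));
        out.put("accessTokenScopes", client.getAccessToken().getScopes());
        out.put("accessTokenExpiresAt", client.getAccessToken().getExpiresAt());
        return out;
    }
}
```

Two checks worth making against this setup: the redirect URI registered at the provider must match the one Spring sends byte for byte (scheme, host, port and path), otherwise the authorization server refuses step 1; and the access token is deliberately not returned by /whoami, since a browser-visible endpoint that echoes bearer tokens turns any XSS into resource-server access.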
  18. Let’s code!
  21. Resources
        • https://github.com/mkheck/spring-security-oidc-oauth2
        • https://github.com/jgrandja/oauth2-protocol-patterns
        • https://spring.io/projects/spring-security
      Thanks for coming, stay in touch (& secure)!