From 0 to Spring Security 4.0
Speaker: Rob Winch
Core Spring Track

Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements. In this presentation Rob starts with an insecure application and incrementally adds Spring Security 4 to demonstrate how easily you can secure your application. Throughout the presentation, new features found in Spring Security 4 are highlighted. Whether you are new to Spring Security or want to learn what is new in Spring Security 4, this presentation is a must.
Video: https://www.youtube.com/watch?v=TjlDbIIJBi8
Slides

1. From 0 to Spring Security 4.0
   Rob Winch, @rob_winch
   © 2014 SpringOne 2GX. All rights reserved. Do not distribute without permission.

2. Agenda
   • Introductions
   • Hello Spring Security (Java Config)
   • Custom Authentication
   • Spring Data Integration
   • Testing Support
   • WebSocket Support
   • White Hat Hacker

3. About Me
   • Open Source fanatic
   • Spring Security & Spring Project Lead
   • Committer on Spring Framework
   • Co-author of Spring Security 3.1 book
   • Twitter @rob_winch

4. What is Spring Security?
   • Comprehensive support for Authentication and Authorization
   • Protection against common attacks
   • Servlet API Integration
   • Optional integration with Spring MVC
   • Optional Spring Data Integration
   • WebSocket Support

5. Demo: Message Application
   Unless otherwise indicated, these slides are © 2013-2014 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/

6. Spring Security

7. web.xml
   <filter>
     <filter-name>springSecurityFilterChain</filter-name>
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
   </filter>
   <filter-mapping>
     <filter-name>springSecurityFilterChain</filter-name>
     <url-pattern>/*</url-pattern>
   </filter-mapping>
   DelegatingFilterProxy looks up the Spring bean named springSecurityFilterChain in the root WebApplicationContext and hands every request to it, so the whole security filter chain is configured as ordinary Spring beans.

8. Hello Java Configuration – Replaces web.xml
   public class SecurityWebInitializer
       extends AbstractSecurityWebApplicationInitializer {
     // optionally override methods
   }
   The initializer registers the same DelegatingFilterProxy through the Servlet 3.0 API, so no web.xml entry is needed.
9. Hello Java Configuration – WebSecurityConfig
   @Configuration
   @EnableWebMvcSecurity
   public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     ...
   }
   (In the released 4.0, @EnableWebMvcSecurity is deprecated: @EnableWebSecurity registers the Spring MVC integration itself when Spring MVC is on the classpath.)

10. Hello Java Configuration – WebSecurityConfig
   @Autowired
   public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
     auth
       .inMemoryAuthentication()
         .withUser("admin").password("password").roles("ADMIN", "USER")
         .and()
         .withUser("user").password("password").roles("USER");
   }

11–12. Hello Java Configuration (image only)

13–16. Hello Java Configuration
   <div th:with="currentUser=${#httpServletRequest.userPrincipal?.name}">
     <div th:if="${currentUser != null}">
       <form th:action="@{/logout}" method="post">
         <input type="submit" value="Log out" />
       </form>
       <p th:text="${currentUser}">sample_user</p>
     </div>
   </div>
   Nothing in the template is Spring Security specific; it uses only the Servlet API:
   public interface HttpServletRequest … { Principal getUserPrincipal(); ... }
   public interface Principal … { String getName(); ... }
   Logout is a POST form rather than a link: with CSRF protection on (the 4.0 default) a GET to /logout is not accepted, so a third-party page cannot log the user out.
17. Custom Log in Form

18. Java Configuration
   @Override
   protected void configure(HttpSecurity http) throws Exception {
     http
       .authorizeRequests()
         .anyRequest().authenticated()
         .and()
       .formLogin().and()
       .httpBasic();
   }

19. Java Configuration – the same in XML
   http
     .authorizeRequests()
       .anyRequest().authenticated()
       .and()
     .formLogin().and()
     .httpBasic();

   <http use-expressions="true">
     <intercept-url pattern="/**" access="authenticated"/>
     <form-login />
     <http-basic />
   </http>

20. Java Configuration – custom login page
   http
     .authorizeRequests()
       .anyRequest().authenticated()
       .and()
     .formLogin()
       .loginPage("/login")
       .permitAll()
       .and()
     .logout()
       .permitAll();

21. Java Configuration – static resources
   http
     .authorizeRequests()
       .antMatchers("/resources/**").permitAll()
       .anyRequest().authenticated()
       .and()
     .formLogin()
       .loginPage("/login")
       .permitAll()
       .and()
     .logout()
       .permitAll();
   Rules are evaluated in order, so the permitAll for /resources/** must precede anyRequest().authenticated(); otherwise the login page's own CSS and scripts are redirected to the login page.

22–24. Java Configuration – the login form
   <form th:action="@{/login}" method="post">
     <label for="username">Username</label>
     <input type="text" id="username" name="username"/>
     <label for="password">Password</label>
     <input type="password" id="password" name="password"/>
     <button type="submit">Log in</button>
   </form>

   http
     ...
     .formLogin()
       .loginPage("/login")
   The parameter names username and password and the POST to /login are the form-login defaults, so only the page location has to be configured. No CSRF field is written by hand: Thymeleaf's th:action calls Spring's RequestDataValueProcessor, which Spring Security implements to append the hidden _csrf input.
25. Custom Authentication

26. Java Configuration – Custom Authentication
   public interface UserDetailsService {
     UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
   }

27. Java Configuration – Custom Authentication
   public interface UserDetails extends Serializable {
     Collection<? extends GrantedAuthority> getAuthorities();
     String getPassword();
     String getUsername();
     boolean isAccountNonExpired();
     boolean isAccountNonLocked();
     boolean isCredentialsNonExpired();
     boolean isEnabled();
   }

28. Java Configuration – Custom Authentication
   @Entity
   public class User implements Serializable {
     @Id
     @GeneratedValue(strategy = GenerationType.AUTO)
     private Long id;
     private String firstName;
     private String lastName;
     private String email;
     private String password;
     ...
   }

29. Java Configuration – Custom Authentication
   public class CustomUserDetails extends User implements UserDetails {
     public CustomUserDetails(User user) {
       super(user); // User is assumed to provide a copy constructor
     }
     public Collection<? extends GrantedAuthority> getAuthorities() {
       return AuthorityUtils.createAuthorityList("ROLE_USER");
     }
     public String getUsername() {
       return getEmail();
     }
     public boolean isEnabled() {
       return true;
     }
     ...
   }

30. Java Configuration – Custom Authentication
   public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
     User user = userRepository.findByEmail(username);
     if (user == null) {
       throw new UsernameNotFoundException(…);
     }
     return new CustomUserDetails(user);
   }

31. Java Configuration – Custom Authentication
   @Autowired
   public void configureGlobal(AuthenticationManagerBuilder auth,
                               UserDetailsService userDetailsService) throws Exception {
     auth
       .userDetailsService(userDetailsService);
   }
32–34. Java Configuration – Custom Authentication
   The template from slides 13–16 keeps working unchanged, because HttpServletRequest.getUserPrincipal() now returns Spring Security's Authentication, which implements java.security.Principal:
   <div th:with="currentUser=${#httpServletRequest.userPrincipal?.name}">
     <div th:if="${currentUser != null}">
       <form th:action="@{/logout}" method="post">
         <input type="submit" value="Log out" />
       </form>
       <p th:text="${currentUser}">sample_user</p>
     </div>
   </div>
   public interface HttpServletRequest … { (Authentication) Principal getUserPrincipal(); ... }

35–38. Java Configuration – Custom Authentication
   <div th:with="currentUser=${#httpServletRequest.userPrincipal?.principal}">
     <div th:if="${currentUser != null}">
       <form th:action="@{/logout}" method="post">
         <input type="submit" value="Log out" />
       </form>
       <p th:text="${currentUser.firstName}">sample_user</p>
     </div>
   </div>
   Authentication.getPrincipal() is declared as Object; with the UserDetailsService above it is the CustomUserDetails, i.e. our own User, so the template can read firstName from it:
   public interface Authentication … { (UserDetails) Object getPrincipal(); ... }
   public interface Authentication … { (CustomUserDetails) Object getPrincipal(); ... }
   public class CustomUserDetails … { String getFirstName(); ... }

39. Java Configuration – Custom Authentication (controller: SecurityContextHolder)
   @RequestMapping(method=RequestMethod.GET)
   public ModelAndView list() {
     SecurityContext ctx = SecurityContextHolder.getContext();
     Authentication authentication = ctx.getAuthentication();
     User custom = authentication == null ? null : (User) authentication.getPrincipal();
     ...
   }

40. Java Configuration – Custom Authentication (controller: Authentication argument)
   @RequestMapping(method=RequestMethod.GET)
   public ModelAndView list(Authentication authentication) {
     User custom = authentication == null ? null : (User) authentication.getPrincipal();
     ...
   }

41. Java Configuration – Custom Authentication (controller: @AuthenticationPrincipal)
   @RequestMapping(method=RequestMethod.GET)
   public ModelAndView list(@AuthenticationPrincipal User currentUser) {
     ...
   }

42. Java Configuration – Custom Authentication (a meta-annotation keeps Spring Security out of the controller's imports)
   @Target(ElementType.PARAMETER)
   @Retention(RetentionPolicy.RUNTIME)
   @Documented
   @AuthenticationPrincipal
   public @interface CurrentUser {
   }

43. Java Configuration – Custom Authentication
   @RequestMapping(method=RequestMethod.GET)
   public ModelAndView list(@CurrentUser User currentUser) {
     Iterable<Message> messages = messageRepository.findByToId(currentUser.getId());
     ...
   }
44. Spring Security / Spring Data: SpEL Support

45. Spring Security / Spring Data
   @Bean
   public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
     return new SecurityEvaluationContextExtension();
   }
   This bean exposes the security expression root (principal, authentication, hasRole(...), …) to the SpEL expressions in Spring Data @Query annotations.

46. Spring Security / Spring Data
   public interface MessageRepository extends CrudRepository<Message, Long> {
     @Query("select m from Message m where m.to.id = ?#{principal.id}")
     Iterable<Message> findAllToCurrentUser();
   }
   The ?#{...} value is bound as a query parameter, not concatenated into the query string, so the principal's data cannot turn into query injection.

47. Spring Security / Spring Data
   public interface MessageRepository extends CrudRepository<Message, Long> {
     @Query("select m from Message m where m.to.id = ?#{hasRole('ROLE_ADMIN') ? '%' : principal.id}")
     Iterable<Message> findAll();
   }

48. Spring Security / Spring Data (image only)

49. In the year 2000….
   @EnableAclSecurity
   public interface SecuredMessageRepository extends MessageRepository {}
50. Password Storage

51. Password Storage
   auth
     .userDetailsService(userDetailsService)
     .passwordEncoder(new BCryptPasswordEncoder());
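The following is an added example, not code from the deck or its sample repository. It pulls slides 26–31 and 51 together into one UserDetailsService wired with BCrypt, and shows two things the fragments leave out: how the account-state flags of UserDetails map onto real data, and in which order Spring Security's DaoAuthenticationProvider evaluates them relative to the password check. It assumes the deck's User entity and UserRepository.findByEmail(String), and adds two hypothetical columns (enabled, locked) to User.

```java
import java.util.Collection;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

// Assumes the deck's JPA User entity and UserRepository.findByEmail(String), plus two
// hypothetical columns on User (boolean enabled, boolean locked) with getters.
@Service
public class AccountUserDetailsService implements UserDetailsService {

    private final UserRepository userRepository;

    @Autowired
    public AccountUserDetailsService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
        User user = userRepository.findByEmail(email);
        if (user == null) {
            // DaoAuthenticationProvider reports this as BadCredentialsException by default
            // (hideUserNotFoundExceptions = true), so a failed login does not reveal which
            // e-mail addresses exist.
            throw new UsernameNotFoundException("no account for " + email);
        }
        return new AccountUserDetails(user);
    }

    // Wraps the entity (composition) instead of subclassing it as the deck does.
    static final class AccountUserDetails implements UserDetails {
        private final User user;

        AccountUserDetails(User user) { this.user = user; }

        public User getUser() { return user; }

        @Override public Collection<? extends GrantedAuthority> getAuthorities() {
            return AuthorityUtils.createAuthorityList("ROLE_USER");
        }
        // The stored value is a BCrypt hash; the encoder registered below compares against it.
        @Override public String getPassword() { return user.getPassword(); }
        @Override public String getUsername() { return user.getEmail(); }

        // Checked by the provider BEFORE the password is compared: a false value produces
        // LockedException / DisabledException rather than BadCredentialsException.
        @Override public boolean isAccountNonLocked() { return !user.isLocked(); } // hypothetical column
        @Override public boolean isEnabled() { return user.isEnabled(); }          // hypothetical column
        @Override public boolean isAccountNonExpired() { return true; }
        // Checked AFTER the password matched.
        @Override public boolean isCredentialsNonExpired() { return true; }
    }
}

// In a real project this class lives in its own file; it is shown here so the wiring is visible.
@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Cost 12 is four times the work of the default 10; pick the highest cost the login
        // path can afford. New passwords must be stored with this same encoder, e.g.
        //   user.setPassword(passwordEncoder.encode(rawPassword));
        return new BCryptPasswordEncoder(12);
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth,
                                UserDetailsService userDetailsService,
                                PasswordEncoder passwordEncoder) throws Exception {
        auth
            .userDetailsService(userDetailsService)
            .passwordEncoder(passwordEncoder);
    }
}
```

A plain-text password column will never match once the encoder is registered, so existing rows have to be re-hashed (or users forced through a reset) before this goes live.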
52. CSRF Protection

53. Demo: CSRF Protection

54–55. CSRF Protection (image only)

56. CSRF Protection: "When do I use CSRF protection?"

57. CSRF Protection: "... but my application uses JSON"

58. CSRF Protection
   <form ... method="post" enctype="text/plain">
     <input type='hidden' name='{"summary":"Hi", … "ignore_me":"' value='test"}' />
   </form>

59. CSRF Protection
   {
     "summary": "Hi",
     "message": "New Message",
     "to": "luke@example.com",
     "ignore_me": "=test"
   }
   With enctype="text/plain" the browser sends the field as name=value with no escaping, so the request body is exactly the JSON above: a cross-site form can post a JSON document, and the "=" the browser inserts is absorbed by the throw-away ignore_me member. Consuming JSON is therefore not by itself a reason to skip CSRF protection.

60. CSRF Protection: "… but my application is stateless"

61. CSRF Protection (image only)

62. CSRF Protection: "…and I use a custom header for authentication and ignore cookies"

63. CSRF Protection
   • Use proper HTTP Verbs
   • Configure CSRF Protection
   • Include the CSRF Token

64. CSRF Protection – Providing the Token
   <form ... method="post">
     ...
     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
   </form>

65. CSRF Protection – Providing the Token (JSP tag library)
   <form ... method="post">
     ...
     <sec:csrfInput />
   </form>

66. CSRF Protection – Providing the Token (Spring MVC form tag: the token is added automatically)
   <form:form … method="post">
     ...
   </form:form>

67. CSRF Protection – Providing the Token (what the browser receives)
   <form ... method="post">
     ...
     <input type="hidden" name="_csrf" value="f81d4fae-…"/>
   </form>
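The questions on slides 60–62 come down to one test: does the browser attach the credential on its own? A session cookie or HTTP Basic credentials are attached automatically, so a forged form post carries them; a token the page's own JavaScript puts in an Authorization header is not. The configuration below is an added example (not from the deck or its repository) for an application serving both kinds of client. It keeps Spring Security's CSRF filter on, and uses requireCsrfProtectionMatcher to exempt only requests that prove they are header-authenticated; the bearer-token scheme itself is hypothetical.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class CsrfConfig extends WebSecurityConfigurerAdapter {

    /**
     * Decides which requests must carry a CSRF token. Deny by default: every
     * state-changing request needs one unless it is authenticated by a bearer token in
     * the Authorization header, which a browser never adds on its own and which an HTML
     * form on another origin cannot set.
     */
    static final class CookieSessionCsrfMatcher implements RequestMatcher {
        @Override
        public boolean matches(HttpServletRequest request) {
            String method = request.getMethod();
            if ("GET".equals(method) || "HEAD".equals(method)
                    || "TRACE".equals(method) || "OPTIONS".equals(method)) {
                // Safe verbs must not change state (slide 63: use proper HTTP verbs);
                // this mirrors the default matcher's treatment of them.
                return false;
            }
            // Hypothetical header-based scheme. Only a request that carries the bearer
            // token is exempt; a session cookie, HTTP Basic, or no credential at all
            // still requires the CSRF token.
            String authz = request.getHeader("Authorization");
            boolean bearer = authz != null && authz.startsWith("Bearer ");
            return !bearer;
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .csrf()
                .requireCsrfProtectionMatcher(new CookieSessionCsrfMatcher())
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll();
    }
}
```

Browser code that does rely on the session cookie (a JSON XMLHttpRequest from the app's own pages) sends the token in the X-CSRF-TOKEN header, the header name CsrfFilter reads by default; the page can render ${_csrf.headerName} and ${_csrf.token} into meta tags for the script to pick up. The matcher must stay deny-by-default: exempting by URL or content type instead of by credential reintroduces exactly the text/plain form trick from slides 58–59.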
68. Security HTTP Response Headers

69. Demo: Click Jacking

70–71. Security HTTP Response Headers (image only)
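Slides 68–71 are screenshots, so here is an added example (not from the deck or its repository) of the Java configuration behind them. Spring Security 4.0 writes its security headers by default; the block shows the two most often adjusted, the click-jacking header demoed on slide 69 and HSTS, and leaves the remaining defaults in place.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class HeadersConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // headers() is already enabled in 4.0; it is called here only to adjust defaults,
            // and customizing one header does not switch the others off.
            .headers()
                // Default is X-Frame-Options: DENY. SAMEORIGIN still defeats the slide 69
                // demo (a page on another origin framing the app) but lets the app frame
                // its own pages.
                .frameOptions().sameOrigin()
                // Strict-Transport-Security is only written on HTTPS responses. One year,
                // including subdomains, so a plain-HTTP subdomain cannot be used to
                // capture a cookie scoped to the parent domain.
                .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(365 * 24 * 60 * 60)
                    .and()
                // Cache-Control: no-cache, no-store; X-Content-Type-Options: nosniff and
                // X-XSS-Protection: 1; mode=block keep their default values.
                .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

Verify the result on a deployed instance rather than trusting the configuration: curl -sI https://your-host/login | grep -iE '^(x-frame-options|strict-transport-security|x-content-type-options|cache-control)' should show all four, with the HSTS line present only over HTTPS.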
72. Test Support

73. Testing Support – setting the context by hand
   @Before
   public void setup() {
     Authentication auth =
         new TestingAuthenticationToken("user", "pass", "ROLE_USER");
     SecurityContext ctx = SecurityContextHolder.getContext();
     ctx.setAuthentication(auth);
     SecurityContextHolder.setContext(ctx);
   }

   @After
   public void cleanup() {
     SecurityContextHolder.clearContext();
   }
   The @After matters: the SecurityContext is held in a ThreadLocal and would otherwise survive into the next test executed on the same thread.

74. Testing Support – a UserDetails as principal
   UserDetails user = ...
   List<GrantedAuthority> roles =
       AuthorityUtils.createAuthorityList("ROLE_USER");
   Authentication auth =
       new UsernamePasswordAuthenticationToken(user, "pass", roles);
   SecurityContext ctx = SecurityContextHolder.getContext();
   ctx.setAuthentication(auth);

75. Testing Support – the domain User as principal
   User user = ...
   List<GrantedAuthority> roles =
       AuthorityUtils.createAuthorityList("ROLE_USER");
   Authentication auth =
       new UsernamePasswordAuthenticationToken(user, "pass", roles);
   SecurityContext ctx = SecurityContextHolder.getContext();
   ctx.setAuthentication(auth);

76. Testing Support – @WithMockUser on the class
   ...
   @WithMockUser
   public class SecurityMethodTests {
     ...
   }

77. Testing Support – @WithMockUser on a method
   ...
   public class SecurityMethodTests {
     @Test
     @WithMockUser
     public void findAllMessages() {
       ...
     }
   }

78. Testing Support
   ...
   public class SecurityMethodTests {
     @Test
     @WithMockUser(username="admin", roles="ADMIN")
     public void findAllMessages() {
       repository.findAll();
     }
   }

79. Testing Support – @WithUserDetails loads the principal through the real UserDetailsService
   ...
   public class SecurityMethodTests {
     @Test
     @WithUserDetails("rob@example.com")
     public void findAllMessages() {
       repository.findAll();
     }
   }
   @WithMockUser puts Spring Security's own User class in the context, which has no id property, so a query using ?#{principal.id} cannot run under it; hence the custom annotation that follows.

80. Testing Support – a custom annotation
   @Target({ ElementType.METHOD, ElementType.TYPE })
   @Retention(RetentionPolicy.RUNTIME)
   @Inherited
   @Documented
   @WithSecurityContext(factory = WithCustomUserSecurityContextFactory.class)
   public @interface WithCustomUser {
     String email() default "rob@example.com";
     String firstName() default "Rob";
     String lastName() default "Winch";
     long id() default 0L;
   }

81. Testing Support – its factory
   public class WithCustomUserSecurityContextFactory
       implements WithSecurityContextFactory<WithCustomUser> {
     public SecurityContext createSecurityContext(WithCustomUser customUser) {
       User principal = new User();
       principal.setEmail(customUser.email());
       ...
       return ctx;
     }
   }

82. Testing Support
   ...
   public class SecurityMethodTests {
     @Test
     @WithCustomUser
     public void findAllMessages() {
       repository.findAll();
     }
   }

83. Testing Support
   ...
   public class SecurityMethodTests {
     @Test
     @WithCustomUser(id=1, email="luke@example.com")
     public void findAllMessages() {
       repository.findAll();
     }
   }
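Slide 81 elides the body of the factory. The version below is an added example (not the deck's code) of a complete implementation for the WithCustomUser annotation on slide 80; it assumes the deck's User entity has setters for id, email, firstName and lastName, and reuses CustomUserDetails from slide 29 so that ?#{principal.id} queries work in tests.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.test.context.support.WithSecurityContextFactory;

// Assumes: the deck's User entity with setters for id/email/firstName/lastName (JPA
// entities normally have them) and the CustomUserDetails adapter from slide 29.
public class WithCustomUserSecurityContextFactory
        implements WithSecurityContextFactory<WithCustomUser> {

    @Override
    public SecurityContext createSecurityContext(WithCustomUser customUser) {
        User principal = new User();
        principal.setId(customUser.id());
        principal.setEmail(customUser.email());
        principal.setFirstName(customUser.firstName());
        principal.setLastName(customUser.lastName());

        // The three-argument constructor marks the token as authenticated, which is what
        // method security and the ?#{principal.id} repository queries need. The
        // credentials value is irrelevant: no AuthenticationProvider runs when the
        // context is installed directly like this.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                new CustomUserDetails(principal),
                "password",
                AuthorityUtils.createAuthorityList("ROLE_USER"));

        // A fresh context rather than SecurityContextHolder.getContext(): the test
        // execution listener installs this context before each test and clears it
        // afterwards, so nothing leaks between tests or threads.
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        return ctx;
    }
}
```

The annotation's defaults (id 0, rob@example.com) make the plain @WithCustomUser on slide 82 run as Rob, while slide 83 overrides them to run as Luke; a test that asserts Rob cannot read Luke's inbox needs both.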
84. Testing Support: "…what about Spring Test MVC?"

85. Testing Support
   ...
   public class SecurityMockMvcTests {
     @Before
     public void setup() {
       mvc = MockMvcBuilders
           .webAppContextSetup(context)
           .apply(springSecurity())
           .build();
     }
   springSecurity() (from SecurityMockMvcConfigurers) adds the springSecurityFilterChain to MockMvc; without it the filters, and therefore every security rule, are never exercised.

86. Testing Support
   @Test
   @WithCustomUser
   public void inboxShowsOnlyTo() throws Exception {
     ...
   }

87. Testing Support
   @Test
   @WithCustomUser(id=1, email="luke@example.com")
   public void inboxShowsOnlyTo() throws Exception {
     ...
   }

88. Testing Support
   @Test
   @WithCustomUser
   public void compose() throws Exception {
     MockHttpServletRequestBuilder compose = post("/")
         .param("summary", "Hello Luke")
         .param("message", "This is my message")
         .with(csrf());
     mvc
       .perform(compose)
       .andExpect(status().is2xxSuccessful());
   }
   csrf() supplies a valid token for the request; without it the POST is rejected with 403, exactly as a forged cross-site request would be.
89. WebSocket Security

90. Demo: Web Socket Authorization

91. WebSocket Authorization (diagram: the browser client sends to /app/im, handled by @MessageMapping("/im"); replies arrive on /queue/messages-user<id>)

92. WebSocket Authorization
   @Configuration
   public class WebSocketSecurityConfig extends
       AbstractSecurityWebSocketMessageBrokerConfigurer {

93. WebSocket Authorization
   protected void configure(MessageSecurityMetadataSourceRegistry messages) {
     messages
       .matchers(message("/topic/**", "/queue/**")).denyAll()
       .anyMessage().hasRole("USER");
   }

94. WebSocket Authorization
   // avoid processing outbound channel
   public void configureClientOutboundChannel(ChannelRegistration registration) {}
   (The base class would otherwise register its interceptor on the outbound, server-to-client channel as well; the authorization rules above are enforced on the inbound channel.)
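The deck predates the 4.0.0 release, and slide 93 uses a pre-release matcher API. The configuration below is an added example (not from the deck or its repository) written against the API as released in 4.0: it expresses the same intent as slides 91–94, denying the raw broker destinations, with a deny-by-default rule set and the CSRF check on the STOMP CONNECT frame left on. It assumes the broker layout implied by slide 91: application prefix /app, a simple broker serving /queue and /topic, and per-user queues that clients address as /user/queue/....

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry;
import org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer;

// Assumes application prefix /app, simple broker on /queue and /topic, and user
// destinations under /user/queue (the deck's broker configuration is not shown).
@Configuration
public class WebSocketSecurityConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {

    @Override
    protected void configure(MessageSecurityMetadataSourceRegistry messages) {
        // First match wins, so the rules run from specific to general and end in denyAll().
        messages
            // Frames that carry no destination: any authenticated client may open and
            // close its own session.
            .simpTypeMatchers(SimpMessageType.CONNECT, SimpMessageType.UNSUBSCRIBE,
                              SimpMessageType.DISCONNECT).authenticated()
            // SEND (and SUBSCRIBE) to the application's @MessageMapping handlers only.
            .simpDestMatchers("/app/**").hasRole("USER")
            // A client may subscribe only to its own per-user queue. The broker rewrites
            // /user/queue/messages to /queue/messages-user<session id>, so a client
            // cannot name another user's queue.
            .simpSubscribeDestMatchers("/user/queue/**").hasRole("USER")
            // Raw broker destinations are off limits in both directions: subscribing to
            // /queue/** would expose every user's queue, and sending to /topic/** or
            // /queue/** would let a client publish as if it were the server.
            .simpDestMatchers("/topic/**", "/queue/**").denyAll()
            // Anything not listed above is denied.
            .anyMessage().denyAll();
    }

    @Override
    protected boolean sameOriginDisabled() {
        // false (the default) keeps the CSRF check on the CONNECT frame: the client must
        // send the CSRF token as a STOMP header, so a page on another origin cannot open
        // a socket riding on the victim's session cookie.
        return false;
    }
}
```

Because the destination checks run on the inbound channel before the broker sees the frame, a subscription to /queue/messages-user42 from another user's browser is rejected at SUBSCRIBE time rather than silently delivering nothing.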
95. WebSocket Security: Spring Session

96. Learn More. Stay Connected.
   • Source: http://github.com/rwinch/spring-security-0-to-4.0
   • http://spring.io/spring-security
   • Twitter: @rob_winch
   • Security for Microservices with Spring & OAuth2 – 4:30 Today
