SlideShare a Scribd company logo

Fun With Spring Security

Burt Beckwith
Burt Beckwith

GR8Conf India 2016

Software
1 of 19
Download to read offline
Fun With Spring Security Burt Beckwith
It Doesn't Work … Please Help ● Step one is always to enable debug logging ● Grails 2 ● Grails 3+ log4j = { debug 'org.springframework.security', trace 'grails.plugin.springsecurity' // optional debug 'org.hibernate.SQL' trace 'org.hibernate.type.descriptor.sql.BasicBinder' } logger 'org.springframework.security', DEBUG logger 'grails.plugin.springsecurity', TRACE // optional logger 'org.hibernate.SQL', DEBUG logger 'org.hibernate.type.descriptor.sql.BasicBinder', TRACE
Checking match of request : '/secure/index'; against '/assets/**' Checking match of request : '/secure/index'; against '/**/js/**' Checking match of request : '/secure/index'; against '/**/css/**' Checking match of request : '/secure/index'; against '/**/images/**' Checking match of request : '/secure/index'; against '/**/favicon.ico' Request '/secure/index' matched by universal pattern '/**' Determining The Filter Chain
Walking The Filter Chain FilterChainProxy - /secure/index at position 1 of 9 in additional filter chain; firing Filter: 'SecurityRequestHolderFilter' FilterChainProxy - /secure/index at position 2 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' HttpSessionSecurityContextRepository - No HttpSession currently exists HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created. FilterChainProxy - /secure/index at position 3 of 9 in additional filter chain; firing Filter: 'MutableLogoutFilter' AntPathRequestMatcher - Checking match of request : '/secure/index'; against '/logoff' FilterChainProxy - /secure/index at position 4 of 9 in additional filter chain; firing Filter: 'OrganizationFilter' FilterChainProxy - /secure/index at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
Walking The Filter Chain (cont.) FilterChainProxy - /secure/index at position 6 of 9 in additional filter chain; firing Filter: 'GrailsRememberMeAuthenticationFilter' FilterChainProxy - /secure/index at position 7 of 9 in additional filter chain; firing Filter: 'GrailsAnonymousAuthenticationFilter' GrailsAnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'grails.plugin.springsecurity.authentication.GrailsAnonymousAuthenti cationToken@dc4337e: Principal: org.springframework.security.core.userdetails.User@dc730200: Username: __grails.anonymous.user__; Password: [PROTECTED]; Enabled: false; AccountNonExpired: false; credentialsNonExpired: false; AccountNonLocked: false; Granted Authorities: ROLE_ANONYMOUS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDet ails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' FilterChainProxy - /secure/index at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' FilterChainProxy - /secure/index at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
Failed Login FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /secure/index; Attributes: [ROLE_USER] FilterSecurityInterceptor - Previously Authenticated: grails.plugin.springsecurity.authentication.GrailsAnonymousAuthentic ationToken RoleHierarchyImpl - getReachableGrantedAuthorities() - From the roles [ROLE_ANONYMOUS] one can reach [ROLE_ANONYMOUS] in zero or more steps. WebExpressionVoter - No WebExpressionConfigAttribute found ClosureVoter - No ClosureConfigAttribute found ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
Failed Login (cont.) ProviderManager - Authentication attempt using hacking.extralogin.auth.OrganizationAuthenticationProvider TokenBasedRememberMeServices - Interactive login attempt was unsuccessful. TokenBasedRememberMeServices - Cancelling cookie AjaxAwareAuthenticationFailureHandler - Redirecting to /login/authfail?login_error=1 GrailsRedirectStrategy - Redirecting to '/login/authfail? login_error=1' HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Successful Login AntPathRequestMatcher - Request '/login/authenticate' matched by universal pattern '/**' FilterChainProxy - /login/authenticate at position 1 of 9 in additional filter chain; firing Filter: 'SecurityRequestHolderFilter' FilterChainProxy - /login/authenticate at position 2 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@232c542c. A new one will be created. FilterChainProxy - /login/authenticate at position 3 of 9 in additional filter chain; firing Filter: 'MutableLogoutFilter'
Successful Login (cont.) AntPathRequestMatcher - Checking match of request : '/login/authenticate'; against '/logoff' FilterChainProxy - /login/authenticate at position 4 of 9 in additional filter chain; firing Filter: 'OrganizationFilter' ProviderManager - Authentication attempt using hacking.extralogin.auth.OrganizationAuthenticationProvider RoleHierarchyImpl - getReachableGrantedAuthorities() - From the roles [ROLE_USER] one can reach [ROLE_USER] in zero or more steps. SessionFixationProtectionStrategy - Invalidating session with Id '59DB715075D9716460E931ACEB6D60FB' and migrating attributes. SessionFixationProtectionStrategy - Started new session: 5B4C50B452A7FA2D5E7253AF68EC9E15 TokenBasedRememberMeServices - Did not send remember-me cookie (principal did not set parameter 'remember-me')
Successful Login (cont.) TokenBasedRememberMeServices - Remember-me login not requested. AjaxAwareAuthenticationSuccessHandler - Redirecting to DefaultSavedRequest Url: http://localhost:8080/secure/index GrailsRedirectStrategy - Redirecting to 'http://localhost:8080/secure/index' HttpSessionSecurityContextRepository - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@bbd64 3f3: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenti cationToken@bbd643f3: Principal: grails.plugin.springsecurity.userdetails.GrailsUser ... Granted Authorities: ROLE_USER' stored to HttpSession HttpSessionRequestCache - Removing DefaultSavedRequest from session if present SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Demo Apps ● Source is available at https://github.com/burtbeckwith/FunWithSpringSecurity
Auto-assigning Roles ● You don't have to store all granted roles – some can be inferred ● Use existing attributes, a user class hierarchy, etc. in a custom UserDetailsService ● See the “autorole” demo app
Not Using Roles ● You don't have to store role information at all; they can be entirely inferred ● See the “noroles” demo app
Hacking New Delhi ● To demonstrate creating a custom authentication process, I updated the demo app from Greach 2015 (“hacking_madrid”) which was an update of the demo app from GGX 2011 (“hacking_london”) ● Updated to Grails 3, spring-security-core 3.0.3 ● Adds an “organization” drop-down to the login page in addition to username and password ● See the “hacking_newdelhi” demo app
Locking After Multiple Auth Fails ● Spring Security generates events for several scenarios ● One is a failed login because of an incorrect or missing password ● To slow down attackers attempting to hack your app by brute force, you can listen for AuthenticationFailureBadCredentialsEvent and lock the user's account after N failures ● See the “lockout” demo app
X.509 ● Spring Security supports using browser certificates to authenticate ● There aren't a lot of steps required to configure this, but it can be confusing ● See the “x509” demo app
X.509 Chained ● I've been mulling over the idea of adding support for using more than one AuthenticationProvider to authenticate ● X.509 seems like a good candidate, since if you have physical access to a user's browser you can perform actions with their account; adding a second authentication phase (e.g. typical form auth) would be more secure ● See the “x509chained” demo app

Recommended

Spring Security
Spring SecuritySpring Security
Spring SecuritySumit Gole
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3Jason Ferguson
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Spring security
Spring securitySpring security
Spring securitySaurabh Sharma
 
Spring Security
Spring SecuritySpring Security
Spring SecurityManish Sharma
 
Spring Security Introduction
Spring Security IntroductionSpring Security Introduction
Spring Security IntroductionMindfire Solutions
 
Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityJoris Kuipers
 

Recommended

Spring Security
Spring SecuritySpring Security
Spring SecuritySumit Gole
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3Jason Ferguson
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Spring security
Spring securitySpring security
Spring securitySaurabh Sharma
 
Spring Security
Spring SecuritySpring Security
Spring SecurityManish Sharma
 
Spring Security Introduction
Spring Security IntroductionSpring Security Introduction
Spring Security IntroductionMindfire Solutions
 
Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityJoris Kuipers
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIROCygnet Infotech
 
Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechFernando Redondo Ramírez
 
What's New in spring-security-core 2.0
What's New in spring-security-core 2.0What's New in spring-security-core 2.0
What's New in spring-security-core 2.0Burt Beckwith
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
Hacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 PluginHacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 PluginBurt Beckwith
 
Learn Apache Shiro
Learn Apache ShiroLearn Apache Shiro
Learn Apache ShiroSmita Prasad
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework'sMohammed Fazuluddin
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache ShiroClaire Hunsaker
 
Java Security
Java SecurityJava Security
Java Securityelliando dias
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkErlend Oftedal
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web SecuritySharePointRadi
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 
Spring security
Spring securitySpring security
Spring securitySlimen Belhaj Ali
 
Advanced GORM - Performance, Customization and Monitoring
Advanced GORM - Performance, Customization and MonitoringAdvanced GORM - Performance, Customization and Monitoring
Advanced GORM - Performance, Customization and MonitoringBurt Beckwith
 

More Related Content

What's hot

J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIROCygnet Infotech
 
What's New in spring-security-core 2.0
What's New in spring-security-core 2.0What's New in spring-security-core 2.0
What's New in spring-security-core 2.0Burt Beckwith
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
Hacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 PluginHacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 PluginBurt Beckwith
 
Learn Apache Shiro
Learn Apache ShiroLearn Apache Shiro
Learn Apache ShiroSmita Prasad
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkErlend Oftedal
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 

What's hot (20)

J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIRO
 
Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 Speech
 
What's New in spring-security-core 2.0
What's New in spring-security-core 2.0What's New in spring-security-core 2.0
What's New in spring-security-core 2.0
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0
 
Hacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 PluginHacking the Grails Spring Security 2.0 Plugin
Hacking the Grails Spring Security 2.0 Plugin
 
Learn Apache Shiro
Learn Apache ShiroLearn Apache Shiro
Learn Apache Shiro
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework's
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
Java Security
Java SecurityJava Security
Java Security
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecture
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 

Viewers also liked

Advanced GORM - Performance, Customization and Monitoring
Advanced GORM - Performance, Customization and MonitoringAdvanced GORM - Performance, Customization and Monitoring
Advanced GORM - Performance, Customization and MonitoringBurt Beckwith
 
Little Did He Know ...
Little Did He Know ...Little Did He Know ...
Little Did He Know ...Burt Beckwith
 
Grails Worst Practices
Grails Worst PracticesGrails Worst Practices
Grails Worst PracticesBurt Beckwith
 
Hacking the Grails Spring Security Plugins
Hacking the Grails Spring Security PluginsHacking the Grails Spring Security Plugins
Hacking the Grails Spring Security PluginsGR8Conf
 
When the saints go marching in recorder
When the saints go marching in recorderWhen the saints go marching in recorder
When the saints go marching in recorderChris Kozak
 
Geb+spock: let your functional tests live long and prosper
Geb+spock: let your functional tests live long and prosperGeb+spock: let your functional tests live long and prosper
Geb+spock: let your functional tests live long and prosperEsther Lozano
 
GriffDnie (Griffon Demo)
GriffDnie (Griffon Demo)GriffDnie (Griffon Demo)
GriffDnie (Griffon Demo)Jorge Aguilera
 
Macro macro, burrito burrit
Macro macro, burrito burritMacro macro, burrito burrit
Macro macro, burrito burritMario García
 
Introducing thymeleaf
Introducing thymeleafIntroducing thymeleaf
Introducing thymeleafeiryu
 
Angular2 - getting-ready
Angular2 - getting-ready Angular2 - getting-ready
Angular2 - getting-ready Nir Kaufman
 
아라한사의 스프링 시큐리티 정리
아라한사의 스프링 시큐리티 정리아라한사의 스프링 시큐리티 정리
아라한사의 스프링 시큐리티 정리라한사 아
 

Viewers also liked (16)

Spring security
Spring securitySpring security
Spring security
 
Advanced GORM - Performance, Customization and Monitoring
Advanced GORM - Performance, Customization and MonitoringAdvanced GORM - Performance, Customization and Monitoring
Advanced GORM - Performance, Customization and Monitoring
 
Little Did He Know ...
Little Did He Know ...Little Did He Know ...
Little Did He Know ...
 
Grails Transactions
Grails TransactionsGrails Transactions
Grails Transactions
 
Grails Worst Practices
Grails Worst PracticesGrails Worst Practices
Grails Worst Practices
 
Hacking the Grails Spring Security Plugins
Hacking the Grails Spring Security PluginsHacking the Grails Spring Security Plugins
Hacking the Grails Spring Security Plugins
 
When the saints go marching in recorder
When the saints go marching in recorderWhen the saints go marching in recorder
When the saints go marching in recorder
 
Geb+spock: let your functional tests live long and prosper
Geb+spock: let your functional tests live long and prosperGeb+spock: let your functional tests live long and prosper
Geb+spock: let your functional tests live long and prosper
 
De Java a Swift pasando por Groovy
De Java a Swift pasando por GroovyDe Java a Swift pasando por Groovy
De Java a Swift pasando por Groovy
 
GriffDnie (Griffon Demo)
GriffDnie (Griffon Demo)GriffDnie (Griffon Demo)
GriffDnie (Griffon Demo)
 
Macro macro, burrito burrit
Macro macro, burrito burritMacro macro, burrito burrit
Macro macro, burrito burrit
 
Introducing thymeleaf
Introducing thymeleafIntroducing thymeleaf
Introducing thymeleaf
 
Angular2 - getting-ready
Angular2 - getting-ready Angular2 - getting-ready
Angular2 - getting-ready
 
아라한사의 스프링 시큐리티 정리
아라한사의 스프링 시큐리티 정리아라한사의 스프링 시큐리티 정리
아라한사의 스프링 시큐리티 정리
 
Introduction to thymeleaf
Introduction to thymeleafIntroduction to thymeleaf
Introduction to thymeleaf
 
스프링컨트롤러예외처리,@ExceptionHandler, @ControllerAdvice
스프링컨트롤러예외처리,@ExceptionHandler, @ControllerAdvice스프링컨트롤러예외처리,@ExceptionHandler, @ControllerAdvice
스프링컨트롤러예외처리,@ExceptionHandler, @ControllerAdvice
 

Similar to Fun With Spring Security

TangoWithDjango - ch8
TangoWithDjango - ch8TangoWithDjango - ch8
TangoWithDjango - ch8Asika Kuo
 
JavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developersJavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developersFestGroup
 
Mitigating data theft_in_android
Mitigating data theft_in_androidMitigating data theft_in_android
Mitigating data theft_in_androidRashmi Bhandari
 
CBSecurity 3 - Secure Your ColdBox Applications
CBSecurity 3 - Secure Your ColdBox ApplicationsCBSecurity 3 - Secure Your ColdBox Applications
CBSecurity 3 - Secure Your ColdBox ApplicationsOrtus Solutions, Corp
 
Testing the Grails Spring Security Plugins
Testing the Grails Spring Security PluginsTesting the Grails Spring Security Plugins
Testing the Grails Spring Security PluginsBurt Beckwith
 
How to implement multiple authentication guards in laravel 8
How to implement multiple authentication guards in laravel 8How to implement multiple authentication guards in laravel 8
How to implement multiple authentication guards in laravel 8Katy Slemon
 
Building Grails Plugins - Tips And Tricks
Building Grails Plugins - Tips And TricksBuilding Grails Plugins - Tips And Tricks
Building Grails Plugins - Tips And TricksMike Hugo
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfjcarrey
 
How to execute Automation Testing using Selenium
How to execute Automation Testing using SeleniumHow to execute Automation Testing using Selenium
How to execute Automation Testing using Seleniumvaluebound
 
Securing your Oracle Fusion Middleware Environment, On-Prem and in the Cloud
Securing your Oracle Fusion Middleware Environment, On-Prem and in the CloudSecuring your Oracle Fusion Middleware Environment, On-Prem and in the Cloud
Securing your Oracle Fusion Middleware Environment, On-Prem and in the CloudRevelation Technologies
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net frameworkLalit Kale
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickMichael Man
 
Lesson_07_Spring_Security_Login_NEW.pdf
Lesson_07_Spring_Security_Login_NEW.pdfLesson_07_Spring_Security_Login_NEW.pdf
Lesson_07_Spring_Security_Login_NEW.pdfScott Anderson
 
Detecting headless browsers
Detecting headless browsersDetecting headless browsers
Detecting headless browsersSergey Shekyan
 
My first zf presentation part two
My first zf presentation part twoMy first zf presentation part two
My first zf presentation part twoisaaczfoster
 

Similar to Fun With Spring Security (20)

Spring Security.ppt
Spring Security.pptSpring Security.ppt
Spring Security.ppt
 
TangoWithDjango - ch8
TangoWithDjango - ch8TangoWithDjango - ch8
TangoWithDjango - ch8
 
JavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developersJavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developers
 
Mitigating data theft_in_android
Mitigating data theft_in_androidMitigating data theft_in_android
Mitigating data theft_in_android
 
CBSecurity 3 - Secure Your ColdBox Applications
CBSecurity 3 - Secure Your ColdBox ApplicationsCBSecurity 3 - Secure Your ColdBox Applications
CBSecurity 3 - Secure Your ColdBox Applications
 
Testing the Grails Spring Security Plugins
Testing the Grails Spring Security PluginsTesting the Grails Spring Security Plugins
Testing the Grails Spring Security Plugins
 
How to implement multiple authentication guards in laravel 8
How to implement multiple authentication guards in laravel 8How to implement multiple authentication guards in laravel 8
How to implement multiple authentication guards in laravel 8
 
Pyramid Security
Pyramid SecurityPyramid Security
Pyramid Security
 
Building Grails Plugins - Tips And Tricks
Building Grails Plugins - Tips And TricksBuilding Grails Plugins - Tips And Tricks
Building Grails Plugins - Tips And Tricks
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdf
 
securing-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdfsecuring-portlets-with-spring-security.pdf
securing-portlets-with-spring-security.pdf
 
How to execute Automation Testing using Selenium
How to execute Automation Testing using SeleniumHow to execute Automation Testing using Selenium
How to execute Automation Testing using Selenium
 
Securing your Oracle Fusion Middleware Environment, On-Prem and in the Cloud
Securing your Oracle Fusion Middleware Environment, On-Prem and in the CloudSecuring your Oracle Fusion Middleware Environment, On-Prem and in the Cloud
Securing your Oracle Fusion Middleware Environment, On-Prem and in the Cloud
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security Brick
 
Lesson_07_Spring_Security_Login_NEW.pdf
Lesson_07_Spring_Security_Login_NEW.pdfLesson_07_Spring_Security_Login_NEW.pdf
Lesson_07_Spring_Security_Login_NEW.pdf
 
Detecting headless browsers
Detecting headless browsersDetecting headless browsers
Detecting headless browsers
 
My first zf presentation part two
My first zf presentation part twoMy first zf presentation part two
My first zf presentation part two
 
Java EE Services
Java EE ServicesJava EE Services
Java EE Services
 

Recently uploaded

Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in sowetomasabamasaba
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxAnnaArtyushina1
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...chiefasafspells
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...masabamasaba
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benonimasabamasaba
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 

Recently uploaded (20)

Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 

Fun With Spring Security

  • 1. Fun With Spring Security Burt Beckwith
  • 2.
  • 3. It Doesn't Work … Please Help ● Step one is always to enable debug logging ● Grails 2 ● Grails 3+ log4j = { debug 'org.springframework.security', trace 'grails.plugin.springsecurity' // optional debug 'org.hibernate.SQL' trace 'org.hibernate.type.descriptor.sql.BasicBinder' } logger 'org.springframework.security', DEBUG logger 'grails.plugin.springsecurity', TRACE // optional logger 'org.hibernate.SQL', DEBUG logger 'org.hibernate.type.descriptor.sql.BasicBinder', TRACE
  • 4.
  • 5. Checking match of request : '/secure/index'; against '/assets/**' Checking match of request : '/secure/index'; against '/**/js/**' Checking match of request : '/secure/index'; against '/**/css/**' Checking match of request : '/secure/index'; against '/**/images/**' Checking match of request : '/secure/index'; against '/**/favicon.ico' Request '/secure/index' matched by universal pattern '/**' Determining The Filter Chain
  • 6. Walking The Filter Chain FilterChainProxy - /secure/index at position 1 of 9 in additional filter chain; firing Filter: 'SecurityRequestHolderFilter' FilterChainProxy - /secure/index at position 2 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' HttpSessionSecurityContextRepository - No HttpSession currently exists HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created. FilterChainProxy - /secure/index at position 3 of 9 in additional filter chain; firing Filter: 'MutableLogoutFilter' AntPathRequestMatcher - Checking match of request : '/secure/index'; against '/logoff' FilterChainProxy - /secure/index at position 4 of 9 in additional filter chain; firing Filter: 'OrganizationFilter' FilterChainProxy - /secure/index at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
  • 7. Walking The Filter Chain (cont.) FilterChainProxy - /secure/index at position 6 of 9 in additional filter chain; firing Filter: 'GrailsRememberMeAuthenticationFilter' FilterChainProxy - /secure/index at position 7 of 9 in additional filter chain; firing Filter: 'GrailsAnonymousAuthenticationFilter' GrailsAnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'grails.plugin.springsecurity.authentication.GrailsAnonymousAuthenti cationToken@dc4337e: Principal: org.springframework.security.core.userdetails.User@dc730200: Username: __grails.anonymous.user__; Password: [PROTECTED]; Enabled: false; AccountNonExpired: false; credentialsNonExpired: false; AccountNonLocked: false; Granted Authorities: ROLE_ANONYMOUS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDet ails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' FilterChainProxy - /secure/index at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' FilterChainProxy - /secure/index at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
  • 8. Failed Login FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /secure/index; Attributes: [ROLE_USER] FilterSecurityInterceptor - Previously Authenticated: grails.plugin.springsecurity.authentication.GrailsAnonymousAuthentic ationToken RoleHierarchyImpl - getReachableGrantedAuthorities() - From the roles [ROLE_ANONYMOUS] one can reach [ROLE_ANONYMOUS] in zero or more steps. WebExpressionVoter - No WebExpressionConfigAttribute found ClosureVoter - No ClosureConfigAttribute found ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
  • 9. Failed Login (cont.) ProviderManager - Authentication attempt using hacking.extralogin.auth.OrganizationAuthenticationProvider TokenBasedRememberMeServices - Interactive login attempt was unsuccessful. TokenBasedRememberMeServices - Cancelling cookie AjaxAwareAuthenticationFailureHandler - Redirecting to /login/authfail?login_error=1 GrailsRedirectStrategy - Redirecting to '/login/authfail? login_error=1' HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
  • 10. Successful Login AntPathRequestMatcher - Request '/login/authenticate' matched by universal pattern '/**' FilterChainProxy - /login/authenticate at position 1 of 9 in additional filter chain; firing Filter: 'SecurityRequestHolderFilter' FilterChainProxy - /login/authenticate at position 2 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@232c542c. A new one will be created. FilterChainProxy - /login/authenticate at position 3 of 9 in additional filter chain; firing Filter: 'MutableLogoutFilter'
  • 11. Successful Login (cont.) AntPathRequestMatcher - Checking match of request : '/login/authenticate'; against '/logoff' FilterChainProxy - /login/authenticate at position 4 of 9 in additional filter chain; firing Filter: 'OrganizationFilter' ProviderManager - Authentication attempt using hacking.extralogin.auth.OrganizationAuthenticationProvider RoleHierarchyImpl - getReachableGrantedAuthorities() - From the roles [ROLE_USER] one can reach [ROLE_USER] in zero or more steps. SessionFixationProtectionStrategy - Invalidating session with Id '59DB715075D9716460E931ACEB6D60FB' and migrating attributes. SessionFixationProtectionStrategy - Started new session: 5B4C50B452A7FA2D5E7253AF68EC9E15 TokenBasedRememberMeServices - Did not send remember-me cookie (principal did not set parameter 'remember-me')
  • 12. Successful Login (cont.) TokenBasedRememberMeServices - Remember-me login not requested. AjaxAwareAuthenticationSuccessHandler - Redirecting to DefaultSavedRequest Url: http://localhost:8080/secure/index GrailsRedirectStrategy - Redirecting to 'http://localhost:8080/secure/index' HttpSessionSecurityContextRepository - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@bbd64 3f3: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenti cationToken@bbd643f3: Principal: grails.plugin.springsecurity.userdetails.GrailsUser ... Granted Authorities: ROLE_USER' stored to HttpSession HttpSessionRequestCache - Removing DefaultSavedRequest from session if present SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
  • 13. Demo Apps ● Source is available at https://github.com/burtbeckwith/FunWithSpringSecurity
  • 14. Auto-assigning Roles ● You don't have to store all granted roles – some can be inferred ● Use existing attributes, a user class hierarchy, etc. in a custom UserDetailsService ● See the “autorole” demo app
  • 15. Not Using Roles ● You don't have to store role information at all; they can be entirely inferred ● See the “noroles” demo app
  • 16. Hacking New Delhi ● To demonstrate creating a custom authentication process, I updated the demo app from Greach 2015 (“hacking_madrid”) which was an update of the demo app from GGX 2011 (“hacking_london”) ● Updated to Grails 3, spring-security-core 3.0.3 ● Adds an “organization” drop-down to the login page in addition to username and password ● See the “hacking_newdelhi” demo app
  • 17. Locking After Multiple Auth Fails ● Spring Security generates events for several scenarios ● One is a failed login because of an incorrect or missing password ● To slow down attackers attempting to hack your app by brute force, you can listen for AuthenticationFailureBadCredentialsEvent and lock the user's account after N failures ● See the “lockout” demo app
  • 18. X.509 ● Spring Security supports using browser certificates to authenticate ● There aren't a lot of steps required to configure this, but it can be confusing ● See the “x509” demo app
  • 19. X.509 Chained ● I've been mulling over the idea of adding support for using more than one AuthenticationProvider to authenticate ● X.509 seems like a good candidate, since if you have physical access to a user's browser you can perform actions with their account; adding a second authentication phase (e.g. typical form auth) would be more secure ● See the “x509chained” demo app