Java & JWT
Stateless authentication
Karlo Novak, SV Group d.o.o.
karlo.novak@svgroup.hr
Contents
• Stateful authentication
• JSON Web Tokens
• Java and JWT
• Implementation with Spring
• Conclusion
Stateful authentication 1/5
• Cookies are the “classic” mechanism for keeping a user authenticated across different requests from the same user (a session)
• The session ID is kept in memory on the server, which creates state
– this makes scaling harder
Stateful authentication 2/5
The session is stored in memory and identified by a cookie that the user sends with every request.
What if we have more than one application server?
Stateful authentication 3/5
We have to find a way for both servers to recognise the same cookie!
Stateful authentication 4/5
What if the application server that holds the user's session crashes?
Solution 1 – Sticky session
Stateful authentication 5/5
Does every request hit the database?
We can introduce a cache, but that is hard to scale (to a larger number of servers)
Solution 2 – Session in the database
JSON Web Tokens
• An open standard that enables secure transfer of information between different parties (systems, users, ...)
• Most often used for authentication, but it can also be used to carry other data
It is used after a successful initial authentication! (e.g. with Basic Auth)
Token structure
• Header – token type and the hashing (signature) algorithm
• Payload – the data, i.e. the claims; they can be reserved, public or private
• Signature – a signature confirming that the user is not impersonating someone else and that the message was not altered in transit
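To make the three parts concrete, here is an added example (not from the talk) that signs and verifies an HS256 token using only the JDK; the key and the claims are constructed for the demo, and the header check is a string match rather than real JSON parsing.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Builds and verifies an HS256 JWT by hand to show what the three parts are and what the signature covers. */
public class Hs256Jwt {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.US_ASCII));
    }

    /** header.payload.signature: the HMAC is computed over "header.payload" exactly as transmitted. */
    public static String sign(byte[] key, String payloadJson) throws Exception {
        String header = ENC.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = ENC.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + ENC.encodeToString(hmac(key, signingInput));
    }

    /** Returns the payload JSON if the token has three parts and a matching HS256 signature, otherwise null. */
    public static String verify(byte[] key, String token) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return null;
        try {
            // The verifier pins the algorithm it accepts; the header's "alg" is data, not an instruction.
            // (A real implementation parses the JSON instead of matching the string.)
            String header = new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
            if (!header.contains("\"alg\":\"HS256\"")) return null;
            byte[] expected = hmac(key, parts[0] + "." + parts[1]);
            // Constant-time comparison so the signature check does not leak timing information.
            if (!MessageDigest.isEqual(expected, DEC.decode(parts[2]))) return null;
            // Claims such as "exp" still have to be checked by the caller after this point.
            return new String(DEC.decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedBase64) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8); // constructed
        String token = sign(key, "{\"sub\":\"karlo\",\"exp\":1700000000}");
        System.out.println(token);
        System.out.println("valid:    " + (verify(key, token) != null));
        // Swap the payload for a different subject but keep the old signature: verification fails.
        String[] p = token.split("\\.");
        String tampered = p[0] + "." + ENC.encodeToString("{\"sub\":\"someone-else\"}".getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        System.out.println("tampered: " + (verify(key, tampered) != null));
    }
}
```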
JWT in action
The token is not stored in memory, in a database or in a cache!
Stateless authentication ✓
Java and JWT
• JWT is (currently) relatively poorly supported
• The 3 most popular libraries for generating and verifying tokens:
– JJWT
– Nimbus
– Java JWT
• Most popular security frameworks still do not support JWT out of the box
How to implement it?
• A manual implementation using one of the libraries listed above is required
• Ideal if we have a security framework that can easily be extended....
Spring Security + JWT
Filter chain, in order:
SecurityContextPersistenceFilter
LogoutFilter
UsernamePasswordProcessingFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
Resource
NašJwtFilter (our JWT filter) is inserted into this chain
Spring Security + JWT
AuthenticationManager
  AuthenticationProvider
    DaoAuthenticationProvider, LdapAuthenticationProvider, JWTAuthenticationProvider
Spring Security + JWT
The filter fetches the token from the HTTP request and sends it to the AuthenticationManager for verification
Spring Security + JWT
The AuthenticationProvider parses the token with the help of the JWT library and extracts the data from it.
In this case that is the username, from which a User object is created and stored in the SecurityContext
as the logged-in user. If that object is set, Spring Security lets the user through to the protected resource.
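The filter and provider described on these slides, written out as an added example (not the speaker's code). It assumes Spring Security 5.x with the javax.servlet API, JJWT 0.11.x, Java 9+, a bearer token in the Authorization header, an injected HS256 key shared with the token issuer, and a fixed ROLE_USER authority; registering the filter in the chain and the provider with the AuthenticationManager is left to the Spring configuration.

```java
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import java.io.IOException;
import java.util.List;
import javax.crypto.SecretKey;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/** Unauthenticated Authentication carrying the raw JWT from the filter to the AuthenticationManager. */
class JwtAuthenticationToken extends AbstractAuthenticationToken {
    private final String rawToken;
    JwtAuthenticationToken(String rawToken) { super(null); this.rawToken = rawToken; }
    @Override public Object getCredentials() { return rawToken; }
    @Override public Object getPrincipal() { return null; }
}

/** The "NašJwtFilter" step: pull the bearer token out of the request and hand it to the manager. */
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final AuthenticationManager authenticationManager;
    JwtAuthenticationFilter(AuthenticationManager authenticationManager) { this.authenticationManager = authenticationManager; }

    @Override protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain) throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Authentication auth = authenticationManager.authenticate(new JwtAuthenticationToken(header.substring(7)));
                SecurityContextHolder.getContext().setAuthentication(auth); // logged-in user for this request only
            } catch (AuthenticationException e) {
                SecurityContextHolder.clearContext(); // bad token: stay anonymous, FilterSecurityInterceptor rejects later
            }
        }
        chain.doFilter(req, res);
    }
}

/** The JWTAuthenticationProvider step: verify the token with JJWT and build the principal from "sub". */
class JwtAuthenticationProvider implements AuthenticationProvider {
    private final SecretKey key; // assumed: the same HS256 key the token issuer signed with
    JwtAuthenticationProvider(SecretKey key) { this.key = key; }

    @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            // parseClaimsJws rejects unsigned tokens, wrong keys, malformed input and expired "exp" claims
            String username = Jwts.parserBuilder().setSigningKey(key).build()
                    .parseClaimsJws((String) authentication.getCredentials()).getBody().getSubject();
            List<SimpleGrantedAuthority> roles = List.of(new SimpleGrantedAuthority("ROLE_USER")); // assumed
            return new UsernamePasswordAuthenticationToken(username, null, roles); // 3-arg ctor: authenticated=true
        } catch (JwtException | IllegalArgumentException e) {
            throw new BadCredentialsException("Invalid JWT", e);
        }
    }

    @Override public boolean supports(Class<?> cls) { return JwtAuthenticationToken.class.isAssignableFrom(cls); }
}
```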
Storing the token on the client
• In local storage (HTML5)
– XSS?
• In.... a cookie!
– CSRF?
• Sent in a header with every request
Advantages of JWT
• Size
– Small, fits in an HTTP header, small transfer overhead
• Self-contained
– Contains all the information needed for authentication, which removes the need for repeated use of the database or another authentication resource
• Computable
– Does not need to be stored on the server; the data can be “computed” from the token on every request
Does it have any downsides?
• Every request needs CPU time to verify the token and “compute” the data from it
– On the other hand, a database lookup also takes a certain amount of time...
• Needs care when handled on the client
– Susceptible to XSS and CSRF attacks
• Not supported out of the box
Conclusion
The future = growth in Internet users
Growth in Internet users = scaling
Scaling = JWT
JWT = the future
Now over to you...
karlo.novak@svgroup.hr
Javantura v3 - Java & JWT Stateless authentication – Karlo Novak