It's not enough to secure your applications by simply locking the front door, expecting that that will keep attackers out. Modern web applications require security at many different levels: using appropriate HTTP headers, preventing CSRF and CORS attacks, matching URLs, securing method invocations, performing multi-tenancy and other ownership-based checks, etc.
In this presentation, Joris shows how to address these concerns with Spring Security, an OSS framework for securing Java-based web applications. He covers the built-in features, but also demonstrates how to extend those with custom functionality to meet the security needs that many applications have.
I did this presentation for one of my Java user groups at work.
Basically, this is a mashed up version of various presentations, slides and images that I gathered over the internet.
I've quoted the sources in the end. Feel free to reuse it as you like.
Building Layers of Defense with Spring Security
1. Building Layers of Defense with Spring Security
“We have to distrust each other.
It is our only defense against betrayal.”
― Tennessee Williams
2. About Me
Joris Kuipers (@jkuipers)
Hands-on architect and fly-by-night Spring trainer @ Trifork
@author tag in Spring Session’s support for Spring Security
3. Layers Of Defense
Security concerns many levels
Physical, hardware, network, OS, middleware, applications, process / social, …
This talk focuses on applications
4. Layers Of Defense
Web application has many layers to protect
Sometimes orthogonal
Often additive
5. Layers Of Defense
Additivity implies some redundancy
That’s by design
Don’t rely on just a single layer of defense
Might have an error in security config / impl
Might be circumvented
AKA Defense in depth
6. Spring Security
OSS framework for application-level authentication & authorization
Supports common standards & protocols
Works with any Java web application
8. Spring Security
Decouples authentication & authorization
Hooks into application through interceptors
Servlet Filters at web layer
Aspects at lower layers
Configured using Java-based fluent API
9. Spring Security Configuration
Steps to add Spring Security support:
1. Configure dependency and servlet filter chain
2. Centrally configure authentication
3. Centrally configure authorization
4. Configure code-specific authorization
10. Config: Authentication
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /* set up authentication: */
    @Autowired
    void configureGlobal(AuthenticationManagerBuilder authMgrBuilder) throws Exception {
        // myCustomUserDetailsService() is a bean method defined elsewhere in this class
        authMgrBuilder.userDetailsService(myCustomUserDetailsService());
    }

    // ...
11. Config: HTTP Authorization
    // continued inside SecurityConfig:

    /* ignore requests to these URLs (they bypass the filter chain entirely): */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/css/**", "/img/**", "/js/**", "/favicon.ico");
    }

    // ...
14. HTTP Response Headers
“We are responsible for actions performed in response to
circumstances for which we are not responsible”
― Allan Massie
15. Disable Browser Cache
Modern browsers also cache HTTPS responses
Attacker could see old page even after user logs out
In general not good for dynamic content
For URLs not ignored, these headers are added
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
16. Disable Content Sniffing
Content type guessed based on content
Attacker might upload polyglot file
Valid as both e.g. PostScript and JavaScript
JavaScript executed on download
Disabled using this header
X-Content-Type-Options: nosniff
17. Enable HSTS
HTTP Strict Transport Security
Enforce HTTPS for all requests to domain
Optionally incl. subdomains
Prevents man-in-the-middling initial request
Enabled by default for HTTPS requests:
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
18. HSTS War Story
Note: one HTTPS request triggers HSTS for entire domain and subdomains
Webapp might not support HTTPS-only
Domain may host more than just your application
Might be better handled by load balancer
19. Disable Framing
Prevent Clickjacking
Attacker embeds app in frame as invisible overlay
Tricks users into clicking on something they shouldn’t
All framing disabled using this header
Can configure other options, e.g. SAME ORIGIN
X-Frame-Options: DENY
20. Block X-XSS Content
Built-in browser support to recognize reflected XSS attacks
http://example.com/index.php?user=<script>alert(123)</script>
Ensure support is enabled and blocks (not fixes) content
X-XSS-Protection: 1; mode=block
21. Other Headers Support
Other headers you can configure (disabled by default):
HTTP Public Key Pinning (HPKP)-related
Content Security Policy-related
Referrer-Policy
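The header settings from slides 15 to 21 collected into one configuration class, as an added example rather than code from the deck. It uses the Spring Security 5.x HeadersConfigurer API that the slides' WebSecurityConfigurerAdapter belongs to; the class name and the CSP value are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

@Configuration
@EnableWebSecurity
public class HeadersConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            // Cache-Control/Pragma/Expires, X-Content-Type-Options: nosniff and
            // X-XSS-Protection are on by default; listed explicitly so that a
            // reviewer sees the complete header policy in one place.
            .cacheControl().and()
            .contentTypeOptions().and()
            .xssProtection().block(true).and()
            // Clickjacking: DENY is the default. Use .frameOptions().sameOrigin()
            // only if the application really frames its own pages.
            .frameOptions().deny()
            // HSTS is only emitted on HTTPS requests. Before enabling includeSubDomains,
            // make sure every host under the domain serves HTTPS (slide 18); when the
            // load balancer terminates TLS and sets the header itself, use
            // .httpStrictTransportSecurity().disable() here instead.
            .httpStrictTransportSecurity()
                .includeSubDomains(true)
                .maxAgeInSeconds(31536000)
                .and()
            // Disabled by default (slide 21): Content-Security-Policy and Referrer-Policy.
            // frame-ancestors is the CSP counterpart of X-Frame-Options for newer browsers.
            .contentSecurityPolicy("default-src 'self'; frame-ancestors 'none'; object-src 'none'")
                .and()
            .referrerPolicy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
                .and()
            .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

Remember that URLs excluded via web.ignoring() (slide 11) never pass through this filter chain, so none of these headers are added to their responses.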
22. CSRF / Session Riding Protection
“One thing I learned about riding is to look for trouble
before it happens.”
― Joe Davis
23. Cross-Site Request Forgery
CSRF tricks logged in users to make requests
Session cookie sent automatically
Look legit to server, but user never intended them
24. Cross-Site Request Forgery
Add session-specific token to all forms
Correct token means app initiated request
attacker cannot know token
Not needed for GET with proper HTTP verb usage
GETs should be safe
Also prevents leaking token through URL
25. CSRF Protection in Spring Security
Default: enabled for non-GET requests
Using session-scoped token
Include token as form request parameter
<form action="/logout" method="post">
    <input type="submit" value="Log out" />
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
26. CSRF Protection in Spring Security
Doesn’t work for JSON-sending SPAs
Store token in cookie and pass as header instead
No server-side session state, but still quite secure
Defaults work with AngularJS as-is
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .and()
        // additional configuration…
28. URL-based Authorization
Very common, esp. with role-based authorization
Map URL structure to authorities
Optionally including HTTP methods
Good for coarse-grained rules
31. URL-based Authorization
Can be tricky to do properly
Rules matched in order
Matchers might not behave like you think they do
Need to have a catch-all, either
    .anyRequest().authenticated();
or
    .anyRequest().denyAll();
32. URL Matching Rules Gotchas
http.authorizeRequests()
    .antMatchers("/products/inventory/**").hasRole("ADMIN")
    .antMatchers("/products/**").hasAnyRole("USER", "ADMIN")
    .antMatchers(…
Ordering very significant here: the more specific "/products/inventory/**" rule must come before "/products/**"!

    .antMatchers("/products/delete").hasRole("ADMIN")
Does NOT match /products/delete/ (trailing slash)!

    .mvcMatchers("/products/delete").hasRole("ADMIN")
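A complete configuration class for steps 2 and 3 of slide 9 (central authentication and central URL authorization) that applies the ordering and catch-all rules from slides 31 and 32. This is an added example, not code from the deck; it assumes Spring Security 5.x with WebSecurityConfigurerAdapter as on the slides, and the users "alice" and "bob" are constructed in memory to stand in for a real UserDetailsService.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class WebAppSecurityConfig extends WebSecurityConfigurerAdapter {

    // Step 2: central authentication. BCrypt as recommended on slide 49;
    // the two users are constructed sample data, not a real user store.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(passwordEncoder().encode("alice-pw"))
                .roles("USER", "ADMIN").build(),
            User.withUsername("bob").password(passwordEncoder().encode("bob-pw"))
                .roles("USER").build());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder());
    }

    // Static resources bypass the filter chain entirely, so no rule below
    // (and no security header) applies to them.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/css/**", "/img/**", "/js/**", "/favicon.ico");
    }

    // Step 3: central URL authorization. Rules are evaluated top to bottom and the
    // first match wins, so the most specific pattern has to come first.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // mvcMatchers use Spring MVC's own matching, so "/products/delete/"
                // (trailing slash) is covered too; with antMatchers that request would
                // fall through to the broader "/products/**" rule and reach any USER.
                .mvcMatchers("/products/delete").hasRole("ADMIN")
                .mvcMatchers(HttpMethod.DELETE, "/products/**").hasRole("ADMIN")
                .mvcMatchers("/products/inventory/**").hasRole("ADMIN")
                .mvcMatchers("/products/**").hasAnyRole("USER", "ADMIN")
                .mvcMatchers("/", "/login").permitAll()
                // Catch-all (slide 31): anything not listed above is denied rather than
                // silently left open. Use authenticated() when every logged-in user may
                // access the rest of the application.
                .anyRequest().denyAll()
                .and()
            .formLogin()
                .and()
            .logout();
    }
}
```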
37. Expressions in @Pre-/PostAuthorize
Built-ins
hasRole(), hasAnyRole(), isAuthenticated(), isAnonymous(), …
Can add your own…
Relatively complex
38. Expressions in @Pre-/PostAuthorize
…or just call a method on a Spring bean instead:

@PreAuthorize("@authChecks.isTreatedByCurrentUser(#patient)")
public void addReport(Patient patient, Report report) {
    // ...
}

@Service
public class AuthChecks {
    public boolean isTreatedByCurrentUser(Patient patient) {
        // ...
    }
}
39. Method-level Security
Support for standard Java @RolesAllowed
Role-based checks only
Enable explicitly
@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)

@RolesAllowed("ROLE_PRODUCT_MGR")
Product saveNew(ProductForm productForm) {
40. Programmatic Security
Easy programmatic access & checks
Nice for e.g. custom interceptors
Preferably not mixed with business logic
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null && auth.getPrincipal() instanceof MyUser) {
    MyUser user = (MyUser) auth.getPrincipal();
    // ...
}
41. Programmatic Use Cases
Look up current user to:
Perform authorization in custom filter/aspect
Populate Logger MDC
Pass current tenant as Controller method parameter
Auto-fill last-modified-by DB column
Propagate security context to worker thread
…
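The AuthChecks bean from slide 38 written out in full, combined with the programmatic lookup of the current user from slide 40 and the meta-annotation reuse mentioned in the editor's notes. This is an added example, not the deck's code; Patient, Report, PatientService and the TreatingDoctorOnly annotation are hypothetical, and it assumes @EnableGlobalMethodSecurity(prePostEnabled = true) is present as on slide 39.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;

/** Hypothetical domain object: a patient and the user names of the doctors treating them. */
class Patient {
    private final Set<String> treatingDoctors;
    Patient(Set<String> treatingDoctors) { this.treatingDoctors = treatingDoctors; }
    Set<String> getTreatingDoctors() { return treatingDoctors; }
}

/** Hypothetical report type. */
class Report { }

/**
 * Authorization checks as a plain Spring bean: the SpEL expression in @PreAuthorize
 * only delegates to it, so the logic is ordinary, unit-testable Java instead of a
 * complex expression string.
 */
@Service("authChecks")
public class AuthChecks {

    /** Programmatic access to the current user, kept out of the business logic. */
    public String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // No authentication, or the anonymous token: treat as "nobody".
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            return null;
        }
        Object principal = auth.getPrincipal();
        return principal instanceof UserDetails
            ? ((UserDetails) principal).getUsername()
            : auth.getName();
    }

    /** Horizontal access control: is the current user one of this patient's doctors? */
    public boolean isTreatedByCurrentUser(Patient patient) {
        String user = currentUsername();
        // Deny by default: no user, no patient, no access.
        return user != null && patient != null && patient.getTreatingDoctors().contains(user);
    }
}

/** Meta-annotation: the same rule reused on many methods, changed in one place. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@PreAuthorize("@authChecks.isTreatedByCurrentUser(#patient)")
@interface TreatingDoctorOnly { }

@Service
class PatientService {

    // The parameter must be named "patient" for #patient to resolve: compile with
    // -parameters (or debug info), or annotate it with @P("patient").
    @TreatingDoctorOnly
    public void addReport(Patient patient, Report report) {
        // business logic only; no security checks mixed in here
    }

    // Check the returned object rather than a parameter.
    @PostAuthorize("@authChecks.isTreatedByCurrentUser(returnObject)")
    public Patient findById(long id) {
        // hypothetical lookup; constructed sample data
        return new Patient(Set.of("dr-house"));
    }
}
```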
43. ACL Support
Spring Security supports Access Control Lists
Fine-grained permissions per secured item
Check before / after accessing item
Declaratively or programmatically
Not needed for most applications
44. Defining ACLs
Persisted in dedicated DB tables
Entity defined by type and ID
Access to entity per-user or per-authority
Access permissions defined by int bitmask
read, write, delete, etc.
granting or denying
45. Checking ACLs
Check performed against instance or type+id
Multiple options for permission checks
Using SpEL expressions is easy
@PreAuthorize("hasPermission(#contact, 'delete') or "
            + "hasPermission(#contact, 'admin')")
void delete(Contact contact);

@PreAuthorize("hasPermission(#id, 'sample.Contact', 'read') or "
            + "hasPermission(#id, 'sample.Contact', 'admin')")
Contact getById(Long id);
47. Enforcing HTTPS
Can enforce HTTPS channel
Redirect when request uses plain HTTP
HTTPS is usually important
Even if your data isn’t
Attacker could insert malicious content
Might be better handled by load balancer
48. Limiting Concurrent Sessions
How many times can a single user be logged in at the same time?
Limit to max nr of sessions
Built-in support limited to single node
Supports multi-node through Spring Session
49. Password Hashing
Are you storing your own users and passwords?
Ensure appropriate hashing algorithm
BCrypt, PBKDF2 & SCrypt support built in
Don’t copy old blogs showing MD5/SHA + Salt!
50. CORS
Cross-Origin Resource Sharing
Relaxes same-origin policy
Allow JS communication with other servers
Server must allow origin, sent in request header
Preflight request used to check access:
must be handled before Spring Security!
51. Enabling CORS Support
Spring-MVC has CORS support
For Spring Security, just configure filter
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .cors().and()
        // ... other config
No Spring-MVC?
Add CorsConfigurationSource bean
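The settings from slides 47 to 51 (HTTPS enforcement, concurrent session limit, password hashing, CORS) in one configuration class, as an added example that is not part of the deck. It assumes Spring Security 5.x with WebSecurityConfigurerAdapter as on the slides; the class name, the SPA origin and the "/api/**" path are assumptions.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class HardeningConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Slide 47: redirect plain-HTTP requests to HTTPS. Leave this to the load
            // balancer when it terminates TLS; otherwise it must forward X-Forwarded-Proto,
            // or every request looks like plain HTTP here and redirects forever.
            .requiresChannel()
                .anyRequest().requiresSecure()
                .and()
            // Slide 48: one active session per user; a second login is refused instead
            // of expiring the first. Single node only unless Spring Session supplies
            // the SessionRegistry.
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .and()
                .and()
            // Slides 50-51: the CORS filter runs before authorization, so preflight
            // OPTIONS requests are answered without reaching the access rules.
            .cors()
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }

    // Needed for concurrent session control to notice sessions ending.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // Slide 49: the delegating encoder hashes new passwords with BCrypt and still
    // verifies stored hashes prefixed {pbkdf2}, {scrypt}, ... during a migration.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Slide 51: without Spring MVC's own CORS setup, Spring Security uses this bean.
    // Weak setting to avoid: allowedOrigins("*") together with allowCredentials(true),
    // which would let any site make cookie-bearing requests to the API.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Hypothetical SPA origin: list exact origins when credentials are allowed.
        config.setAllowedOrigins(List.of("https://app.example.com"));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Content-Type", "X-XSRF-TOKEN"));
        config.setAllowCredentials(true);
        config.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}
```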
52. Conclusion
Spring Security handles security at all application layers
Combine to provide defense in depth
Understand your security framework
Become unhackable!
Or at least be able to blame someone else…
Editor's Notes
Browser-side, URL-based, Method-level, Data-level
No dependency on e.g. Spring-MVC
Login page should always be changed to your custom page
Requires proper Content-Type header in responses!
Token exposed through request attributes, adding it can be automated (JSP taglib, Thymeleaf)
Using Annotations & Spring Expression Language
@Pre-/PostAuthorize can be used as meta-annotations for easy DRY reuse