Javacro 2014 Spring Security 3 Speech
Securing web applications with Spring Security 3
Fernando Redondo Ramírez
@pronoide_fer
Roadmap
• Who am I?
• A brief introduction to Spring Security
• Hands on
• Furthermore
Brief Introduction to Spring Security
• Isn’t security within JEE a standard feature? Yes indeed, but:
• JEE Security ⇒ It’s constraint based
• JEE Security ⇒ It only defines a secured perimeter
• JEE Security ⇒ Its features depend on each App Server (Realms, SSO, Cipher, etc.)
• JEE Security ⇒ Secured JEE applications can’t easily move across different platforms or between server versions
• JEE Security ⇒ Complex to adapt to Web 2.0 or changing requirements
Brief Introduction to Spring Security
• Why use Spring Security then? Because:
• Spring Security ⇒ It’s grant based
• Spring Security ⇒ Both perimeter and hierarchical
• Spring Security ⇒ Features independent of the App Server
• Spring Security ⇒ Portable secured JEE applications
• Spring Security ⇒ Adaptable and versatile
Brief Introduction to Spring Security
• Architecture, and we are done!
Spring Security 3 internals
• SecurityContextHolder → SecurityContext → Authentication → GrantedAuthority
• Web Requests: Web/HTTP Security, Security filter chain
• Authentication: AuthenticationManager, AuthenticationProviders, UserDetailsService
• Authorization: AccessDecisionManager, Voters, AfterInvocationManager
• Business Methods: Business Object (Method) Security, Proxies/Security Interceptors
Your next mission
I need to put security within our FBI X-Files application!
Hands on! (Later at home)
Before starting, you have to…
1. Install git on your computer: http://git-scm.com/book/en/Getting-Started-Installing-Git
2. Download Spring Tool Suite 3.5: https://spring.io/tools/sts/all
3. Start Spring Tool Suite 3.5 (STS) and choose or create a workspace (remember to run it with a JDK)
4. Download http://pronoide.com/downloads/javacro2014-spring-security-xfiles.zip and unzip it into the workspace folder.
5. Pace yourself! It’s all quite straightforward…
FBI X Files webapp
Import the webapp (File/Import/Git/Project from Git)
FBI X Files webapp
Run the webapp!
Stage: Setup Spring Security in webapp
i. Set up an interceptor filter for all web requests
Stage: Setup Spring Security in webapp
ii. Create a new Spring bean configuration file with the minimal config and load it through a web.xml context parameter
Stage: Setup Spring Security in webapp
iii. Explicitly configure login / logout procedures
iv. Fix issues with resources, images and CSS files
FBI X Files webapp
Stage: Setup Spring Security in webapp
v. Encrypt users’ passwords via the Spring Security Crypto Module
• Encode passwords
• Configure the algorithm and salt field, then use the encoded passwords within the security config file
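As an added example of what stage v needs (not code from the slides or the workshop project), the class below hashes passwords with the Crypto Module's BCryptPasswordEncoder and checks a login attempt against the stored hash. It assumes spring-security-crypto 3.1 or later on the classpath; the password value is a constructed sample. Note that the module hashes rather than encrypts: a stored value cannot be turned back into the password, which is the property a credential store wants.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example, not the workshop's own code: password hashing with the
 * Spring Security Crypto Module (assumes spring-security-crypto 3.1+).
 */
public class PasswordHashingDemo {

    // Work factor 10 is BCrypt's default; raise it as hardware gets faster,
    // old hashes keep working because the factor is stored inside the hash.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(10);

    /** Value to store in the user table at registration time (never the raw password). */
    public static String hashForStorage(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Login-time check: the submitted password against the stored hash. */
    public static boolean passwordMatches(String rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    public static void main(String[] args) {
        // Constructed sample credential for the demo user.
        String stored = hashForStorage("trustno1");
        System.out.println("stored hash: " + stored);
        System.out.println("right password accepted: " + passwordMatches("trustno1", stored));
        System.out.println("wrong case rejected:     " + !passwordMatches("TrustNo1", stored));
        // BCrypt salts every call, so a second hash of the same password is a different string.
        System.out.println("second hash differs:     " + !stored.equals(hashForStorage("trustno1")));
    }
}
```

BCrypt generates a fresh random salt per call and stores it inside the hash string, so two encodings of the same password differ and matches() succeeds for both. The slide's "algorithm and salt field" wording corresponds to the older namespace form, <password-encoder hash="sha-256"> with a <salt-source user-property="username"/> child, which reuses a user attribute as salt. To use the encoder above from the security config, declare it as a bean and reference it with <password-encoder ref="..."/> inside <authentication-provider>.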
Stage: Setup Spring Security in webapp
vi. Add the Remember Me feature to the users’ login process
Stage: Setup Spring Security in webapp
vii. Secure the transport channel (HTTPS)
• Set up constraints and ports
• Configure the Tomcat server (create an SSL connector)
Stage: Setup Spring Security in webapp
viii. Session expiration control
ix. Session concurrency control
Stage: Setup Spring Security in webapp
x. JSP tag library usage (Spring Security Taglibs)
Stage: Setup Spring Security in webapp
xi. SpEL usage to protect URLs (Spring Expression Language)
xii. SpEL usage with Spring security taglib
What have you done!
Is there only security in the web resources access? Is that the very best you can make it?
Try this URL and watch what happens:
https://localhost:8443/fbi/xfiles/declassify?id=0
Stage: Setup Spring Security in business methods
xii. Secure business method invocations through Spring Security annotations
Stage: Setup Spring Security in business methods
xiii. Secure business method invocations through AspectJ pointcuts
Stage: Setup Spring Security in business methods
xiv. Secure business method invocations through SpEL (Pre Invocation)
Much better! But…
What are you doing viewing files that aren’t yours?
How come you are able to access your sister’s files?
And why are you accessing at this time of the day?
Stage: Setup Spring Security in a hierarchical way
xv. Secure business method invocations through SpEL (Post Invocation)
xvi. Secure business method invocations through SpEL (Result Filtering)
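The declassify URL taunt above and stages xii, xiv, xv and xvi come together in this added example (not the workshop's own code): one hypothetical service whose rules live on the methods, not on the URLs. XFile, XFileService, the user names and the roles ROLE_AGENT / ROLE_DIRECTOR are assumptions, and the sample files are constructed. The annotations take effect once <global-method-security pre-post-annotations="enabled"/> is in the security configuration and the service is a Spring bean.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;

/**
 * Added example, not the workshop's own code: the three flavours of SpEL method
 * security from the slides on one hypothetical service. The application's real
 * classes are not shown in the deck, so XFile, XFileService and the role names
 * ROLE_AGENT / ROLE_DIRECTOR are assumptions.
 */
public class MethodSecurityDemo {

    /** Minimal domain object: an X-File owned by one agent. */
    public static class XFile {
        private final long id;
        private final String owner;      // username of the agent who owns the file
        private boolean classified = true;

        public XFile(long id, String owner) { this.id = id; this.owner = owner; }
        public long getId() { return id; }
        public String getOwner() { return owner; }           // read by the SpEL rules below
        public boolean isClassified() { return classified; }
        public void setClassified(boolean classified) { this.classified = classified; }
    }

    /** Rules sit on the interface so that the JDK proxies global-method-security creates see them. */
    public interface XFileService {

        // Pre invocation (xiv): checked before the body runs. The /xfiles/declassify?id=0
        // request from the earlier slide can no longer bypass the rule, because the
        // check is on the method itself, whatever URL reached it.
        @PreAuthorize("hasRole('ROLE_DIRECTOR')")
        void declassify(long id);

        // Post invocation (xv): the body runs, then the returned object is compared with
        // the caller. An agent asking for a sibling's file gets an AccessDeniedException.
        @PostAuthorize("returnObject == null or returnObject.owner == principal.username or hasRole('ROLE_DIRECTOR')")
        XFile find(long id);

        // Result filtering (xvi): entries that fail the expression are removed from the list.
        @PostFilter("filterObject.owner == principal.username or hasRole('ROLE_DIRECTOR')")
        List<XFile> findAll();
    }

    /** In-memory implementation with constructed sample data; no database behind it. */
    public static class InMemoryXFileService implements XFileService {
        private final Map<Long, XFile> files = new HashMap<Long, XFile>();

        public InMemoryXFileService() {
            files.put(1L, new XFile(1L, "fox"));
            files.put(2L, new XFile(2L, "dana"));
            files.put(3L, new XFile(3L, "fox"));
        }

        public void declassify(long id) {
            XFile file = files.get(id);
            if (file == null) {
                throw new IllegalArgumentException("no X-File with id " + id);
            }
            file.setClassified(false);
        }

        public XFile find(long id) {
            return files.get(id);
        }

        public List<XFile> findAll() {
            // @PostFilter needs a mutable list: it removes the entries the caller may not see.
            return new ArrayList<XFile>(files.values());
        }
    }
}
```

With this in place an agent logged in as "fox" sees files 1 and 3 from findAll(), is refused file 2 by find(2), and cannot call declassify() at all; the same rules apply whether the call came from a controller, a scheduled job or a JSP. Stage xiii expresses the same declassify rule without touching the class, through a <protect-pointcut expression="execution(* *..XFileService.declassify(..))" access="ROLE_DIRECTOR"/> element inside <global-method-security>.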
Stage: Setup Spring Security in a hierarchical way
xvii. Customization of access voters
• Code a new voter
Stage: Setup Spring Security in a hierarchical way
xviii. Customization of access voters (continued)
• Dismiss Spring Security auto-config and reveal the actual config
• Customize the Access Decision Manager behavior
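An added example of the custom voter stages xvii and xviii ask for, not the voter from the workshop: it answers the "why are you accessing at this time of the day?" question by denying access outside a configurable time window. The BUSINESS_HOURS attribute name and the hours are assumptions; the voter abstains whenever that attribute is absent, so it composes with the standard RoleVoter and AuthenticatedVoter.

```java
import java.util.Calendar;
import java.util.Collection;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;

/**
 * Added example, not the workshop's voter: denies access outside business hours.
 * It only votes when the secured resource carries the BUSINESS_HOURS attribute
 * and abstains otherwise, so it can sit next to RoleVoter and AuthenticatedVoter.
 */
public class BusinessHoursVoter implements AccessDecisionVoter<Object> {

    /** Config attribute that switches this voter on, e.g. access="ROLE_AGENT,BUSINESS_HOURS". */
    public static final String ATTRIBUTE = "BUSINESS_HOURS";

    private final int openingHour;   // inclusive, 24-hour clock
    private final int closingHour;   // exclusive

    public BusinessHoursVoter(int openingHour, int closingHour) {
        if (openingHour < 0 || closingHour > 24 || openingHour >= closingHour) {
            throw new IllegalArgumentException("invalid business hours " + openingHour + "-" + closingHour);
        }
        this.openingHour = openingHour;
        this.closingHour = closingHour;
    }

    public boolean supports(ConfigAttribute attribute) {
        // getAttribute() is null for expression attributes; equals() handles that.
        return attribute != null && ATTRIBUTE.equals(attribute.getAttribute());
    }

    public boolean supports(Class<?> clazz) {
        return true;   // web requests (FilterInvocation) and method calls (MethodInvocation) alike
    }

    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        for (ConfigAttribute attribute : attributes) {
            if (supports(attribute)) {
                int hour = Calendar.getInstance().get(Calendar.HOUR_OF_DAY);
                return isOpenAt(hour) ? ACCESS_GRANTED : ACCESS_DENIED;
            }
        }
        return ACCESS_ABSTAIN;   // not our attribute: let the other voters decide
    }

    /** Pure time-window test, kept apart from Calendar so it can be unit-tested. */
    public boolean isOpenAt(int hourOfDay) {
        return hourOfDay >= openingHour && hourOfDay < closingHour;
    }
}
```

Wiring the voter is where stage xviii's "customize the Access Decision Manager" comes in. The auto-configured manager is AffirmativeBased, which grants as soon as any voter grants; with access="ROLE_AGENT,BUSINESS_HOURS" the RoleVoter's grant would outvote this voter's denial. Declare an org.springframework.security.access.vote.UnanimousBased bean whose constructor list holds RoleVoter, AuthenticatedVoter and BusinessHoursVoter, and point <http access-decision-manager-ref="..."> (or <global-method-security access-decision-manager-ref="...">) at it: unanimous means every voter that does not abstain must grant. This attribute style applies to plain role lists; with use-expressions="true" the attributes are SpEL and are handled by the expression voters instead.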
Stage: Spring Security Extras
xix. Customization of security filter chain (Example A)
• Create custom filter
• Place it within the filter chain
Stage: Spring Security Extras
xx. Customization of security filter chain (Example B)
• Create custom filter
• Place it within the filter chain
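For stages xix and xx, an added example of a filter that can be dropped into the chain (not one of the two filters from the workshop): it writes one audit line per request with the principal the chain resolved and the status it answered with. The class name, bean name and the exact log format are assumptions; HttpServletResponse.getStatus() requires Servlet 3.0 (Tomcat 7 or later).

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Added example, not one of the workshop's filters: an audit filter that records
 * which principal asked for which URL and what status the chain answered with.
 * OncePerRequestFilter guarantees a single execution per request, even across forwards.
 */
public class AuditLogFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Placed after SECURITY_CONTEXT_FILTER, the context already holds the session's
        // Authentication; for a request that is not logged in yet it is still null.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String principal = describe(auth);
        try {
            chain.doFilter(request, response);
        } finally {
            // Downstream, ExceptionTranslationFilter has already turned an AccessDeniedException
            // into a 403 (or a redirect to the login page), so the final status is visible here.
            // 'logger' is the commons-logging Log that GenericFilterBean provides.
            logger.info(auditLine(principal, request.getMethod(), request.getRequestURI(),
                                  request.getRemoteAddr(), response.getStatus()));
        }
    }

    /** Name to audit: the authenticated user, or a fixed marker when nobody is logged in. */
    static String describe(Authentication auth) {
        return (auth == null || auth.getName() == null) ? "<unauthenticated>" : auth.getName();
    }

    /** One fixed-shape line per request, easy to grep or to ship to a SIEM. */
    static String auditLine(String principal, String method, String uri, String remoteAddr, int status) {
        return "audit principal=" + principal + " method=" + method + " uri=" + uri
                + " from=" + remoteAddr + " status=" + status;
    }
}
```

Placing it is the second bullet of the stage: declare the class as a bean (for instance <beans:bean id="auditLogFilter" class="...AuditLogFilter"/>) and add <custom-filter after="SECURITY_CONTEXT_FILTER" ref="auditLogFilter"/> inside <http>. The filter must not also be mapped in web.xml; it runs inside springSecurityFilterChain, which is the single filter web.xml knows about.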
The smoking man
All of these features about Spring Security are pretty fine, but I can always leverage a Java2 attack:
<%System.exit(0);%>
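Spring Security decides who may call what; it cannot stop code that is already inside the web application from calling System.exit. The boundary the smoking man points at is Java 2 security, the SecurityManager and its policy file. As an added example, not from the slides, the class below shows the check that closes this particular hole; it assumes a JVM of the talk's era (Java 7 or 8), where a SecurityManager can be installed without extra flags.

```java
import java.security.Permission;

/**
 * Added example, not from the slides: a SecurityManager that refuses JVM shutdown
 * requests from application code, which is what a scriptlet calling System.exit relies on.
 */
public class NoExitSecurityManager extends SecurityManager {

    @Override
    public void checkExit(int status) {
        // Runtime.exit consults this before halting the JVM; throwing here cancels the exit.
        throw new SecurityException("System.exit(" + status + ") is not allowed from application code");
    }

    @Override
    public void checkPermission(Permission perm) {
        // Permit everything else so the demo runs without a policy file.
        // A real deployment grants each web application only what it needs.
    }

    /** Installs the manager, attempts an exit and reports whether it was blocked. */
    public static boolean exitIsBlocked() {
        SecurityManager previous = System.getSecurityManager();
        System.setSecurityManager(new NoExitSecurityManager());
        try {
            System.exit(0);
            return false;   // not reached: the manager throws before the JVM halts
        } catch (SecurityException e) {
            return true;
        } finally {
            System.setSecurityManager(previous);
        }
    }

    public static void main(String[] args) {
        System.out.println("exit blocked: " + exitIsBlocked());
    }
}
```

In Tomcat the equivalent is starting with catalina.sh run -security, so that conf/catalina.policy governs what each web application may do; the scriptlet then fails with a SecurityException instead of stopping the server. On Java 18 and later the SecurityManager is deprecated for removal and can only be installed with -Djava.security.manager=allow, so newer deployments rely on other isolation (reviewing what goes into the WAR, separate containers) for this threat.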
Beyond this talk
• Explicit rather than implicit configs
• ACL management
• Authentication with DataSources, LDAP, X509, OpenID, JEE, etc.
• Captcha
• Single Sign On
• Java Config
“… in most of my work, the laws of physics rarely seem to apply.”
Fox Mulder, 1x01 "Pilot"
Whoami
• Entrepreneur and Business Manager at Pronoide since 2003
• Java & Friends Trainer (JEE, Spring, Groovy, Maven, Jenkins, Sonar, Weblogic, JBoss, WebSphere, Disco Dancing and so on)
• Doing things with Java from 1999 on
• Computer Engineer
• Happily married and proud father of two children
• I used to want to be a physics scientist and I really do love the X-Files series
Appendix: Hands on (Later at home)!
Navigate along the project code with git presenter
1. Install JRuby or Ruby
http://jruby.org/getting-started
https://www.ruby-lang.org/en/installation/
2. Install git presenter (gem install git_presenter)
3. When the code is ready, use the "git-presenter init" command to initialize
4. Once it is initialized you can start the presentation with "git-presenter start"
5. Then use the following commands to navigate the presentation:
• next/n: move to the next slide (commit)
• back/b: move to the previous slide (commit)
• end/e: move to the end of the presentation
• start/s: move to the start of the presentation
• list/l: list the slides in the presentation
• help/h: display this message

Javacro 2014 Spring Security 3 Speech

  • 1. Securing web applications with Spring Security 3 Fernando Redondo Ramírez @pronoide_fer
  • 2. Roadmap • Who am I? • A brief introduction to Spring Security • Hands on • Furthermore
  • 3. Roadmap • Who am I? • A brief introduction to Spring Security • Hands on • Furthermore
  • 4. Brief Introduction to Spring Security • Isn’t Security within JEE a standard feature? Yes indeed, but: • JEE Security ⇒ It’s constraint based • JEE Security ⇒ It only defines a secured perimeter • JEE Security ⇒ its features are depending on each App Server (Realms, SSO, Cipher, etc) • JEE Security ⇒ Secured JEE Applications can’t easily move across different platforms or between server versions • JEE Security ⇒ Complex to adapt to Web 2.0 or changing requirements
  • 5. Brief Introduction to Spring Security • Why use Spring Security then? because: • Spring Security ⇒ It’s granted based • Spring Security ⇒ Both perimeter and hierarchical • Spring Security ⇒ Features independent of the App Server • Spring Security ⇒ Transportable Secured JEE Applications • Spring Security ⇒ Adaptable and versatile
  • 6. Brief Introduction to Spring Security • Architecture and we are done! Spring Security 3 internals: • SecurityContextHolder → SecurityContext → Authentication → GrantedAuthority • Web requests → Web/HTTP security: security filter chain • Authentication: AuthenticationManager → AuthenticationProviders → UserDetailsService • Authorization: AccessDecisionManager → Voters; AfterInvocationManager • Business methods → Business object (method) security: proxies / security interceptors
  • 7. Your next mission I need to put security within our FBI X-Files application!
  • 8. Hands on! (Later at home) Before starting, you have to… 1. Install git on your computer http://git-scm.com/book/en/Getting-Started-Installing-Git 2. Download Spring Tool Suite 3.5 https://spring.io/tools/sts/all 3. Start Spring Tool Suite 3.5 (STS) and choose or create a workspace (remember to run it with a JDK) 4. Download http://pronoide.com/downloads/javacro2014- spring-security-xfiles.zip and unzip it into the workspace folder. 5. Pace yourself! It’s all quite straightforward…
  • 9. FBI X Files webapp Import webapp (File/Import/Git/Projects from Git)
  • 10. FBI X Files webapp Run webapp!
  • 11. Stage: Setup Spring Security in webapp i. Set up an interceptor filter for all web requests (the springSecurityFilterChain DelegatingFilterProxy mapped to /* in web.xml)
  • 12. Stage: Setup Spring Security in webapp ii. Create a new Spring bean configuration file with the minimum security config and load it through the web.xml contextConfigLocation context parameter
  • 13. Stage: Setup Spring Security in webapp iii. Explicitly configure the login / logout procedures iv. Fix issues with resources, images and CSS files (static content must not be redirected to the login page)
  • 14. FBI X Files webapp
  • 15. Stage: Setup Spring Security in webapp v. Hash (not encrypt) users’ passwords via the Spring Security Crypto Module • Encode the passwords • Configure the algorithm and salt field, then use the encoded passwords within the security config file
  • 16. Stage: Setup Spring Security in webapp vi. Add Remember Me feature to users login process
  • 17. Stage: Setup Spring Security in webapp vii. Secure the transport channel (HTTPS) • Set up channel constraints and port mappings • Configure the Tomcat server (create an SSL connector)
  • 18. Stage: Setup Spring Security in webapp viii. Session expiration control ix. Session concurrency control
  • 19. Stage: Setup Spring Security in webapp x. JSP tag library usage (Spring Security Taglibs)
  • 20. Stage: Setup Spring Security in webapp xi. SpEL usage to protect URLs (Spring Expression Language) xii. SpEL usage with Spring security taglib
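Stages i to xii above are one procedure, so here is one complete configuration covering them. This is an added example, not the workshop's own code: the hands-on uses the XML namespace (web.xml plus a security context file), while this is the equivalent Spring Security 3.2 Java config (slide 32 lists Java config as beyond the talk). The package name, URL paths, user names, clear-text demo passwords and remember-me key are assumptions. One deliberate swap: instead of the "algorithm and salt field" style encoder of stage v, it uses the crypto module's BCryptPasswordEncoder, which stores a per-user salt and a tunable work factor inside the hash itself.

```java
// --- SecurityInitializer.java: stage i, registers springSecurityFilterChain for every request ---
package com.pronoide.xfiles.config;   // hypothetical package

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {
    // stage ix: concurrency control only works if session create/destroy events reach the session registry
    @Override
    protected boolean enableHttpSessionEventPublisher() {
        return true;
    }
}

// --- SecurityConfig.java: stages ii to xii ---
package com.pronoide.xfiles.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // iv: static resources bypass the filter chain entirely (no session creation, no redirect to /login)
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/resources/**", "/images/**", "/css/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // xi: expression rules; most specific pattern first, catch-all last
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")   // Java config adds the ROLE_ prefix here
                .anyRequest().authenticated()
                .and()
            // iii: explicit login / logout instead of the auto-generated page
            .formLogin()
                .loginPage("/login").defaultSuccessUrl("/xfiles").failureUrl("/login?error")
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/logout").logoutSuccessUrl("/login?logout")   // POST only: CSRF protection is on by default
                .invalidateHttpSession(true).deleteCookies("JSESSIONID")
                .and()
            // vi: remember-me; the key signs the cookie, so keep it secret and unique per deployment
            .rememberMe().key("change-me-xfiles-remember-me-key").tokenValiditySeconds(14 * 24 * 3600)
                .and()
            // vii: every request must arrive over HTTPS; the port mapper tells the redirect where 8080 goes
            .requiresChannel().anyRequest().requiresSecure()
                .and()
            .portMapper().http(8080).mapsTo(8443)
                .and()
            // viii: invalid-session handling and fixation protection; ix: at most one session per user
            .sessionManagement()
                .invalidSessionUrl("/login?expired")
                .sessionFixation().migrateSession()
                .maximumSessions(1).expiredUrl("/login?concurrent");
    }

    // v: demo users; in a real deployment store the bcrypt hash, never call encode() on a literal like this
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("mulder").password(passwordEncoder().encode("trustno1")).roles("AGENT")
            .and()
            .withUser("skinner").password(passwordEncoder().encode("assistant-director")).roles("AGENT", "ADMIN");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(10);   // work factor 10; raise it as hardware gets faster
    }
}
```

Stage x (the taglib) then reads the same context from a JSP: declare `<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>` and use `<sec:authorize access="hasRole('ROLE_ADMIN')">…</sec:authorize>` and `<sec:authentication property="principal.username"/>`; note that SpEL in the taglib and in annotations needs the full `ROLE_` name in Spring Security 3, unlike `hasRole("ADMIN")` in the Java config above.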
  • 21. What have you done?! Is security only enforced on web resource access? Is that the very best you can do? Try this URL and watch what happens: https://localhost:8443/fbi/xfiles/declassify?id=0 (a URL rule only decides who may reach a path; the business method behind it runs for whoever gets there, which is what the next stage fixes)
  • 22. Stage: Setup Spring Security in business methods xii. Secure business method invocations through Spring Security annotations
  • 23. Stage: Setup Spring Security in business methods xiii. Secure business method invocations through AspectJ pointcuts
  • 24. Stage: Setup Spring Security in business methods xiv. Secure business method invocations through SpEL (pre-invocation)
  • 25. Much better! But… What are you doing viewing files that aren’t yours? How come you are able to access your sister’s files? And why are you accessing them at this time of the day?
  • 26. Stage: Setup Spring Security in an hierarchical way xv. Secure business method invocations thru SpEL (Post Invocation) xvi. Secure business method invocations thru SpEL (Result Filtering)
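The method-security stages xii and xiv to xvi (slides 22, 24 and 26) on one service, as an added example that is not the workshop's code. It assumes Spring Security 3.2 Java config, a hypothetical package, an in-memory `XFile` domain object with an `owner` property, and constructed sample data; the `@P("id")` annotation is there because `#id` in SpEL is resolved by parameter name, which is only available from debug info or such an annotation. Stage xiii (AspectJ pointcuts) is omitted since it is the same interceptor driven by a `<protect-pointcut>` expression instead of annotations.

```java
// --- MethodSecurityConfig.java ---
package com.pronoide.xfiles.service;   // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

/** Wraps every Spring bean carrying the annotations below in a security interceptor (CGLIB: the service has no interface). */
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig {
}

// --- XFileService.java ---
package com.pronoide.xfiles.service;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

/** Domain object; 'owner' is the property the post-invocation rules compare with the caller. */
class XFile {
    private final long id;
    private final String owner;
    private boolean classified = true;

    XFile(long id, String owner) {
        this.id = id;
        this.owner = owner;
    }
    public long getId() { return id; }
    public String getOwner() { return owner; }          // read by SpEL as returnObject.owner / filterObject.owner
    public boolean isClassified() { return classified; }
    void declassify() { classified = false; }
}

@Service
public class XFileService {
    // constructed sample data: file 0 belongs to the assistant director, the others to two agents
    private final List<XFile> files = new ArrayList<XFile>(Arrays.asList(
            new XFile(0, "skinner"), new XFile(1, "mulder"), new XFile(2, "scully")));

    // xii: plain role check before the call; this is what /xfiles/declassify?id=0 was missing
    @Secured("ROLE_ADMIN")
    public void declassify(long id) {
        find(id).declassify();
    }

    // xiv: pre-invocation SpEL; in Spring Security 3 hasRole() needs the full ROLE_ name
    @PreAuthorize("hasRole('ROLE_AGENT') and #id >= 0")
    public XFile load(@P("id") long id) {
        return find(id);
    }

    // xv: post-invocation SpEL; the method runs, then the result is checked and withheld on failure
    @PostAuthorize("returnObject.owner == authentication.name or hasRole('ROLE_ADMIN')")
    public XFile loadOwn(@P("id") long id) {
        return find(id);
    }

    // xvi: result filtering; elements failing the expression are removed from the returned collection.
    // Return a copy: @PostFilter mutates the collection it is handed, and the field must not shrink.
    @PostFilter("filterObject.owner == authentication.name")
    public List<XFile> listFiles() {
        return new ArrayList<XFile>(files);
    }

    private XFile find(long id) {
        for (XFile f : files) {
            if (f.getId() == id) {
                return f;
            }
        }
        throw new IllegalArgumentException("no such file: " + id);
    }
}
```

Two checks worth doing when wiring this up: call the service only through the Spring-managed proxy (a `new XFileService()` or a call from one method of the service to another bypasses the interceptor entirely), and put exactly one of `@Secured` or `@PreAuthorize` on a method, because the metadata source uses the first annotation type it finds and silently ignores the other.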
  • 27. Stage: Setup Spring Security in an hierarchical way xvii. Customization of access voters • Code a new voter
  • 28. Stage: Setup Spring Security in an hierarchical way xviii. Customization of access voters (continuation) • Drop the Spring Security auto-config and spell out the actual configuration it generated • Customize the AccessDecisionManager behaviour
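Stages xvii and xviii together, as an added example that is not the workshop's code: the "why are you accessing at this time of the day?" question from slide 25 answered with a custom voter, and the decision manager the auto-config would otherwise build replaced by one that lets that voter veto. It assumes Spring Security 3.2 (the `GlobalMethodSecurityConfiguration` hook is the Java-config counterpart of replacing the namespace auto-config), a hypothetical package and the office hours 08:00 to 20:00.

```java
package com.pronoide.xfiles.security;   // hypothetical package

import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice;
import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;

/** Votes only on the OFFICE_HOURS attribute: grants inside the window, denies outside, abstains on anything else. */
public class OfficeHoursVoter implements AccessDecisionVoter<Object> {
    public static final String ATTRIBUTE = "OFFICE_HOURS";
    private final int openHour;
    private final int closeHour;

    public OfficeHoursVoter(int openHour, int closeHour) {
        this.openHour = openHour;
        this.closeHour = closeHour;
    }

    public boolean supports(ConfigAttribute attribute) {
        return ATTRIBUTE.equals(attribute.getAttribute());
    }

    public boolean supports(Class<?> clazz) {
        return true;   // any secured object: a method invocation or a web request
    }

    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        for (ConfigAttribute attribute : attributes) {
            if (supports(attribute)) {
                return isOpen(Calendar.getInstance()) ? ACCESS_GRANTED : ACCESS_DENIED;
            }
        }
        return ACCESS_ABSTAIN;   // not our attribute: leave the decision to the other voters
    }

    boolean isOpen(Calendar now) {
        int hour = now.get(Calendar.HOUR_OF_DAY);
        return hour >= openHour && hour < closeHour;
    }
}

/** Replaces the generated AffirmativeBased manager with a UnanimousBased one holding the custom voter. */
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
class VotingMethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected AccessDecisionManager accessDecisionManager() {
        ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice();
        expressionAdvice.setExpressionHandler(getExpressionHandler());

        List<AccessDecisionVoter<? extends Object>> voters = new ArrayList<AccessDecisionVoter<? extends Object>>();
        voters.add(new PreInvocationAuthorizationAdviceVoter(expressionAdvice));   // @PreAuthorize expressions
        voters.add(new RoleVoter());                                              // ROLE_* attributes
        voters.add(new AuthenticatedVoter());                                     // IS_AUTHENTICATED_* attributes
        voters.add(new OfficeHoursVoter(8, 20));
        // UnanimousBased: one ACCESS_DENIED wins. With the default AffirmativeBased the RoleVoter's
        // grant on ROLE_AGENT would outvote the office-hours denial and the new voter would change nothing.
        return new UnanimousBased(voters);
    }
}
```

A method then opts in with `@Secured({"ROLE_AGENT", OfficeHoursVoter.ATTRIBUTE})`; RoleVoter and OfficeHoursVoter each decide their own attribute and abstain on the other's, and the unanimous manager denies if either says no. The voter takes a `Calendar` in `isOpen()` so the boundary hours can be checked in a unit test without waiting for the clock.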
  • 29. Stage: Spring Security Extras xix. Customization of security filter chain (Example A) • Create custom filter • Place it within the filter chain
  • 30. Stage: Spring Security Extras xx. Customization of security filter chain (Example B) • Create custom filter • Place it within the filter chain
  • 31. The smoking man: All of these Spring Security features are pretty fine, but I can always leverage a Java 2 security attack: <%System.exit(0);%> (a scriptlet like this runs inside the JVM with the container’s permissions; Spring Security filters HTTP requests and method calls, it does not sandbox code, so only a JVM SecurityManager policy, that is Java 2 security, stops it)
  • 32. Beyond this talk • Not implicit but explicit configs • ACL management • Authentication with DataSources, LDAP, X509, OpenID, JEE, etc. • Captcha • Single Sign-On • Java Config “… in most of my work, the laws of physics rarely seem to apply.” Fox Mulder 1x01 "Pilot"
  • 33. Whoami • Entrepreneur and Business Manager at Pronoide since 2003 • Java & Friends Trainer (JEE, Spring, Groovy, Maven, Jenkins, Sonar, Weblogic, Jboss, Websphere, Disco Dancing and so on) • Doing things with Java from 1999 on • Computer Engineer • Happily married and proud father of two children • I used to want to be a physics scientist and I really do love the X-Files series
  • 34. Appendix: Hands on (Later at home)! Navigate along the project code with git presenter 1. Install jruby or ruby http://jruby.org/getting-started https://www.ruby-lang.org/en/installation/ 2. Install git presenter (gem install git_presenter) 3. When the code is ready use the "git-presenter init" command to initialize 4. Once it is initialized you can start the presentation with "git-presenter start" 5. Then use the following commands to navigate the presentation • next/n: move to the next slide (commit) • back/b: move to the previous slide (commit) • end/e: move to the end of the presentation • start/s: move to the start of the presentation • list/l: list slides in the presentation • help/h: display this message