10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019
0 likes195 views
This document contains code snippets in Java and JavaScript that demonstrate how to: 1. Configure Spring Security to require HTTPS 2. Upload images to AWS S3 from a Node.js Lambda function using the AWS SDK 3. Define dependencies for the AWS SDK and node-fetch library
![@Value("${password}")
char[] password;](https://image.slidesharecdn.com/10excellentwaystosecureyourspringbootapplication-devoxxmorocco2019-191113170348/85/10-Excellent-Ways-to-Secure-Your-Spring-Boot-Application-Devoxx-Morocco-2019-54-320.jpg)
![Printing String password -> password
Printing char[] password -> [C@6e8cf4c6](https://image.slidesharecdn.com/10excellentwaystosecureyourspringbootapplication-devoxxmorocco2019-191113170348/85/10-Excellent-Ways-to-Secure-Your-Spring-Boot-Application-Devoxx-Morocco-2019-55-320.jpg)
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019
- 1. ��
- 6. @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); } }
- 7. @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel() .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null) .requiresSecure(); } }
- 13. 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); };
- 14. 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
- 15. 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
- 16. 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 😱 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
- 22. 23
- 23. npm i -g npm-check-updates ncu
- 27. @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse()); } }
- 30. Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block
- 31. @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.headers() .contentSecurityPolicy("script-src 'self' " + "https://trustedscripts.example.com; " + "object-src https://trustedplugins.example.com; " + "report-uri /csp-report-endpoint/"); } }
- 37. spring: security: oauth2: client: registration: okta: client-id: {clientId} client-secret: {clientSecret} provider: okta: issuer-uri: https://{yourOktaDomain}/oauth2/default
- 38. @Grab('spring-boot-starter-oauth2-client') @RestController class Application { @GetMapping('/') String home(java.security.Principal user) { 'Hello ' + user.name } }
- 39. okta: oauth2: issuer: https://{yourOktaDomain}/oauth2/default client-id: {yourClientId} client-secret: {yourClientSecret} <dependency> <groupId>com.okta.spring</groupId> <artifactId>okta-spring-boot-starter</artifactId> <version>1.3.0</version> </dependency>
- 41. 🎉
- 44. hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
- 45. hash("TSD0") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD1") = 98eadd540e6c0579a1bcbe375c8d1ae2863beacdfb9af803e5f4d6dd1f8926c2 hash("TSD2") = 665ec59d7fb01f6070622780e744040239f0aaa993eae1d088bc4f0137d270ef hash("TSD3") = 7ae89eb10a765ec2459bee59ed1d3ed97dbb9f31ec5c7bd13d19380bc39f5288
- 46. hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("123") != 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
- 47. @Bean public PasswordEncoder passwordEncoder() { return new SCryptPasswordEncoder(); }
- 48. @Autowired private PasswordEncoder passwordEncoder; public String hashPassword(String password) { return passwordEncoder.encode(password); }
- 49. 🐓
- 55. Printing String password -> password Printing char[] password -> [C@6e8cf4c6
- 64. 👌
- 65. 68