SlideShare a Scribd company logo

Building layers of defense for your application

VMware Tanzu, profile picture
VMware Tanzu

This document discusses building layers of defense for applications using the Spring Security framework. It begins with an introduction to authentication and authorization. It then discusses the layers of defense for a web application and provides an overview of Spring Security, how it works, and how to integrate it. The document outlines common security threats and how Spring Security protects against them. It also covers topics like basic authentication, JWT, OAuth, OpenID Connect, and content security policy. Code examples are provided to demonstrate concepts like CSRF protection, HTTP verb tampering prevention, and session fixation.

Software
1 of 68
Downloaded 28 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
Building Layers of Defense for Your Application Using Spring Security Framework Neha Sardana
About Me ● Software Developer ● Fellow JUG Leader at Garden State Java User Group, NJ and New York Java SIG, NY ● Building Spring based applications for almost 10 years ● Love to travel, practice yoga and watch cricket ● Github : nsardana-bny ● linkedin.com/in/nehasardana9786/ ● Twitter: @nehasardana09, Medium: @neha-nsit 2
Agenda ● Authentication and Authorization ● Layers of defense for a web app ● Spring Security - The 5Ws ● Common Security Threats ● Protection against threats ● Basic Authentication ● JWT, OAuth and OpenID Connect ● Code! ● Principles of Application Security 3
Pre-requisites ● Java ● Spring Framework ● Maven 4
What is Security? 5
Authentication ● Authentication is about validating your credentials like User Name/User ID and password to verify your identity. ● The system determines whether you are what you say you are using your credentials. 6
Authorization ● Authorization is the process to determine whether the authenticated user has access to particular resources. ● It verifies your rights to grant you access to resources such as information, databases, files, etc. ● Authorization usually comes after authentication which confirms your privileges to perform. 7
Layers of defense for a web app 8 ● Network Firewall ● Login Page ● Security Questions ● Authentication or Multi-factor Authentication ● Hashing and/or Salting ● Authorization Don’t give very specific error message to the user!!! EVER!
Introducing Spring Security Framework 9
10
What is Spring Security? ● Spring Security is a powerful and highly customizable authentication and access-control framework for Java based applications. ● It is the de-facto standard for securing Spring-based applications. ● Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements 11
Why Use Spring Security? ● Easy Integration with Spring Boot ● Supported by large Open Source Community ● Authentication/Authorization (Out of the box) ● Application layer framework (not tied to a particular web server) ● Loosely Coupled ● Filter Entry point/Servlet ● Multiple authentication models ● Protects from Common Security Threats! 12
Why use Spring Security? ● Due to increased adoption of frameworks like Spring Security, many of the previously common exploits such as: Cross Site Request Forgery and Clickjacking and many others are no longer on OWASP (Open Web Application Security Project) top 10. 13
How Spring Security integrates 14
15
How to use Spring Security in your application 16
17 Add below code to your pom.xml in Spring Boot Project
How Spring Security Works 18
19
● To enable Spring Security, you have to register Spring Security Filter, also known as, DelegatingFilterProxy, with your servlet container. ● DelegatingFilterProxy will forward all requests to other Spring Security Filters to perform Authentication or Authorization checks. ● Two important things to kick start your security framework: Dispatcher Servlet & Delegating Proxy Filter. 20 How Spring Security Works
21
Filter Interface 22
Filter Interface ● Init() - Called by the web container to indicate to a filter that it is being placed into service. ● destroy() - Called by the web container to indicate to a filter that it is being taken out of service. ● doFilter() - The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. ● The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain. 23
FilterChainProxy & Security Filter Chain ● DelegatingFilterProxy delegates the request to FilterChainProxy (FCP) which in turn delegates to another object SecurityFilterChain (SFC). ● SFC is a wrapper around collection of Spring Filters that performs actual security tasks. ● When a request comes, FCP iterates through SFC in order to find the one which matches with the request url. ● After the above step, the appropriate Filter is invoked to perform security tasks. ● The Order of SFC matters a lot! ● There are options to have multiple SFC in one application to have multiple types of authentication for different types of URLs. 24
SecurityFilterChain Interface 25
SecurityFilterChain Interface ● matches() - returns boolean to checks if the request matches the filter chain ● getFilters() - returns a list of security filters for the matched request 26
27
Authentication Flow 28
Authentication Flow ● Authentication Filter creates an “Authentication Request” and passes it to the Authentication Manager ● Authentication Manager delegates to the Authentication Provider ● Authentication Provider uses UserDetailsService to load the UserDetails and returns an “Authenticated Principal” ● Authentication Filter sets the Authentication in the SecurityContext 29
30 AuthenticationFilter Authentication Principal AuthenticationManager Authentication Providers Authentication Principal Security Context UserDetailsService generates authenticates delegates get UserDetails SecurityContextHolder adds
Authentication Object ● Principal - identifies the user. When authenticating with a username/password this is often an instance of UserDetails. ● Credentials - Often a password. In many cases this will be cleared after the user is authenticated to ensure it is not leaked. ● Authorities - the GrantedAuthorities are high level permissions the user is granted. A few examples are roles or scopes. 31
32 Authentication Object
Authorization Flow 33
Authorization Flow ● FilterSecurityInterceptor obtains the “Security Metadata” by matching the current request ● FilterSecurityInterceptor gets the current Authentication ● The Authentication, Security Metadata and Request is passed to the AccessDecisionManager ● AccessDecisionManager delegates it to the AccessDecisionVoter(s) for decisioning 34
What happens when there is Exception? ● When “Access Denied” for current Authentication, ExceptionTranslationFilter delegates to the AccessDeniedHandler and returns a Http 403 status code ● When current Authentication is “Anonymous”, ExceptionTranslationFilter delegates to the AuthenticationEntryPoint to start the Authentication Process 35
Filter Chain Ordering 1. ChannelProcessingFilter 2. WebAsyncManagerIntegrationFilter 3. SecurityContextPersistenceFilter 4. HeaderWriterFilter 5. CorsFilter 6. CsrfFilter 7. LogoutFilter 8. OAuth2AuthorizationRequestRedirectFilter 9. Saml2WebSsoAuthenticationRequestFilter 10. X509AuthenticationFilter 11. AbstractPreAuthenticatedProcessingFilter 12. CasAuthenticationFilter 13. OAuth2LoginAuthenticationFilter 14. Saml2WebSsoAuthenticationFilter 15. UsernamePasswordAuthenticationFilter 16. OpenIDAuthenticationFilter 17. DefaultLoginPageGeneratingFilter 36
Filter Chain Ordering (Contd.) 18. DefaultLogoutPageGeneratingFilter 19. ConcurrentSessionFilter 20. DigestAuthenticationFilter 21. BearerTokenAuthenticationFilter 22. BasicAuthenticationFilter 23. RequestCacheAwareFilter 24. SecurityContextHolderAwareRequestFilter 25. JaasApiIntegrationFilter 26. RememberMeAuthenticationFilter 27. AnonymousAuthenticationFilter 28. OAuth2AuthorizationCodeGrantFilter 29. SessionManagementFilter 30. ExceptionTranslationFilter 31. FilterSecurityInterceptor 32. SwitchUserFilter 37
Common Security Threats ● Injection ● Broken Authentication ● Sensitive Data Exposure ● XML External Entities ● Broken Access Control ● Security Misconfiguration ● Cross-Site Scripting ● Insecure Deserialization ● Using Components with Known Vulnerabilities ● Insufficient logging and monitoring 38
How Spring Security protects against Threats 39
Spring Security Headers 40
Spring Security Headers ● Disables Browser Cache ○ If your application provides its own cache control headers Spring Security will back out of the way ● Disables Content Sniffing ○ Content Sniffing- when the browser is trying to guess the content type of a request ● Disables Frame (prevents Clickjacking) ○ By default Spring Security disables rendering pages within an iframe ● HTTP Strict Transport Security (HSTS) ○ Instructs Browser to treat this domain and subdomains as an HSTS host for a year by default 41
Spring Security Headers ● Reflective XSS ○ Prevents Browser from rendering a page if it suspects a reflective XSS attack 42
CSRF Protection ● Cross-Site Request Forgery is an attack that forces a user to execute unwanted actions in an application they’re currently logged into. ● If the user is a normal user, a successful attack can involve state-changing requests like transferring funds or changing their email address. ● If the user has elevated permissions, a CSRF attack can compromise the entire application. ● Spring Security uses Synchronizer Token Pattern where along with creating the session cookie on authentication, it also creates a csrf token which a malicious site can not access or use. ● On the backend side, CSRF Filter expects this token along with state changing requests to allow the request to pass through. 43
Example of CSRF for SPA 44
HTTP Verb Tampering ● HTTP Verb Tampering is an attack that exploits vulnerabilities in HTTP verb (also known as HTTP method) authentication and access control mechanisms. ● Many authentication mechanisms only limit access to the most common HTTP methods, thus allowing unauthorized access to restricted resources by other HTTP methods. 45
Example of HTTP Verb Tampering 46
Enable Content Security Policy to Prevent XSS Attacks ● Content Security Policy (CSP) is an added layer of security that helps mitigate XSS (cross-site scripting) and data injection attacks. ● To enable it, you need to configure your app to return a Content-Security-Policy header. ● You can also use a <meta http-equiv="Content-Security-Policy"> tag in your HTML page. 47
Example for Content Security Policy prevention 48
Session Fixation ● Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). ● Spring Security protects against this automatically by creating a new session or otherwise changing the session ID when a user logs in. 49
HTTPS in Production and NOT HTTP! 50
Basic Authentication 51
Basic Authentication ● Credentials are transmitted through header ● Header name: Authentication ● Header value: Basic + Base64(username:password) ● Eg: Authorization: Basic YMDDdnskdslkdlklsklddlk 52
Common Challenges with Basic Authentication ● Base64 is easy to decode! ● Managing password hash with application data is a bottleneck. ● Sharing username and password for integrating with third party vendor can cause a lot of problems. ● In case of a distributed application, while scaling up, you have to scale up the identity and authentication mechanism as well. ● If starting from a monolith application and going further down into Microservices, you will require Authentication and Authorization for each of the service which creating a problem later. 53
Introducing OAuth2, OIDC and JWT 54
55
Goal of OAuth2 ● This was driven mainly because the applications realised that user password sharing with multiple unknown apps was a big security threat. ● To allow applications to access data from third party apps without the users sharing their password. ● Problems while implementing single sign on because of the need to share passwords between applications 56
OAuth2 ● OAuth 2.0 is the industry-standard protocol for authorization. ● OAuth 1.0 was published in Dec 2007. ● It uses scopes to define permissions about what actions an authorized user can perform. ● However, OAuth 2.0 is not an authentication protocol and provides no information about the authenticated user. ● https://auth0.com/ 57
OpenID Connect ● OpenID Connect (OIDC) is an OAuth 2.0 extension that provides user information. ● It adds an ID token in addition to an access token, as well as a /userinfo endpoint that you can get additional information from. ● It also adds an endpoint discovery feature and dynamic client registration. 58
59 JSON Web Token (JWT) ● Light weight ○ JSON Map Information ● Verifiable ○ Digitally signed and Base64 URL encoded ● Protocol Agnostic ○ Can be used standalone ● Expiration Time
60 Field Description iat Indicates the token was "issued at" jit JSON Token ID iss Issuer of the token exp Expiry time sub Subject aud Audience JSON Structure ● Header ● Payload ● Signature
61
62
63
Code: https://github.com/nsardana-bny/spring-security- oauth2-okta-sample 64
Final Thoughts 65
Core Principles of Application Security ● Minimize attack surface area ● Establish secure defaults ● The principle of least privilege ● The principle of defense in depth ● Fail securely ● Don’t trust services ● Separation of duties ● Avoid security by obscurity ● Keep security simple ● Fix security issues correctly 66
References Medium Blog - Spring Security Code Walkthrough Spring Design Principles Top Courses on Spring Security OWASP Top 10 Spring Security Reference OAuth 2.1 Picture Credits: https://tinyurl.com/fp5pfux7 (Pluralsight.com) 67
Thank you! Twitter: @nehasardana09 68

More Related Content

PDF
Spring Security
Knoldus Inc.
 
PDF
REST APIs with Spring
Joshua Long
 
PDF
Microservices with Java, Spring Boot and Spring Cloud
Eberhard Wolff
 
PPTX
GraphQL Introduction with Spring Boot
vipin kumar
 
PPTX
Spring boot Introduction
Jeevesh Pandey
 
PDF
OAuth2 and Spring Security
Orest Ivasiv
 
PDF
Networking in Java with NIO and Netty
Constantine Slisenka
 
PPTX
Rest API Security
Stormpath
 
Spring Security
Knoldus Inc.
 
REST APIs with Spring
Joshua Long
 
Microservices with Java, Spring Boot and Spring Cloud
Eberhard Wolff
 
GraphQL Introduction with Spring Boot
vipin kumar
 
Spring boot Introduction
Jeevesh Pandey
 
OAuth2 and Spring Security
Orest Ivasiv
 
Networking in Java with NIO and Netty
Constantine Slisenka
 
Rest API Security
Stormpath
 

What's hot (20)

PPTX
Spring boot
Gyanendra Yadav
 
PPTX
Project Reactor By Example
Denny Abraham Cheriyan
 
PDF
Spring Boot
Jaran Flaath
 
PPTX
An Introduction To REST API
Aniruddh Bhilvare
 
PPTX
Spring Boot Tutorial
Naphachara Rattanawilai
 
PPT
Spring Boot in Action
Alex Movila
 
PPT
Source Code Analysis with SAST
Blueinfy Solutions
 
PDF
Spring Boot
koppenolski
 
PPTX
Spring mvc
Pravin Pundge
 
PPTX
API Security Fundamentals
José Haro Peralta
 
PPT
Microservices
Đức Giang Nguyễn
 
PDF
Deploying Elasticsearch and Kibana on Kubernetes with the Elastic Operator / ECK
Imma Valls Bernaus
 
PPTX
Spring boot Under Da Hood
Michel Schudel
 
PDF
Testing with Spring: An Introduction
Sam Brannen
 
PDF
REST API Best (Recommended) Practices
Rasheed Waraich
 
PPTX
Spring Boot and REST API
07.pallav
 
PDF
Spring Boot
Pei-Tang Huang
 
PDF
Postman
Igor Shubovych
 
PPTX
Software architecture for high traffic website
Tung Nguyen Thanh
 
PPTX
Introduction to Microservices
Roger van de Kimmenade
 
Spring boot
Gyanendra Yadav
 
Project Reactor By Example
Denny Abraham Cheriyan
 
Spring Boot
Jaran Flaath
 
An Introduction To REST API
Aniruddh Bhilvare
 
Spring Boot Tutorial
Naphachara Rattanawilai
 
Spring Boot in Action
Alex Movila
 
Source Code Analysis with SAST
Blueinfy Solutions
 
Spring Boot
koppenolski
 
Spring mvc
Pravin Pundge
 
API Security Fundamentals
José Haro Peralta
 
Microservices
Đức Giang Nguyễn
 
Deploying Elasticsearch and Kibana on Kubernetes with the Elastic Operator / ECK
Imma Valls Bernaus
 
Spring boot Under Da Hood
Michel Schudel
 
Testing with Spring: An Introduction
Sam Brannen
 
REST API Best (Recommended) Practices
Rasheed Waraich
 
Spring Boot and REST API
07.pallav
 
Spring Boot
Pei-Tang Huang
 
Postman
Igor Shubovych
 
Software architecture for high traffic website
Tung Nguyen Thanh
 
Introduction to Microservices
Roger van de Kimmenade
 
Ad

Similar to Building layers of defense for your application (20)

PPTX
SCWCD : Secure web
Ben Abdallah Helmi
 
PPTX
SCWCD : Secure web : CHAP : 7
Ben Abdallah Helmi
 
PDF
Top 20 certified ethical hacker interview questions and answer
ShivamSharma909
 
PDF
Getting started with Spring Security
Knoldus Inc.
 
PDF
Secure coding guidelines
Zakaria SMAHI
 
PPTX
Cloud Identity Management
Damian T. Gordon
 
PPTX
How to Test for The OWASP Top Ten
Security Innovation
 
PPTX
Web Exploitation Security
Aman Singh
 
PPT
Security Testing
ISsoft
 
PDF
Common Web Application Attacks
Ahmed Sherif
 
PDF
TW SEAT - DevOps: Security 干我何事?
smalltown
 
PDF
Spring Security
Knoldus Inc.
 
PPS
Security testing
Tabăra de Testare
 
PDF
Owasp top 10
YasserElsnbary
 
PPTX
Security testing
Rihab Chebbah
 
PPTX
Web applications security conference slides
Bassam Al-Khatib
 
PPTX
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Security Innovation
 
PDF
Client /server security overview
Mohamed Sayed
 
PPTX
Security Testing Training With Examples
Alwin Thayyil
 
PDF
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
 
SCWCD : Secure web
Ben Abdallah Helmi
 
SCWCD : Secure web : CHAP : 7
Ben Abdallah Helmi
 
Top 20 certified ethical hacker interview questions and answer
ShivamSharma909
 
Getting started with Spring Security
Knoldus Inc.
 
Secure coding guidelines
Zakaria SMAHI
 
Cloud Identity Management
Damian T. Gordon
 
How to Test for The OWASP Top Ten
Security Innovation
 
Web Exploitation Security
Aman Singh
 
Security Testing
ISsoft
 
Common Web Application Attacks
Ahmed Sherif
 
TW SEAT - DevOps: Security 干我何事?
smalltown
 
Spring Security
Knoldus Inc.
 
Security testing
Tabăra de Testare
 
Owasp top 10
YasserElsnbary
 
Security testing
Rihab Chebbah
 
Web applications security conference slides
Bassam Al-Khatib
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Security Innovation
 
Client /server security overview
Mohamed Sayed
 
Security Testing Training With Examples
Alwin Thayyil
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
 
Ad

More from VMware Tanzu (20)

PDF
Spring into AI presented by Dan Vega 5/14
VMware Tanzu
 
PDF
What AI Means For Your Product Strategy And What To Do About It
VMware Tanzu
 
PDF
Make the Right Thing the Obvious Thing at Cardinal Health 2023
VMware Tanzu
 
PPTX
Enhancing DevEx and Simplifying Operations at Scale
VMware Tanzu
 
PDF
Spring Update | July 2023
VMware Tanzu
 
PPTX
Platforms, Platform Engineering, & Platform as a Product
VMware Tanzu
 
PPTX
Building Cloud Ready Apps
VMware Tanzu
 
PDF
Spring Boot 3 And Beyond
VMware Tanzu
 
PDF
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
VMware Tanzu
 
PDF
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
VMware Tanzu
 
PDF
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
VMware Tanzu
 
PPTX
tanzu_developer_connect.pptx
VMware Tanzu
 
PDF
Tanzu Virtual Developer Connect Workshop - French
VMware Tanzu
 
PDF
Tanzu Developer Connect Workshop - English
VMware Tanzu
 
PDF
Virtual Developer Connect Workshop - English
VMware Tanzu
 
PDF
Tanzu Developer Connect - French
VMware Tanzu
 
PDF
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
VMware Tanzu
 
PDF
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
VMware Tanzu
 
PDF
SpringOne Tour: The Influential Software Engineer
VMware Tanzu
 
PDF
SpringOne Tour: Domain-Driven Design: Theory vs Practice
VMware Tanzu
 
Spring into AI presented by Dan Vega 5/14
VMware Tanzu
 
What AI Means For Your Product Strategy And What To Do About It
VMware Tanzu
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
VMware Tanzu
 
Enhancing DevEx and Simplifying Operations at Scale
VMware Tanzu
 
Spring Update | July 2023
VMware Tanzu
 
Platforms, Platform Engineering, & Platform as a Product
VMware Tanzu
 
Building Cloud Ready Apps
VMware Tanzu
 
Spring Boot 3 And Beyond
VMware Tanzu
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
VMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
VMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
VMware Tanzu
 
tanzu_developer_connect.pptx
VMware Tanzu
 
Tanzu Virtual Developer Connect Workshop - French
VMware Tanzu
 
Tanzu Developer Connect Workshop - English
VMware Tanzu
 
Virtual Developer Connect Workshop - English
VMware Tanzu
 
Tanzu Developer Connect - French
VMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
VMware Tanzu
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
VMware Tanzu
 
SpringOne Tour: The Influential Software Engineer
VMware Tanzu
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
VMware Tanzu
 

Recently uploaded (20)

PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PPTX
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Introduction Database Management System for Course Database
ReinertYosua
 
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
AI in Product Development-omnex systems
omnex systems
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
System and Network Administraation Chapter 3
jaramharo
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 

Building layers of defense for your application

  • 1. Building Layers of Defense for Your Application Using Spring Security Framework Neha Sardana
  • 2. About Me ● Software Developer ● Fellow JUG Leader at Garden State Java User Group, NJ and New York Java SIG, NY ● Building Spring based applications for almost 10 years ● Love to travel, practice yoga and watch cricket ● Github : nsardana-bny ● linkedin.com/in/nehasardana9786/ ● Twitter: @nehasardana09, Medium: @neha-nsit 2
  • 3. Agenda ● Authentication and Authorization ● Layers of defense for a web app ● Spring Security - The 5Ws ● Common Security Threats ● Protection against threats ● Basic Authentication ● JWT, OAuth and OpenID Connect ● Code! ● Principles of Application Security 3
  • 4. Pre-requisites ● Java ● Spring Framework ● Maven 4
  • 6. Authentication ● Authentication is about validating your credentials like User Name/User ID and password to verify your identity. ● The system determines whether you are what you say you are using your credentials. 6
  • 7. Authorization ● Authorization is the process to determine whether the authenticated user has access to particular resources. ● It verifies your rights to grant you access to resources such as information, databases, files, etc. ● Authorization usually comes after authentication which confirms your privileges to perform. 7
  • 8. Layers of defense for a web app 8 ● Network Firewall ● Login Page ● Security Questions ● Authentication or Multi-factor Authentication ● Hashing and/or Salting ● Authorization Don’t give very specific error message to the user!!! EVER!
  • 10. 10
  • 11. What is Spring Security? ● Spring Security is a powerful and highly customizable authentication and access-control framework for Java based applications. ● It is the de-facto standard for securing Spring-based applications. ● Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements 11
  • 12. Why Use Spring Security? ● Easy Integration with Spring Boot ● Supported by large Open Source Community ● Authentication/Authorization (Out of the box) ● Application layer framework (not tied to a particular web server) ● Loosely Coupled ● Filter Entry point/Servlet ● Multiple authentication models ● Protects from Common Security Threats! 12
  • 13. Why use Spring Security? ● Due to increased adoption of frameworks like Spring Security, many of the previously common exploits such as: Cross Site Request Forgery and Clickjacking and many others are no longer on OWASP (Open Web Application Security Project) top 10. 13
  • 15. 15
  • 16. How to use Spring Security in your application 16
  • 17. 17 Add below code to your pom.xml in Spring Boot Project
  • 19. 19
  • 20. ● To enable Spring Security, you have to register Spring Security Filter, also known as, DelegatingFilterProxy, with your servlet container. ● DelegatingFilterProxy will forward all requests to other Spring Security Filters to perform Authentication or Authorization checks. ● Two important things to kick start your security framework: Dispatcher Servlet & Delegating Proxy Filter. 20 How Spring Security Works
  • 21. 21
  • 23. Filter Interface ● Init() - Called by the web container to indicate to a filter that it is being placed into service. ● destroy() - Called by the web container to indicate to a filter that it is being taken out of service. ● doFilter() - The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. ● The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain. 23
  • 24. FilterChainProxy & Security Filter Chain ● DelegatingFilterProxy delegates the request to FilterChainProxy (FCP) which in turn delegates to another object SecurityFilterChain (SFC). ● SFC is a wrapper around collection of Spring Filters that performs actual security tasks. ● When a request comes, FCP iterates through SFC in order to find the one which matches with the request url. ● After the above step, the appropriate Filter is invoked to perform security tasks. ● The Order of SFC matters a lot! ● There are options to have multiple SFC in one application to have multiple types of authentication for different types of URLs. 24
  • 26. SecurityFilterChain Interface ● matches() - returns boolean to checks if the request matches the filter chain ● getFilters() - returns a list of security filters for the matched request 26
  • 27. 27
  • 29. Authentication Flow ● Authentication Filter creates an “Authentication Request” and passes it to the Authentication Manager ● Authentication Manager delegates to the Authentication Provider ● Authentication Provider uses UserDetailsService to load the UserDetails and returns an “Authenticated Principal” ● Authentication Filter sets the Authentication in the SecurityContext 29
  • 30. 30 AuthenticationFilter Authentication Principal AuthenticationManager Authentication Providers Authentication Principal Security Context UserDetailsService generates authenticates delegates get UserDetails SecurityContextHolder adds
  • 31. Authentication Object ● Principal - identifies the user. When authenticating with a username/password this is often an instance of UserDetails. ● Credentials - Often a password. In many cases this will be cleared after the user is authenticated to ensure it is not leaked. ● Authorities - the GrantedAuthorities are high level permissions the user is granted. A few examples are roles or scopes. 31
  • 34. Authorization Flow ● FilterSecurityInterceptor obtains the “Security Metadata” by matching the current request ● FilterSecurityInterceptor gets the current Authentication ● The Authentication, Security Metadata and Request is passed to the AccessDecisionManager ● AccessDecisionManager delegates it to the AccessDecisionVoter(s) for decisioning 34
  • 35. What happens when there is Exception? ● When “Access Denied” for current Authentication, ExceptionTranslationFilter delegates to the AccessDeniedHandler and returns a Http 403 status code ● When current Authentication is “Anonymous”, ExceptionTranslationFilter delegates to the AuthenticationEntryPoint to start the Authentication Process 35
  • 36. Filter Chain Ordering 1. ChannelProcessingFilter 2. WebAsyncManagerIntegrationFilter 3. SecurityContextPersistenceFilter 4. HeaderWriterFilter 5. CorsFilter 6. CsrfFilter 7. LogoutFilter 8. OAuth2AuthorizationRequestRedirectFilter 9. Saml2WebSsoAuthenticationRequestFilter 10. X509AuthenticationFilter 11. AbstractPreAuthenticatedProcessingFilter 12. CasAuthenticationFilter 13. OAuth2LoginAuthenticationFilter 14. Saml2WebSsoAuthenticationFilter 15. UsernamePasswordAuthenticationFilter 16. OpenIDAuthenticationFilter 17. DefaultLoginPageGeneratingFilter 36
  • 37. Filter Chain Ordering (Contd.) 18. DefaultLogoutPageGeneratingFilter 19. ConcurrentSessionFilter 20. DigestAuthenticationFilter 21. BearerTokenAuthenticationFilter 22. BasicAuthenticationFilter 23. RequestCacheAwareFilter 24. SecurityContextHolderAwareRequestFilter 25. JaasApiIntegrationFilter 26. RememberMeAuthenticationFilter 27. AnonymousAuthenticationFilter 28. OAuth2AuthorizationCodeGrantFilter 29. SessionManagementFilter 30. ExceptionTranslationFilter 31. FilterSecurityInterceptor 32. SwitchUserFilter 37
  • 38. Common Security Threats ● Injection ● Broken Authentication ● Sensitive Data Exposure ● XML External Entities ● Broken Access Control ● Security Misconfiguration ● Cross-Site Scripting ● Insecure Deserialization ● Using Components with Known Vulnerabilities ● Insufficient logging and monitoring 38
  • 39. How Spring Security protects against Threats 39
  • 41. Spring Security Headers ● Disables Browser Cache ○ If your application provides its own cache control headers Spring Security will back out of the way ● Disables Content Sniffing ○ Content Sniffing- when the browser is trying to guess the content type of a request ● Disables Frame (prevents Clickjacking) ○ By default Spring Security disables rendering pages within an iframe ● HTTP Strict Transport Security (HSTS) ○ Instructs Browser to treat this domain and subdomains as an HSTS host for a year by default 41
  • 42. Spring Security Headers ● Reflective XSS ○ Prevents Browser from rendering a page if it suspects a reflective XSS attack 42
  • 43. CSRF Protection ● Cross-Site Request Forgery is an attack that forces a user to execute unwanted actions in an application they’re currently logged into. ● If the user is a normal user, a successful attack can involve state-changing requests like transferring funds or changing their email address. ● If the user has elevated permissions, a CSRF attack can compromise the entire application. ● Spring Security uses Synchronizer Token Pattern where along with creating the session cookie on authentication, it also creates a csrf token which a malicious site can not access or use. ● On the backend side, CSRF Filter expects this token along with state changing requests to allow the request to pass through. 43
  • 44. Example of CSRF for SPA 44
  • 45. HTTP Verb Tampering ● HTTP Verb Tampering is an attack that exploits vulnerabilities in HTTP verb (also known as HTTP method) authentication and access control mechanisms. ● Many authentication mechanisms only limit access to the most common HTTP methods, thus allowing unauthorized access to restricted resources by other HTTP methods. 45
  • 46. Example of HTTP Verb Tampering 46
  • 47. Enable Content Security Policy to Prevent XSS Attacks ● Content Security Policy (CSP) is an added layer of security that helps mitigate XSS (cross-site scripting) and data injection attacks. ● To enable it, you need to configure your app to return a Content-Security-Policy header. ● You can also use a <meta http-equiv="Content-Security-Policy"> tag in your HTML page. 47
  • 48. Example for Content Security Policy prevention 48
  • 49. Session Fixation ● Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). ● Spring Security protects against this automatically by creating a new session or otherwise changing the session ID when a user logs in. 49
  • 50. HTTPS in Production and NOT HTTP! 50
  • 52. Basic Authentication ● Credentials are transmitted through header ● Header name: Authentication ● Header value: Basic + Base64(username:password) ● Eg: Authorization: Basic YMDDdnskdslkdlklsklddlk 52
  • 53. Common Challenges with Basic Authentication ● Base64 is easy to decode! ● Managing password hash with application data is a bottleneck. ● Sharing username and password for integrating with third party vendor can cause a lot of problems. ● In case of a distributed application, while scaling up, you have to scale up the identity and authentication mechanism as well. ● If starting from a monolith application and going further down into Microservices, you will require Authentication and Authorization for each of the service which creating a problem later. 53
  • 55. 55
  • 56. Goal of OAuth2 ● This was driven mainly because the applications realised that user password sharing with multiple unknown apps was a big security threat. ● To allow applications to access data from third party apps without the users sharing their password. ● Problems while implementing single sign on because of the need to share passwords between applications 56
  • 57. OAuth2 ● OAuth 2.0 is the industry-standard protocol for authorization. ● OAuth 1.0 was published in Dec 2007. ● It uses scopes to define permissions about what actions an authorized user can perform. ● However, OAuth 2.0 is not an authentication protocol and provides no information about the authenticated user. ● https://auth0.com/ 57
  • 58. OpenID Connect ● OpenID Connect (OIDC) is an OAuth 2.0 extension that provides user information. ● It adds an ID token in addition to an access token, as well as a /userinfo endpoint that you can get additional information from. ● It also adds an endpoint discovery feature and dynamic client registration. 58
  • 59. 59 JSON Web Token (JWT) ● Light weight ○ JSON Map Information ● Verifiable ○ Digitally signed and Base64 URL encoded ● Protocol Agnostic ○ Can be used standalone ● Expiration Time
  • 60. 60 Field Description iat Indicates the token was "issued at" jit JSON Token ID iss Issuer of the token exp Expiry time sub Subject aud Audience JSON Structure ● Header ● Payload ● Signature
  • 61. 61
  • 62. 62
  • 63. 63
  • 66. Core Principles of Application Security ● Minimize attack surface area ● Establish secure defaults ● The principle of least privilege ● The principle of defense in depth ● Fail securely ● Don’t trust services ● Separation of duties ● Avoid security by obscurity ● Keep security simple ● Fix security issues correctly 66
  • 67. References Medium Blog - Spring Security Code Walkthrough Spring Design Principles Top Courses on Spring Security OWASP Top 10 Spring Security Reference OAuth 2.1 Picture Credits: https://tinyurl.com/fp5pfux7 (Pluralsight.com) 67