5 Spring Security

Chapter 5 discusses Spring Security, a framework for authentication and authorization in Java web applications and services. It covers key concepts, configurations, and practices for implementing security, including CSRF protection and various credential management methods. The chapter also highlights the importance of securing resources and provides examples of configuring security settings in Spring applications.

Uploaded by

Sen

CHAPTER 5

SPRING SECURITY

Introduction
§ Spring Security is a framework that provides both authentication and
authorization (access control) for Java web applications and SOAP/REST web services.
§ The Spring framework supports integration with many technologies:
• HTTP basic authentication
• LDAP
• OpenID providers
• JAAS API
• …
• A customized authentication system (written by yourself)

Authentication vs Authorization

                                Authentication                         Authorization
What does it do?                Verifies credentials                   Grants or denies permissions
How does it work?               Through passwords, biometrics,         Through settings maintained by
                                one-time pins, or apps                 security teams
Is it visible to the user?      Yes                                    No
Is it changeable by the user?   Partially                              No
How does data move?             Through ID tokens                      Through access tokens
Terminologies
§ Principal: the user (or system) that performs the action
§ Authentication: confirming the truth of the presented credentials
§ Authorization: defining the access policy for a principal
§ GrantedAuthority: an application permission granted to a principal
§ SecurityContext: holds the Authentication and other security information
§ SecurityContextHolder: provides access to the SecurityContext

Terminologies
§ AuthenticationManager: controller of the authentication process
§ AuthenticationProvider: interface that maps to the data store holding your user data
§ Authentication object: created upon authentication; holds the login credentials
§ UserDetails: data object containing the user's credentials as well as the user's roles
§ UserDetailsService: collects the user's credentials and authorities (roles) and
builds a UserDetails object

Architecture

Flow
Practice
§ In Spring 6.x, once the dependency is added to the project, every resource
requires credentials when accessed.
§ To grant or deny permission on resources, configure them using XML or Java code.
§ There are many ways to implement security in Spring.
§ Dependencies:
• Spring Web
• Spring Data JPA
• Spring Security
• Spring Boot Devtools
• MariaDB Driver
Practice (cont.)
Auto Config with SpringBoot
• Default username: user
• Default password: the password generated when the application starts, printed as a WARN line in the log:

2024-11-02T09:18:35.973+07:00 WARN SpringWebMVCDemo m.s.s.UserDetailsServiceAutoConfiguration Using generated security password: 6a7dd9d1-495b-4e0b-beb7-d181e940b708

This generated password is for development use only. Your security configuration must be updated before running your application in production.
Practice (cont.)
Auto Config with SpringBoot
• We can change the default password by specifying it in application.properties
• The property holds a BCrypt hash of the password, not the password itself; a hash can be generated at https://bcrypt-generator.com
• Spring Boot only treats a bare hash like the one below as BCrypt when a PasswordEncoder bean (the BCryptPasswordEncoder bean configured later in this chapter) is present or the value carries the {bcrypt} prefix; without either, the value is compared as a plain-text password and logging in with 123456 fails
# Security
spring.security.user.name=user01

# 123456
spring.security.user.password=$2a$12$i0bonNQB3xnev8Nzj9pEJeNCKdrf1fWtrim8VuxhQVUSfniNy1JzK
Practice (cont.)
Default Login Form

Spring Security
Configuration
• Sample steps:
• Create any class with the @Configuration annotation.
• Add @EnableWebSecurity
• Create a method with a parameter with type AuthenticationManagerBuilder
• Create a bean with return type SecurityFilterChain and a parameter with type
HttpSecurity

Spring Security
Configuration (cont.)
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableWebSecurity
public class SecurityConfig {
  // Registers the (in-memory) users that the AuthenticationManager will check
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
        .withUser("user01").password(passwordEncoder().encode("123456")).roles("USER");
  }
  // Declares which resources are protected and how users log in (default login form)
  @Bean
  SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
    httpSecurity.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .formLogin(Customizer.withDefaults());
    return httpSecurity.build();
  }
  // BCrypt hashes the stored passwords; they are never kept in plain text
  @Bean
  PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
}
Spring Security
Resource’s grant/deny permission
§ You should specify resources for protecting.
• permitAll()
• authenticated()
• denyAll()
• hasAnyRole()
• hasRole()
• …
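The rules above combined in one SecurityFilterChain, added here as an example (not code from the slides); the paths /admin/**, /account/**, /internal/** and the role names are assumed for illustration:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceRulesConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Rules are evaluated top-down and the first matching rule wins,
                // so the specific paths come first and the catch-all comes last.
                .requestMatchers("/", "/login", "/css/**").permitAll()   // assumed public paths
                .requestMatchers("/admin/**").hasRole("ADMIN")           // needs authority ROLE_ADMIN
                .requestMatchers("/account/**").hasAnyRole("USER", "ADMIN")
                .requestMatchers("/internal/**").denyAll()               // never served over HTTP
                .anyRequest().authenticated())                           // default-deny for everything else
            .formLogin(Customizer.withDefaults());                       // keep the default login form
        return http.build();
    }
}
```

Putting anyRequest().authenticated() above the specific matchers would shadow them, so the catch-all rule must stay last.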

Spring Security
Providing credentials
§ You can provide credentials in many ways:
• In memory
• Using JDBC
• Using OAuth2AuthorizeRequest
• Using LDAP
• …
§ In this study, in-memory credentials and JDBC credentials are used.

Credentials
In-memory credential
§ Provide roles for the users
§ Use BCryptPasswordEncoder for encoding the password
Credentials
Using JDBC credential
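A JDBC-backed version of the credential setup, added here as an example rather than the slides' own code; it assumes Spring Security's default users/authorities tables exist in the MariaDB database configured through spring.datasource.*, and seeds one development user:

```java
import javax.sql.DataSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.JdbcUserDetailsManager;

@Configuration
public class JdbcCredentialsConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Exposed as a bean so the auto-configured AuthenticationManager uses it
    // together with the PasswordEncoder bean above.
    // The default queries expect Spring Security's standard schema:
    //   users(username, password, enabled) and authorities(username, authority)
    @Bean
    UserDetailsService userDetailsService(DataSource dataSource, PasswordEncoder encoder) {
        JdbcUserDetailsManager manager = new JdbcUserDetailsManager(dataSource);
        // If your tables are named differently, point the manager at your own queries
        // (table names below are assumed):
        // manager.setUsersByUsernameQuery(
        //     "select username, password, enabled from accounts where username = ?");
        // manager.setAuthoritiesByUsernameQuery(
        //     "select username, authority from account_roles where username = ?");

        // Seed a first login for development only; the stored value is the BCrypt
        // hash, never the plain-text "123456".
        if (!manager.userExists("user01")) {
            manager.createUser(User.withUsername("user01")
                .password(encoder.encode("123456"))
                .roles("USER")             // stored as ROLE_USER in the authorities table
                .build());
        }
        return manager;
    }
}
```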

Method level security
Method’s security
§ If roles are to be checked when methods are called, method security must be
enabled.
§ Use the @EnableMethodSecurity annotation on any @Configuration class.
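Method-level security in use, added here as an example (not from the slides); AccountService, its methods and the role names are assumed for illustration:

```java
import java.util.HashSet;
import java.util.Set;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// Without @EnableMethodSecurity on some @Configuration class the @PreAuthorize
// annotations below are silently ignored and every caller gets through.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

@Service
class AccountService {                 // assumed service, not from the slides

    private final Set<String> frozen = new HashSet<>();

    // Only a caller holding ROLE_ADMIN may freeze an account; anyone else
    // receives an AccessDeniedException before the method body runs.
    @PreAuthorize("hasRole('ADMIN')")
    public boolean freeze(String accountNo) {
        return frozen.add(accountNo);
    }

    // A user may read their own statement, an admin may read anyone's:
    // 'authentication.name' is the logged-in username, '#owner' the argument.
    @PreAuthorize("hasRole('ADMIN') or #owner == authentication.name")
    public String statement(String owner, String accountNo) {
        return frozen.contains(accountNo) ? "FROZEN" : "statement for " + accountNo;
    }
}
```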

Spring Security
Other techniques
§ OAuth2 (Single sign-On)
§ JSON Web Token (JWT)
§ OpenID Connect
§ …

Cross-Site Request Forgery (CSRF)
Introduction
§ Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute
unwanted actions on a web application in which they’re currently authenticated.
§ With a little help of social engineering (such as sending a link via email or chat), an
attacker may trick the users of a web application into executing actions of the
attacker’s choosing.
§ If the victim is a normal user, a successful CSRF attack can force the user to perform
state changing requests like transferring funds, changing their email address, and so
forth.
§ If the victim is an administrative account, CSRF can compromise the entire web
application.
§ There are multiple forms of CSRF attack. The two simplest and most common are:
• Using the GET method
• Using the POST method
CSRF attacks
Using GET method
§ Let’s consider the following GET request used by a logged-in user to transfer
money to a specific bank account 1234

GET http://bank.com/transfer?accountNo=1234&amount=100

§ If the attacker wants to transfer money from a victim’s account to his own
account instead — 5678 — he needs to make the victim trigger the request:

GET http://bank.com/transfer?accountNo=5678&amount=1000

CSRF attacks
Using GET method (cont.)
§ There are multiple ways to make that happen:
• Link – The attacker can convince the victim to click on this link, for
example, to execute the transfer:
<a href="http://bank.com/transfer?accountNo=5678&amount=1000">
Show Kittens Pictures
</a>

• Image – The attacker may use an <img/> tag with the target URL as the
image source. In other words, the click isn’t even necessary. The request
will be automatically executed when the page loads:
<img src="http://bank.com/transfer?accountNo=5678&amount=1000"/>
CSRF attacks
Using POST method
§ Suppose the main request needs to be a POST request:
POST http://bank.com/transfer?accountNo=1234&amount=100
§ In this case, the attacker needs to have the victim run a similar request:
POST http://bank.com/transfer?accountNo=5678&amount=1000
§ Neither the <a> nor the <img/> tags will work in this case.
§ The attacker will need a <form>:
<form action="http://bank.com/transfer" method="POST">
<input type="hidden" name="accountNo" value="5678"/>
<input type="hidden" name="amount" value="1000"/>
<input type="submit" value="Show Kittens Pictures"/>
</form>
§ The form can be submitted automatically using JavaScript:
<body onload="document.forms[0].submit()">
<form>
...
</form>
Spring MVC Web with CSRF
Client prevent CSRF attack configuration
§ We need to include the CSRF token in our requests. The _csrf request attribute contains the
following information:
• token – the CSRF token value
• parameterName – name of the HTML form parameter that must carry the token value
• headerName – name of the HTTP header that must carry the token value
§ In case of using HTML forms, the parameterName and token values should be added as a hidden
form field:
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
Spring MVC Web with CSRF
Client prevent CSRF attack configuration (cont.)
§ In case of using JSON view forms, the headerName and token values should be added
HTTP header.
<!-- 1. Include the token value and the header name in meta tags -->
<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>

// 2. Then retrieve the meta tag values with jQuery:
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");

// 3. Finally, use these values to set the header on every XHR jQuery sends:
$(document).ajaxSend(function (e, xhr, options) {
  xhr.setRequestHeader(header, token);
});
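A defender's check that the CSRF filter really rejects a forged POST like the one in the bank example, added here as an example (not the slides' code); it assumes the spring-boot-starter-test and spring-security-test dependencies and a POST /transfer endpoint that answers 2xx for an authenticated request:

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class TransferCsrfTest {

    @Autowired
    MockMvc mockMvc;

    // A cross-site form post arrives with the victim's session but without the
    // token: the CsrfFilter must answer 403 before the controller ever runs.
    @Test
    void postWithoutTokenIsRejected() throws Exception {
        mockMvc.perform(post("/transfer")
                .with(user("user01").roles("USER"))
                .param("accountNo", "5678").param("amount", "1000"))
            .andExpect(status().isForbidden());
    }

    // The same request carrying a valid token (what the hidden _csrf field or
    // the X-CSRF-TOKEN header supplies in the browser) passes the filter.
    @Test
    void postWithTokenIsAccepted() throws Exception {
        mockMvc.perform(post("/transfer")
                .with(user("user01").roles("USER"))
                .with(csrf())
                .param("accountNo", "1234").param("amount", "100"))
            .andExpect(status().is2xxSuccessful());
    }
}
```

If the first test ever starts passing without the token, CSRF protection has been disabled somewhere in the filter chain.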
Q&A