JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redondo Ramírez

Description

Starting from a previously developed simple web application (based on the X-Files TV series), the aim is to set up both user authentication and authorization: for the web resources themselves and for the invocation of business components. A minimal security configuration is established first and then completed with more sophisticated mechanisms, all of it emphasizing the novelties of Spring Security 3.x such as SpEL, annotations, the security namespace, Java config, etc. Attendees will see many of the features Spring Security implements to set up security mechanisms within JEE applications. The tools used are Spring Tool Suite 3.4, Spring Framework 3.2, Maven 3 and Spring tc Server 2.9.


Page 1: JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redondo Ramírez

Securing web applications with Spring Security 3

Fernando Redondo Ramírez

@pronoide_fer

Page 2

Roadmap

• Who am I?
• A brief introduction to Spring Security
• Hands on
• Furthermore

Page 3

Whoami

• Entrepreneur and Business Manager at Pronoide since 2003
• Java & Friends Trainer (JEE, Spring, Groovy, Maven, Jenkins, Sonar, WebLogic, JBoss, WebSphere, Disco Dancing and so on)
• Doing things with Java from 1999 on
• Computer Engineer
• Happily married and proud father of two children
• I used to want to be a physics scientist, and I really do love the X-Files series

Page 4

Brief Introduction to Spring Security

• Isn't security within JEE a standard feature?

Yes indeed, but:

• JEE Security ⇒ It's constraint based (security-constraint entries in web.xml)
• JEE Security ⇒ Only defines a secured perimeter
• JEE Security ⇒ Features depend on each app server (realms, SSO, ciphers, etc.)
• JEE Security ⇒ Secured JEE applications can't easily move across different platforms or between server versions
• JEE Security ⇒ Complex to adapt to Web 2.0 or to changing requirements

Page 5

Brief Introduction to Spring Security

• Why use Spring Security then?

Because:

• Spring Security ⇒ It's grant based (authorities granted to the authenticated principal)
• Spring Security ⇒ Both perimeter and hierarchical (web requests, then the method invocations and objects behind them)
• Spring Security ⇒ Features independent of the app server
• Spring Security ⇒ Transportable secured JEE applications
• Spring Security ⇒ Adaptable and versatile

Page 6

Brief Introduction to Spring Security

• Architecture, and we are done!

Spring Security 3 internals

• Core objects: SecurityContextHolder ⇒ SecurityContext ⇒ Authentication ⇒ GrantedAuthority
• Web requests: Web/HTTP security, the security filter chain
• Authentication: AuthenticationManager ⇒ AuthenticationProviders ⇒ UserDetailsService
• Authorization: AccessDecisionManager ⇒ Voters; AfterInvocationManager
• Business methods: business object (method) security through proxies / security interceptors
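The flow on this slide wired by hand, as an added example that is not part of the original deck: it builds the authentication side (AuthenticationManager, AuthenticationProvider, UserDetailsService), stores the result in the SecurityContextHolder the way the filter chain would, and then asks an AccessDecisionManager with a RoleVoter for a decision. It uses the Spring Security 3.2 API (the release that pairs with the talk's Spring Framework 3.2); the user names, passwords and roles are constructed for the demo, and a real application gets the same objects from its namespace or Java configuration instead of building them itself.

```java
import java.util.Arrays;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/** Walks the architecture slide by hand: filter chain left out, every other object wired explicitly. */
public class SpringSecurityInternalsDemo {

    // Constructed sample users (not from the deck). Hashes are computed at start-up so the demo is
    // self-contained; a real application stores them already hashed.
    static AuthenticationManager buildAuthenticationManager() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        UserDetails mulder = new User("mulder", encoder.encode("trustno1"),
                AuthorityUtils.createAuthorityList("ROLE_AGENT"));
        UserDetails skinner = new User("skinner", encoder.encode("director"),
                AuthorityUtils.createAuthorityList("ROLE_AGENT", "ROLE_DIRECTOR"));
        UserDetailsService users = new InMemoryUserDetailsManager(Arrays.asList(mulder, skinner));

        // AuthenticationProvider: looks the user up through the UserDetailsService and checks the hash
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);

        // AuthenticationManager: tries its providers in order until one answers
        return new ProviderManager(Arrays.<AuthenticationProvider>asList(provider));
    }

    static AccessDecisionManager buildAccessDecisionManager() {
        // Voters vote on config attributes; RoleVoter only handles attributes prefixed with ROLE_
        return new AffirmativeBased(
                Arrays.<AccessDecisionVoter<? extends Object>>asList(new RoleVoter()));
    }

    /** Authenticates, binds the result to the thread-local SecurityContext, then checks one role. */
    static boolean loginAndCheck(String username, String password, String requiredRole) {
        AuthenticationManager authManager = buildAuthenticationManager();
        AccessDecisionManager decisionManager = buildAccessDecisionManager();
        try {
            Authentication request = new UsernamePasswordAuthenticationToken(username, password);
            Authentication result = authManager.authenticate(request);     // throws on bad credentials
            SecurityContextHolder.getContext().setAuthentication(result);  // what the filter chain does per request

            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            // decide() returns quietly on grant and throws when no voter granted access
            decisionManager.decide(current, null, SecurityConfig.createList(requiredRole));
            return true;
        } catch (AuthenticationException e) {
            return false; // unknown user or wrong password (both reported the same way on purpose)
        } catch (AccessDeniedException e) {
            return false; // authenticated, but the GrantedAuthority set does not contain the role
        } finally {
            SecurityContextHolder.clearContext(); // never leak a context to the next request on this thread
        }
    }

    public static void main(String[] args) {
        System.out.println(loginAndCheck("mulder", "trustno1", "ROLE_AGENT"));
        System.out.println(loginAndCheck("mulder", "trustno1", "ROLE_DIRECTOR"));
        System.out.println(loginAndCheck("mulder", "wrong", "ROLE_AGENT"));
        System.out.println(loginAndCheck("skinner", "director", "ROLE_DIRECTOR"));
    }
}
```

Run with spring-security-core 3.2 and spring-security-crypto on the classpath. The first and last calls succeed; the second fails in the authorization half (right user, missing authority) and the third in the authentication half (wrong password), which is exactly the split between the AuthenticationManager and the AccessDecisionManager boxes on the slide. The clearContext() in the finally block is the detail the filter chain handles for you and that hand-wired code forgets most often.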

Page 7

Your next mission

I need to put security within our FBI X-Files application!

Page 8

Hands on! (Later at home)

Before you start, you have to…

1. Install git on your computer: http://git-scm.com/book/en/Getting-Started-Installing-Git
2. Download Spring Tool Suite 3.5: https://spring.io/tools/sts/all
3. Start Spring Tool Suite 3.5 (STS) and choose or create a workspace (remember to run it with a JDK)
4. Download http://pronoide.com/downloads/javacro2014-spring-security-xfiles.zip and unzip it into the workspace folder.
5. Pace yourself! It's all quite straightforward…

Page 9

FBI X Files webapp

Import the webapp (File / Import / Git / Projects from Git)

Page 10

FBI X Files webapp

Run the webapp!

Page 11

Stage: Setup Spring Security in webapp

i. Set up an interceptor filter for all web requests (the springSecurityFilterChain DelegatingFilterProxy in web.xml)

Page 12

Stage: Setup Spring Security in webapp

ii. Create a new Spring bean configuration file with the minimal security config and load it through a web.xml context parameter

Page 13

Stage: Setup Spring Security in webapp

iii. Explicitly configure the login / logout procedures
iv. Fix issues with static resources: images and CSS files

Page 14

FBI X Files webapp

Page 15

Stage: Setup Spring Security in webapp

v. Hash users' passwords via the Spring Security crypto module (passwords are hashed one-way, not encrypted)

• Encode the passwords
• Configure the algorithm and the salt field, then use the encoded passwords within the security config file
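Producing and checking the hashes with the crypto module, as an added example that is not from the deck: BCryptPasswordEncoder picks a random salt on every encode() call and stores it inside the hash string, so, unlike the algorithm-plus-salt-field setup the slide mentions, no separate salt column or user property has to be configured. The sample password is constructed; the talk's actual algorithm choice is not shown on the page.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Produces password hashes for the security config and verifies them the way the provider does at login. */
public class PasswordHashing {

    // Work factor 10 is the BCrypt default; each +1 doubles the cost for the attacker and for you.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(10);

    /** The value that goes into the user entry of the security config (or the users table). */
    public static String hashForConfig(String clearTextPassword) {
        return ENCODER.encode(clearTextPassword);
    }

    /** What DaoAuthenticationProvider does at login: submitted password against stored hash. */
    public static boolean passwordMatches(String submitted, String storedHash) {
        return ENCODER.matches(submitted, storedHash);
    }

    public static void main(String[] args) {
        // Constructed sample password (not from the deck)
        String hash1 = hashForConfig("trustno1");
        String hash2 = hashForConfig("trustno1");

        // Same password, two different hashes: the salt is random per call and travels inside the
        // "$2a$10$..." string (version, cost, 22 chars of salt, 31 chars of hash).
        System.out.println(hash1);
        System.out.println(hash2);
        System.out.println("hashes differ: " + !hash1.equals(hash2));
        System.out.println("right password accepted: " + passwordMatches("trustno1", hash1));
        System.out.println("wrong password rejected: " + !passwordMatches("TrustNo1", hash1));
    }
}
```

Run hashForConfig once per user and paste the output into the configuration; never keep the clear-text password anywhere. In the namespace file the encoder is then referenced as a bean rather than configured as a hash algorithm plus salt property, and the same encoder instance must be used for both encoding and matching, since the cost factor is read back from the stored hash.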

Page 16

Stage: Setup Spring Security in webapp

vi. Add the Remember-Me feature to the user login process

Page 17

Stage: Setup Spring Security in webapp

vii. Secure the transport channel (HTTPS)

• Set up channel constraints and port mappings
• Configure the Tomcat server (create an SSL connector)

Page 18

Stage: Setup Spring Security in webapp

viii. Session expiration control

ix. Session concurrency control

Page 19

Stage: Setup Spring Security in webapp

x. JSP tag library usage (Spring Security Taglibs)

Page 20

Stage: Setup Spring Security in webapp

xi. Use SpEL (Spring Expression Language) to protect URLs
xii. Use SpEL with the Spring Security taglib
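The whole web stage, steps i to xi, in one place, as an added example that is not the deck's own code: it uses the Java configuration that arrived in Spring Security 3.2 (listed on the last slide under "Beyond this talk") instead of the XML namespace file and web.xml entries the talk builds step by step. The paths, roles, users, remember-me key and the 8080/8443 port pair are assumptions; the declassify URL is the one from the slide later on. The taglib steps (x and xii) live in the JSPs and are not covered here.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/**
 * Step i: registers the springSecurityFilterChain filter for every request on a Servlet 3.0 container
 * (tc Server 2.9 is Tomcat 7 based), replacing the DelegatingFilterProxy entry the talk adds to web.xml.
 * SecurityConfig below must be part of the root application context (component scan or explicit registration).
 */
class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {
    @Override
    protected boolean enableHttpSessionEventPublisher() {
        return true; // step ix: the session registry must be told when sessions are destroyed
    }
}

/** Steps ii to xi: the security configuration itself (the talk's separate bean configuration file). */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

    /** Step iv: static resources bypass the filter chain entirely (paths assumed for the X-Files app). */
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/resources/**", "/css/**", "/images/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Step xi: URL protection with SpEL (roles and IP range are assumptions; most specific pattern first)
            .authorizeRequests()
                .antMatchers("/xfiles/declassify").access("hasRole('ROLE_DIRECTOR') and hasIpAddress('10.0.0.0/8')")
                .antMatchers("/xfiles/**").hasRole("AGENT")
                .anyRequest().authenticated()
                .and()
            // Step iii: explicit login and logout; permitAll() opens the login page and the failure URL
            .formLogin()
                .loginPage("/login").failureUrl("/login?error").permitAll()
                .and()
            .logout()
                .logoutUrl("/logout").logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true).deleteCookies("JSESSIONID")
                .and()
            // Step vi: remember-me; the key signs the cookie, so keep it secret and unique per application
            .rememberMe()
                .key("change-me-x-files-remember-me-key").tokenValiditySeconds(14 * 24 * 3600)
                .and()
            // Step vii: every request must use HTTPS; plain-port requests are redirected to the SSL connector port
            .requiresChannel()
                .anyRequest().requiresSecure()
                .and()
            .portMapper()
                .http(8080).mapsTo(8443)
                .and()
            // Steps viii and ix: where an expired session lands, and one session per user.
            // The timeout value itself stays the container's <session-timeout> in web.xml.
            .sessionManagement()
                .invalidSessionUrl("/login?expired")
                .maximumSessions(1).maxSessionsPreventsLogin(true).expiredUrl("/login?concurrent");
    }

    /** Step v: users with BCrypt hashes (constructed sample users; a real app stores hashes produced offline). */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("mulder").password(encoder.encode("trustno1")).roles("AGENT")
            .and()
            .withUser("skinner").password(encoder.encode("director")).roles("AGENT", "DIRECTOR");
    }
}
```

Two differences from the namespace defaults bite when you port the talk's JSPs to this: the Java config posts the login form to /login with fields named username and password (not j_spring_security_check, j_username and j_password), and it enables CSRF protection by default, so the logout link must become a POST form carrying the CSRF token. Disabling CSRF to keep the old links working is the wrong fix. The remember-me shown is the simple hash-based token; for anything beyond a demo, prefer the persistent-token variant (tokenRepository) so a stolen cookie can be revoked.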

Page 21

What have you done!

Is there security only on access to web resources? Is that the very best you can do?

Try this URL and watch what happens:

https://localhost:8443/fbi/xfiles/declassify?id=0

Page 22

Stage: Setup Spring Security in business methods

xii. Secure business method invocations through Spring Security annotations

Page 23

Stage: Setup Spring Security in business methods

xiii. Secure business method invocations through AspectJ pointcuts

Page 24

Stage: Setup Spring Security in business methods

xiv. Secure business method invocations through SpEL (pre-invocation)

Page 25

Much better! But…

What are you doing viewing files that aren't yours?

How come you are able to access your sister's files?

And why are you accessing at this time of the day?

Page 26

Stage: Setup Spring Security in a hierarchical way

xv. Secure business method invocations through SpEL (post-invocation)
xvi. Secure business method invocations through SpEL (result filtering)
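One service that covers the method-security steps xii and xiv (annotations, SpEL before the call) together with steps xv and xvi (SpEL on the returned object, filtering of results and arguments), as an added example that is not the deck's own code. The XFile class, its agent field, the service name and the sample data are assumptions. Step xiii, the AspectJ pointcut variant, is the namespace's protect-pointcut element and has no annotation counterpart, so it is not reproduced here.

```java
import java.util.ArrayList;
import java.util.List;

import javax.annotation.security.RolesAllowed;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

/** Enables all three annotation styles (the namespace equivalent is <global-method-security> with the three *-annotations attributes). */
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
class MethodSecurityConfig {
}

/** Constructed domain object: an X-File assigned to one agent (field names are assumptions). */
class XFile {
    private final long id;
    private final String title;
    private final String agent;        // username of the owning agent
    private boolean classified = true;

    XFile(long id, String title, String agent) { this.id = id; this.title = title; this.agent = agent; }
    public long getId() { return id; }
    public String getTitle() { return title; }
    public String getAgent() { return agent; }
    public boolean isClassified() { return classified; }
    public void setClassified(boolean classified) { this.classified = classified; }
}

/** Business component; the checks run in the proxy around it, so callers must go through the Spring bean. */
@Service
public class XFileService {

    private final List<XFile> files = new ArrayList<XFile>(); // stand-in for the talk's repository

    public XFileService() {
        files.add(new XFile(1, "Pilot", "mulder"));     // constructed sample data
        files.add(new XFile(2, "Squeeze", "scully"));
    }

    /** Step xii, Spring annotation: plain role check, no expressions. */
    @Secured("ROLE_AGENT")
    public List<XFile> listAll() { return new ArrayList<XFile>(files); }

    /** Step xii, JSR-250 annotation: the standard equivalent. */
    @RolesAllowed("ROLE_DIRECTOR")
    public void archive(long id) { find(id).setClassified(true); }

    /** Step xiv, pre-invocation SpEL: closes the declassify?id=0 hole at the service layer, whatever URL reached it. */
    @PreAuthorize("hasRole('ROLE_DIRECTOR')")
    public void declassify(long id) { find(id).setClassified(false); }

    /** Step xiv with an argument: @P names the parameter so #agent resolves even without debug info in the class file. */
    @PreAuthorize("hasRole('ROLE_DIRECTOR') or #agent == authentication.name")
    public List<XFile> listFor(@P("agent") String agent) {
        List<XFile> result = new ArrayList<XFile>();
        for (XFile f : files) if (f.getAgent().equals(agent)) result.add(f);
        return result;
    }

    /** Step xv, post-invocation SpEL: ownership is only known once the object is loaded, so the check runs on the return value. */
    @PostAuthorize("hasRole('ROLE_DIRECTOR') or returnObject.agent == authentication.name")
    public XFile load(long id) { return find(id); }

    /** Step xvi, result filtering: elements failing the expression are removed from the returned list.
     *  The filter mutates the collection in place, hence the copy: never hand out the repository's own list. */
    @PostFilter("hasRole('ROLE_DIRECTOR') or filterObject.agent == authentication.name")
    public List<XFile> visibleFiles() { return new ArrayList<XFile>(files); }

    /** Step xvi, input side: files the caller does not own are dropped from the argument before the body runs. */
    @PreFilter("hasRole('ROLE_DIRECTOR') or filterObject.agent == authentication.name")
    public int closeAll(List<XFile> toClose) {
        for (XFile f : toClose) f.setClassified(true);
        return toClose.size();
    }

    private XFile find(long id) {
        for (XFile f : files) if (f.getId() == id) return f;
        throw new IllegalArgumentException("no such X-File: " + id);
    }
}
```

With mulder logged in, load(2) throws AccessDeniedException after the lookup (the object was read, then refused), visibleFiles() returns only the Pilot file, and closeAll() silently ignores Squeeze; skinner, as a director, passes every check. Two things to remember: @PreFilter and @PostFilter need a mutable collection, and since the checks live in the proxy, a method calling another secured method on the same instance (this.load(...)) bypasses them.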

Page 27

Stage: Setup Spring Security in a hierarchical way

xvii. Customization of access voters

• Code a new voter

Page 28

Stage: Setup Spring Security in a hierarchical way

xviii. Customization of access voters (continued)

• Drop Spring Security's auto-config and make the actual configuration explicit
• Customize the access decision manager's behavior
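Steps xvii and xviii together, as an added example that is not the deck's code: a voter for a hypothetical OFFICE_HOURS attribute (picking up the "why are you accessing at this time of the day?" question on the previous stage), and an explicit UnanimousBased decision manager replacing the AffirmativeBased one that auto-configuration installs. It is wired into method security through the Java config's GlobalMethodSecurityConfiguration; the talk does the same in the XML file. The attribute name, the 8 to 20 window and the service are assumptions.

```java
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collection;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;

/**
 * Step xvii: votes on the (hypothetical) attribute OFFICE_HOURS. Grants inside the window, denies outside it,
 * and abstains on every other attribute so RoleVoter keeps handling ROLE_* on its own.
 */
public class OfficeHoursVoter implements AccessDecisionVoter<Object> {

    static final String ATTRIBUTE = "OFFICE_HOURS";
    private final int startHour;   // inclusive, 0-23
    private final int endHour;     // exclusive, 1-24

    public OfficeHoursVoter(int startHour, int endHour) {
        this.startHour = startHour;
        this.endHour = endHour;
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return ATTRIBUTE.equals(attribute.getAttribute());
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true; // the secured object type does not matter: works for URLs and method invocations alike
    }

    @Override
    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        int result = ACCESS_ABSTAIN;
        for (ConfigAttribute attribute : attributes) {
            if (supports(attribute)) {
                result = isOfficeHours(currentHour()) ? ACCESS_GRANTED : ACCESS_DENIED;
            }
        }
        return result;
    }

    boolean isOfficeHours(int hour) {
        return hour >= startHour && hour < endHour;
    }

    int currentHour() {
        return Calendar.getInstance().get(Calendar.HOUR_OF_DAY); // override in tests to pin the clock
    }
}

/** Step xviii: the decision manager is now explicit instead of auto-configured. */
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
class VoterMethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Override
    protected AccessDecisionManager accessDecisionManager() {
        // UnanimousBased: every voter that does not abstain must grant; a single denial refuses access.
        // AffirmativeBased (the default) would let the role grant outvote the out-of-hours denial.
        return new UnanimousBased(Arrays.<AccessDecisionVoter<? extends Object>>asList(
                new RoleVoter(),                  // ROLE_* attributes
                new AuthenticatedVoter(),         // IS_AUTHENTICATED_* attributes
                new OfficeHoursVoter(8, 20)));    // OFFICE_HOURS, window assumed
    }
}

/** Both attributes must hold: a director at 23:00 is refused even though the role check passes. */
class DeclassifyService {
    @Secured({ "ROLE_DIRECTOR", OfficeHoursVoter.ATTRIBUTE })
    public void declassify(long id) { /* ... */ }
}
```

A custom voter only ever sees attributes as plain strings when they come from @Secured, @RolesAllowed or intercept-url access lists; URLs and methods secured with SpEL expressions carry expression attributes instead, which this voter abstains on. Mixing the two styles on one decision manager therefore needs the expression voters kept in the list as well.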

Page 29

Stage: Spring Security Extras

xix. Customization of security filter chain (Example A)

• Create custom filter

• Place it within the filter chain

Page 30

Stage: Spring Security Extras

xx. Customization of security filter chain (Example B)

• Create custom filter

• Place it within the filter chain
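A custom filter and its placement in the chain, as an added example that is not the deck's code (the slides do not say what examples A and B did, so this one is a hypothetical access-audit filter): it logs who asked for what and which status came back, for every request, including the 403s the authorization step produces. The class and the log format are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical custom filter: one audit line per request. It sits right after SecurityContextPersistenceFilter,
 * so it runs before that filter clears the thread-bound context on the way out and can still read the principal
 * once the rest of the chain (form login, remember-me, authorization, the application) has finished.
 */
public class AccessAuditFilter extends OncePerRequestFilter {

    private static final Logger LOG = Logger.getLogger(AccessAuditFilter.class.getName());

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        try {
            chain.doFilter(request, response); // the remaining security filters, then the application
        } finally {
            // Read the principal after the chain ran: a login that happened in this very request is visible now
            LOG.info(auditLine(principalName(), request.getMethod(), request.getRequestURI(),
                               request.getRemoteAddr(), response.getStatus()));
        }
    }

    /** Reads the context filled in by SecurityContextPersistenceFilter or a downstream login filter. */
    static String principalName() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return (auth == null) ? "anonymous" : auth.getName();
    }

    /** Formats one record; kept separate so it can be unit-tested without a servlet container. */
    static String auditLine(String principal, String method, String uri, String remoteAddr, int status) {
        return String.format("audit principal=%s method=%s uri=%s from=%s status=%d",
                principal, method, uri, remoteAddr, status);
    }
}

/** Placing it in the chain: order is what addFilterAfter/addFilterBefore/addFilterAt are for. */
@Configuration
@EnableWebSecurity
class AuditSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterAfter(new AccessAuditFilter(), SecurityContextPersistenceFilter.class)
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

response.getStatus() needs Servlet 3.0, which tc Server 2.9 provides. Because the filter is added to the Spring Security chain rather than declared in web.xml, it only runs for requests the springSecurityFilterChain handles, so the static resources excluded in step iv are not audited; put it in web.xml in front of the DelegatingFilterProxy if those must be covered too.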

Page 31

The smoking man

All of these Spring Security features are pretty fine, but I can always leverage a Java 2 attack:

<%System.exit(0);%>
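The scriptlet on the slide is a JSP calling System.exit(0), which takes the whole JVM down with it. Spring Security authorizes requests; it has no say over code that is already deployed inside the server, which is why the slide calls this a Java 2 attack: the countermeasure is Java 2 platform security, a SecurityManager with a policy (Tomcat's -security option and catalina.policy). As an added example that is not the deck's code, this installs a manager whose checkExit refuses every exit call; the class name and the all-permissive checkPermission overrides are demo assumptions.

```java
/**
 * A SecurityManager that refuses System.exit from any code, which is the Java 2 security check
 * the JSP scriptlet on the slide would run into. Everything else is permitted here for brevity;
 * a deployment grants permissions from a policy file instead of overriding checkPermission.
 */
public final class ExitGuard {

    public static void install() {
        System.setSecurityManager(new SecurityManager() {
            @Override
            public void checkExit(int status) {
                // Runtime.exit() calls this before shutting down; throwing cancels the exit
                throw new SecurityException("System.exit(" + status + ") refused by ExitGuard");
            }

            @Override
            public void checkPermission(java.security.Permission perm) {
                // Demo only: everything except exit is allowed (this also allows replacing the manager)
            }

            @Override
            public void checkPermission(java.security.Permission perm, Object context) {
            }
        });
    }

    /** The scriptlet's call, wrapped so the outcome can be observed instead of losing the JVM. */
    public static boolean exitWasBlocked() {
        try {
            System.exit(0);
            return false; // not reached: either the VM is gone or the manager threw
        } catch (SecurityException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        install();
        System.out.println("System.exit blocked: " + exitWasBlocked());
    }
}
```

This is a Java 6/7-era control, matching the tooling on the slides: the SecurityManager is deprecated for removal since Java 17, JDK 18 to 23 only honour System.setSecurityManager when started with -Djava.security.manager=allow, and JDK 24 disables it permanently. On current JDKs the answer to the scriptlet is instead to deploy no JSPs with scriptlets at all (compile-time checks in the build, a servlet container that rejects scriptlets), and to run the container as a user and in a sandbox that limits what a killed or hijacked JVM can take with it.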

Page 32

Beyond this talk

• Explicit instead of implicit configs
• ACL management
• Authentication with DataSources, LDAP, X.509, OpenID, JEE, etc.
• Captcha
• Single Sign-On
• Java Config

"… in most of my work, the laws of physics rarely seem to apply."

Fox Mulder, 1x01 "Pilot"

Page 33

Thanks!

@pronoide_fer

https://github.com/fredondo/

[email protected]

http://pronoide.com

Page 34

Appendix: Hands on (Later at home)! Navigate along the project code with git-presenter

1. Install JRuby or Ruby: http://jruby.org/getting-started or https://www.ruby-lang.org/en/installation/
2. Install git-presenter (gem install git_presenter)
3. When the code is ready, use the "git-presenter init" command to initialize
4. Once it is initialized you can start the presentation with "git-presenter start"
5. Then use the following commands to navigate the presentation:

• next/n: move to the next slide (commit)
• back/b: move to the previous slide (commit)
• end/e: move to the end of the presentation
• start/s: move to the start of the presentation
• list/l: list the slides in the presentation
• help/h: display this message