JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redondo Ramírez
Uploaded by hujak-hrvatska-udruga-java-korisnika-croatian-java-user-association (Croatian Java User Association), category Technology
Transcript of JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redondo Ramírez
[Page 1]
Securing web applications with Spring Security 3
Fernando Redondo Ramírez
@pronoide_fer
[Page 2]
Roadmap
• Who am I?
• A brief introduction to Spring Security
• Hands on
• Furthermore
[Page 3]
Whoami
• Entrepreneur and Business Manager at Pronoide since 2003
• Java & Friends Trainer (JEE, Spring, Groovy, Maven, Jenkins, Sonar, WebLogic, JBoss, WebSphere, disco dancing and so on)
• Doing things with Java from 1999 on
• Computer Engineer
• Happily married and proud father of two children
• I used to want to be a physicist and I really do love the X-Files series
[Page 4]
Brief Introduction to Spring Security
• Isn't security already a standard feature within JEE?
Yes indeed, but:
• JEE Security ⇒ It's constraint based (security-constraint elements in the deployment descriptor)
• JEE Security ⇒ Only defines a secured perimeter (URL patterns)
• JEE Security ⇒ Features depend on each app server (realms, SSO, ciphers, etc.)
• JEE Security ⇒ Secured JEE applications can't easily move across different platforms or between server versions
• JEE Security ⇒ Complex to adapt to Web 2.0 or to changing requirements
[Page 5]
Brief Introduction to Spring Security
• Why use Spring Security then?
Because:
• Spring Security ⇒ It's grant based (GrantedAuthority)
• Spring Security ⇒ Both perimeter (URL) and hierarchical (down to business methods and the objects they return)
• Spring Security ⇒ Features independent of the app server
• Spring Security ⇒ Secured JEE applications are portable across servers
• Spring Security ⇒ Adaptable and versatile
[Page 6]
Brief Introduction to Spring Security
• Architecture, and we are done!
Spring Security 3 internals:
• Core model: SecurityContextHolder → SecurityContext → Authentication → GrantedAuthority
• Web requests: Web/HTTP Security → Security filter chain
• Authentication: AuthenticationManager → AuthenticationProviders → UserDetailsService
• Authorization: AccessDecisionManager → Voters; AfterInvocationManager
• Business methods: Business Object (Method) Security → Proxies / Security Interceptors
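The boxes in the architecture slide can be wired together without a servlet container, which is the quickest way to see what an Authentication, a GrantedAuthority and the thread-bound SecurityContextHolder actually are. The following is an added example, not code from the talk's X-Files project; the class names, the user "mulder", its password and the ROLE_AGENT authority are all constructed for the demo.

```java
import java.util.Collections;
import java.util.List;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class CoreModelDemo {

    /** Constructed in-memory user store standing in for the UserDetailsService box of the diagram. */
    static class XFilesUserDetailsService implements UserDetailsService {
        // Hash computed at startup for the demo only; a real store holds the hash, never the password
        private final String mulderHash = new BCryptPasswordEncoder().encode("trustno1");

        @Override
        public UserDetails loadUserByUsername(String username) {
            if ("mulder".equals(username)) {
                // A UserDetails carries the stored hash plus the user's GrantedAuthority list
                return new User("mulder", mulderHash, AuthorityUtils.createAuthorityList("ROLE_AGENT"));
            }
            throw new UsernameNotFoundException("no such agent: " + username);
        }
    }

    /** AuthenticationManager = a ProviderManager delegating to one DaoAuthenticationProvider. */
    static AuthenticationManager buildAuthenticationManager() {
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(new XFilesUserDetailsService());
        dao.setPasswordEncoder(new BCryptPasswordEncoder()); // must match the encoder that produced the hashes
        List<AuthenticationProvider> providers = Collections.<AuthenticationProvider>singletonList(dao);
        return new ProviderManager(providers);
    }

    private static final AuthenticationManager AUTH_MANAGER = buildAuthenticationManager();

    /** Authenticates a username/password pair and binds the result to the current thread. */
    static Authentication login(String username, String password) {
        // The request token is unauthenticated; the manager returns a populated, authenticated one
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        Authentication result = AUTH_MANAGER.authenticate(request); // throws AuthenticationException on failure
        SecurityContextHolder.getContext().setAuthentication(result);
        return result;
    }

    /** The question every voter ends up asking: does the current principal hold this authority? */
    static boolean currentUserHas(String authority) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (authority.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Authentication auth = login("mulder", "trustno1");
        System.out.println(auth.getName() + " authenticated=" + auth.isAuthenticated()
                + " authorities=" + auth.getAuthorities());
        System.out.println("has ROLE_AGENT: " + currentUserHas("ROLE_AGENT"));
        System.out.println("has ROLE_DIRECTOR: " + currentUserHas("ROLE_DIRECTOR"));
        try {
            login("mulder", "wrong-password");
        } catch (BadCredentialsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // In a web app SecurityContextPersistenceFilter clears the context at the end of each request
        SecurityContextHolder.clearContext();
    }
}
```

In the web app the same objects are created by the security namespace: the filter chain populates SecurityContextHolder from the HTTP session, the form-login filter builds the UsernamePasswordAuthenticationToken, and the voters read the authorities off the Authentication exactly as currentUserHas does here. ProviderManager erases the credentials from the returned Authentication by default, so do not expect getCredentials() to still hold the password after a successful login.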
[Page 7]
Your next mission
I need to put security within our FBI X-Files application!
[Page 8]
Hands on! (Later at home)
Before you start, you have to…
1. Install git on your computer: http://git-scm.com/book/en/Getting-Started-Installing-Git
2. Download Spring Tool Suite 3.5: https://spring.io/tools/sts/all
3. Start Spring Tool Suite 3.5 (STS) and choose or create a workspace (remember to run it with a JDK)
4. Download http://pronoide.com/downloads/javacro2014-spring-security-xfiles.zip and unzip it into the workspace folder.
5. Pace yourself! It's all quite straightforward…
[Page 9]
FBI X-Files webapp
Import the webapp (File / Import / Git / Project from Git)
[Page 10]
FBI X-Files webapp
Run the webapp!
[Page 11]
Stage: Setup Spring Security in webapp
i. Set up an interceptor filter for all web requests (Spring Security's DelegatingFilterProxy, named springSecurityFilterChain, mapped to /* in web.xml)
[Page 12]
Stage: Setup Spring Security in webapp
ii. Create a new Spring bean configuration file with the minimal security config and load it through the web.xml contextConfigLocation context parameter
[Page 13]
Stage: Setup Spring Security in webapp
iii. Explicitly configure the login / logout procedures (login page, login processing URL, failure and logout-success targets)
iv. Fix the issues with static resources, images and CSS files: the filter now intercepts them too, so exclude them from the secured URL patterns
[Page 14]
FBI X-Files webapp
[Page 15]
Stage: Setup Spring Security in webapp
v. Hash (not encrypt) users' passwords via the Spring Security crypto module
• Encode the passwords
• Configure the algorithm and the salt field. Then use the encoded passwords within the security config file
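What step v produces is a set of hashes to paste into the security config file, and an encoder declared there so that the DaoAuthenticationProvider compares login input the same way. This added example (not the talk's code) contrasts the legacy "algorithm plus salt field" scheme the slide describes with the crypto module's encoders that carry their own random salt. The password "trustno1", the username "mulder" and the application secret are constructed values.

```java
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;

public class PasswordHashingDemo {

    /** Legacy style (spring-security-core): fixed algorithm, salt taken from a user field such as the username. */
    static String legacySha256(String rawPassword, String username) {
        ShaPasswordEncoder sha = new ShaPasswordEncoder(256);
        return sha.encodePassword(rawPassword, username);
    }

    static boolean legacySha256Matches(String stored, String rawPassword, String username) {
        return new ShaPasswordEncoder(256).isPasswordValid(stored, rawPassword, username);
    }

    /** Crypto-module style: the encoder generates a random salt per call and embeds it in the output. */
    static String encodeWith(PasswordEncoder encoder, String rawPassword) {
        return encoder.encode(rawPassword);
    }

    public static void main(String[] args) {
        // 1. Legacy SHA-256 with the username as salt: deterministic, and cheap to brute-force offline
        String h1 = legacySha256("trustno1", "mulder");
        String h2 = legacySha256("trustno1", "mulder");
        System.out.println("sha256(username salt) identical across calls: " + h1.equals(h2));
        System.out.println("sha256 matches: " + legacySha256Matches(h1, "trustno1", "mulder"));

        // 2. bcrypt: random salt, tunable work factor (2^12 rounds here; tune so a login costs ~100 ms)
        PasswordEncoder bcrypt = new BCryptPasswordEncoder(12);
        String b1 = encodeWith(bcrypt, "trustno1");
        String b2 = encodeWith(bcrypt, "trustno1");
        System.out.println("bcrypt hashes differ (random salt): " + !b1.equals(b2));
        System.out.println("bcrypt matches: " + bcrypt.matches("trustno1", b1));
        // b1 ($2a$12$...) is what goes into the user entry of the security config file,
        // together with a <password-encoder> / passwordEncoder reference to a BCryptPasswordEncoder bean.

        // 3. StandardPasswordEncoder: SHA-256 with a random salt and an application secret (constructed here)
        PasswordEncoder standard = new StandardPasswordEncoder("constructed-application-secret");
        String s1 = encodeWith(standard, "trustno1");
        System.out.println("standard encoder matches: " + standard.matches("trustno1", s1));
    }
}
```

The legacy encoder still works in Spring Security 3, but a username salt only stops rainbow tables; it does not slow an attacker who has the database, which is what bcrypt's work factor is for. Whatever encoder you pick, the hashes in the config file and the encoder bean declared next to them must agree, or every login fails.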
[Page 16]
Stage: Setup Spring Security in webapp
vi. Add the Remember Me feature to the users' login process
[Page 17]
Stage: Setup Spring Security in webapp
vii. Secure the transport channel (HTTPS)
• Set up channel constraints (requires-channel) and the HTTP-to-HTTPS port mapping
• Configure the Tomcat server (create an SSL connector)
[Page 18]
Stage: Setup Spring Security in webapp
viii. Session expiration control (where to send a request that arrives with an invalid or expired session)
ix. Session concurrency control (maximum number of simultaneous sessions per user)
[Page 19]
Stage: Setup Spring Security in webapp
x. JSP tag library usage (Spring Security Taglibs)
[Page 20]
Stage: Setup Spring Security in webapp
xi. SpEL usage to protect URLs (Spring Expression Language)
xii. SpEL usage with Spring security taglib
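Steps i to ix and xi of this stage are one web security configuration. The talk does them with the XML security namespace; the block below is an added example (not the talk's project code) that expresses the same stage in the Spring Security 3.2 Java config the deck lists under "Beyond this talk". The class names, the users "mulder" and "skinner" with their passwords, the URL patterns, the remember-me key and the 8080/8443 port pair are assumptions for the example; the taglib steps (x and xii) are JSP and are not covered here.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/** Step i: registers the springSecurityFilterChain (a DelegatingFilterProxy) for every request. */
public class XFilesSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
    public XFilesSecurityInitializer() {
        super(XFilesSecurityConfig.class); // step ii: the security configuration to load
    }

    @Override
    protected boolean enableHttpSessionEventPublisher() {
        return true; // step ix: concurrency control needs session-destroyed events to free slots
    }
}

@Configuration
@EnableWebSecurity
class XFilesSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // step v: stored passwords are bcrypt hashes
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed users; hashes are computed here only so the example runs, real config stores them
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("mulder").password(passwordEncoder().encode("trustno1")).roles("AGENT").and()
            .withUser("skinner").password(passwordEncoder().encode("director")).roles("AGENT", "DIRECTOR");
    }

    @Override
    public void configure(WebSecurity web) {
        // step iv: static resources bypass the security filter chain entirely (XML: security="none")
        web.ignoring().antMatchers("/resources/**", "/css/**", "/images/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // step xi: SpEL on URLs; hasIpAddress only sees the proxy's address behind a TLS terminator
                .antMatchers("/xfiles/declassify").access("hasRole('ROLE_DIRECTOR') and hasIpAddress('10.0.0.0/8')")
                .antMatchers("/xfiles/**").hasRole("AGENT")   // hasRole("AGENT") means ROLE_AGENT
                .anyRequest().authenticated()
                .and()
            .formLogin()                                      // step iii: explicit login/logout
                .loginPage("/login").permitAll()
                .failureUrl("/login?error")
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .permitAll()
                .and()
            .rememberMe()                                     // step vi
                .key("constructed-remember-me-key")           // secret, stable across restarts, never default
                .tokenValiditySeconds(14 * 24 * 3600)
                .and()
            .requiresChannel()                                // step vii: channel constraint
                .anyRequest().requiresSecure()
                .and()
            .portMapper()
                .http(8080).mapsTo(8443)                      // Tomcat SSL connector listens on 8443
                .and()
            .sessionManagement()                              // step viii
                .invalidSessionUrl("/login?expired")
                .sessionFixation().migrateSession()
                .maximumSessions(1)                           // step ix
                .maxSessionsPreventsLogin(false)              // a second login expires the first session
                .expiredUrl("/login?concurrent");
    }
}
```

Two caveats a practitioner will hit with this stage: the default remember-me token is a hash that includes the user's password hash and the key, so changing the key invalidates every token, and a stolen cookie is valid until expiry; the persistent-token variant (rememberMe().tokenRepository(...)) is the safer choice. And the session timeout itself still comes from the container (session-timeout in web.xml); invalidSessionUrl only decides where a request with a stale cookie is sent.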
[Page 21]
What have you done!
Is access only being checked at the web-resource (URL) level? Is that the very best you can make it?
A URL rule guards the path, not the object behind the id: any agent who can reach the controller can declassify any file.
Try this URL and watch what happens:
https://localhost:8443/fbi/xfiles/declassify?id=0
[Page 22]
Stage: Setup Spring Security in business methods
xii. Secure business method invocations through Spring Security annotations
[Page 23]
Stage: Setup Spring Security in business methods
xiii. Secure business method invocations through AspectJ pointcuts
[Page 24]
Stage: Setup Spring Security in business methods
xiv. Secure business method invocations through SpEL (pre-invocation)
[Page 25]
Much better! But…
What are you doing viewing files that aren't yours?
How come you are able to access your sister's files?
And why are you accessing them at this time of the day?
[Page 26]
Stage: Setup Spring Security in a hierarchical way
xv. Secure business method invocations through SpEL (post-invocation)
xvi. Secure business method invocations through SpEL (result filtering)
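Steps xii, xiv, xv and xvi are the four method-security flavours applied to one service: a role list on the method, a SpEL check over the arguments before the call, a SpEL check over the returned object after the call, and filtering of a returned collection. The block below is an added example, not the talk's X-Files project code; the XFile domain object, the XFileService methods, the owners "mulder" and "scully" and the ROLE_AGENT / ROLE_DIRECTOR roles are constructed. The AspectJ pointcut form of step xiii is the XML-only protect-pointcut element and is not shown.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.stereotype.Service;

/** Turns on @Secured (role lists) and @PreAuthorize/@PostAuthorize/@PostFilter (SpEL); XML: global-method-security. */
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
}

/** Constructed domain object: an X-File has an id, a title and the agent who owns it. */
class XFile {
    private final long id;
    private final String title;
    private final String owner;

    XFile(long id, String title, String owner) { this.id = id; this.title = title; this.owner = owner; }
    public long getId() { return id; }
    public String getTitle() { return title; }
    public String getOwner() { return owner; } // SpEL reads this as returnObject.owner / filterObject.owner
}

@Service
public class XFileService {

    // Constructed data; a real service would load from a repository
    private final List<XFile> files = new ArrayList<XFile>();

    public XFileService() {
        files.add(new XFile(0, "Pilot", "mulder"));
        files.add(new XFile(1, "Squeeze", "scully"));
        files.add(new XFile(2, "Samantha", "mulder"));
    }

    /** Step xii, role only: the URL rule on /xfiles/declassify is no longer the only gate. */
    @Secured("ROLE_DIRECTOR")
    public void declassify(long id) {
        // declassification logic
    }

    /** Step xiv, pre-invocation over the arguments: an agent may only list their own files. */
    @PreAuthorize("hasRole('ROLE_DIRECTOR') or #agent == authentication.name")
    public List<XFile> findByAgent(String agent) {
        List<XFile> result = new ArrayList<XFile>();
        for (XFile f : files) {
            if (f.getOwner().equals(agent)) {
                result.add(f);
            }
        }
        return result;
    }

    /** Step xv, post-invocation: the owner is only known once the object is loaded, so check returnObject. */
    @PostAuthorize("hasRole('ROLE_DIRECTOR') or returnObject == null or returnObject.owner == authentication.name")
    public XFile load(long id) {
        for (XFile f : files) {
            if (f.getId() == id) {
                return f;
            }
        }
        return null;
    }

    /** Step xvi, result filtering: callers get the list minus the elements they may not see. */
    @PostFilter("hasRole('ROLE_DIRECTOR') or filterObject.owner == authentication.name")
    public List<XFile> findAll() {
        return new ArrayList<XFile>(files); // must be a mutable copy: @PostFilter removes elements in place
    }
}
```

Two things to check before trusting this: in Spring Security 3.x hasRole('ROLE_AGENT') needs the full authority name (the automatic ROLE_ prefix only arrived in 4.0), and #agent resolves by parameter name, which needs the class compiled with debug info (javac -g, the Maven default) or the parameter annotated with @P("agent") from 3.2 on. @PostAuthorize and @PostFilter run after the method body, so they never prevent a side effect; use them for reads, and guard writes such as declassify with a pre-invocation rule.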
[Page 27]
Stage: Setup Spring Security in a hierarchical way
xvii. Customization of access voters
• Code a new voter
[Page 28]
Stage: Setup Spring Security in a hierarchical way
xviii. Customization of access voters (continued)
• Drop the Spring Security auto-config and spell out the actual configuration it was generating
• Customize the access decision manager's behavior
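Steps xvii and xviii belong together: a new voter is only consulted once the auto-configured AccessDecisionManager is replaced by one that lists it. The "at this time of the day" question from the previous slide is a natural custom vote, because neither RoleVoter nor a SpEL role check can answer it. This added example (not the talk's code) shows a business-hours voter and an explicit UnanimousBased manager wired through the Java-config hook; the attribute name BUSINESS_HOURS, the 08:00 to 20:00 window and the ArchiveService are constructed.

```java
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;

/** Step xvii: votes on the attribute BUSINESS_HOURS, grants inside the window, denies outside, abstains otherwise. */
public class BusinessHoursVoter implements AccessDecisionVoter<Object> {

    static final String ATTRIBUTE = "BUSINESS_HOURS";
    private final int openHour;  // inclusive
    private final int closeHour; // exclusive

    public BusinessHoursVoter(int openHour, int closeHour) {
        this.openHour = openHour;
        this.closeHour = closeHour;
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return ATTRIBUTE.equals(attribute.getAttribute());
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true; // works for MethodInvocation and FilterInvocation alike
    }

    /** The rule on its own, so it can be unit-tested without touching the clock. */
    public boolean isOpen(int hourOfDay) {
        return hourOfDay >= openHour && hourOfDay < closeHour;
    }

    @Override
    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        for (ConfigAttribute attribute : attributes) {
            if (supports(attribute)) {
                int hour = Calendar.getInstance().get(Calendar.HOUR_OF_DAY);
                return isOpen(hour) ? ACCESS_GRANTED : ACCESS_DENIED;
            }
        }
        return ACCESS_ABSTAIN; // no BUSINESS_HOURS attribute on this invocation: not our decision
    }
}

/** Step xviii: explicit decision manager instead of the auto-configured one (one such config per application). */
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
class VoterMethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Override
    protected AccessDecisionManager accessDecisionManager() {
        List<AccessDecisionVoter> voters = new ArrayList<AccessDecisionVoter>(); // 3.2 constructor signature
        voters.add(new RoleVoter());               // decides ROLE_* attributes
        voters.add(new AuthenticatedVoter());      // decides IS_AUTHENTICATED_* attributes
        voters.add(new BusinessHoursVoter(8, 20)); // decides BUSINESS_HOURS
        return new UnanimousBased(voters);         // every non-abstaining voter must grant
    }
}

/** Usage: RoleVoter abstains on BUSINESS_HOURS and BusinessHoursVoter abstains on ROLE_AGENT, so both must pass. */
@Service
class ArchiveService {
    @Secured({ "ROLE_AGENT", "BUSINESS_HOURS" })
    public void openFile(long id) {
        // archive access
    }
}
```

The choice of manager is the behavior customization the slide refers to: AffirmativeBased (the auto-config default) lets one grant win, UnanimousBased lets one denial win, and both deny when every voter abstains unless allowIfAllAbstainDecisions is switched on. If prePostEnabled is also turned on, the overriding accessDecisionManager() must add a PreInvocationAuthorizationAdviceVoter as the default implementation does, or @PreAuthorize attributes will find no voter and be denied.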
[Page 29]
Stage: Spring Security Extras
xix. Customization of the security filter chain (Example A)
• Create a custom filter
• Place it within the filter chain
[Page 30]
Stage: Spring Security Extras
xx. Customization of the security filter chain (Example B)
• Create a custom filter
• Place it within the filter chain
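Both extras come down to the same two moves, and where in the chain the filter lands decides what it can see. The block below is an added example, not the talk's code, with one filter for each slide: an audit filter that must run after SecurityContextPersistenceFilter (before it the SecurityContextHolder is still empty) and a per-IP login attempt cap that must run before UsernamePasswordAuthenticationFilter (after it the credentials have already been checked). The /xfiles/ and /login URLs, the limit of 20 attempts and the class names are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** Example A: audit who touches /xfiles/**. Placed after SecurityContextPersistenceFilter so the principal is known. */
class XFilesAuditFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        if (request.getRequestURI().startsWith(request.getContextPath() + "/xfiles/")) {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            String who = (auth == null) ? "anonymous" : auth.getName();
            logger.info("audit user=" + who + " ip=" + request.getRemoteAddr()
                    + " " + request.getMethod() + " " + request.getRequestURI());
        }
        chain.doFilter(request, response);
    }
}

/** Example B: cap POSTs to the login URL per client IP. Placed before the form-login filter so blocked
 *  attempts never reach the AuthenticationManager. The counter never resets: a real one expires entries. */
class LoginAttemptFilter extends OncePerRequestFilter {
    private final String loginUrl;
    private final int maxAttempts;
    private final ConcurrentMap<String, AtomicInteger> attempts = new ConcurrentHashMap<String, AtomicInteger>();

    LoginAttemptFilter(String loginUrl, int maxAttempts) {
        this.loginUrl = loginUrl;
        this.maxAttempts = maxAttempts;
    }

    /** Counts one attempt for this IP and reports whether the cap is now exceeded. */
    boolean isBlocked(String ip) {
        AtomicInteger fresh = new AtomicInteger(0);
        AtomicInteger counter = attempts.putIfAbsent(ip, fresh);
        if (counter == null) {
            counter = fresh;
        }
        return counter.incrementAndGet() > maxAttempts;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        boolean loginPost = "POST".equals(request.getMethod())
                && (request.getContextPath() + loginUrl).equals(request.getRequestURI());
        if (loginPost && isBlocked(request.getRemoteAddr())) {
            response.sendError(429, "Too many login attempts"); // 429 is not a constant in javax.servlet
            return;
        }
        chain.doFilter(request, response);
    }
}

/** Placement in the chain; the XML equivalent is custom-filter with after="SECURITY_CONTEXT_FILTER"
 *  and before="FORM_LOGIN_FILTER". */
@Configuration
@EnableWebSecurity
class FilterChainConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterAfter(new XFilesAuditFilter(), SecurityContextPersistenceFilter.class)
            .addFilterBefore(new LoginAttemptFilter("/login", 20), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests().anyRequest().authenticated().and()
            .formLogin().loginPage("/login").loginProcessingUrl("/login").permitAll();
    }
}
```

Filters added this way are not Spring beans, which is fine for the chain but means they get no dependency injection; declare them as beans and pass the bean reference when they need a repository or a clock. Keying the cap on getRemoteAddr() only works when the app sees the client address directly; behind a reverse proxy every attempt shares the proxy's IP and the cap locks out everyone.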
[Page 31]
The smoking man
All of these Spring Security features are pretty fine, but I can always fall back on a Java 2 (platform security) attack from inside the application:
<% System.exit(0); %>
Spring Security authorizes requests and method calls; it does not sandbox code that already runs inside the JVM. Stopping a scriptlet like this is the job of a Java SecurityManager policy, not of the filter chain.
[Page 32]
Beyond this talk
• Explicit rather than implicit configs
• ACL management
• Authentication with DataSources, LDAP, X.509, OpenID, JEE, etc.
• Captcha
• Single Sign On
• Java Config
"… in most of my work, the laws of physics rarely seem to apply."
Fox Mulder, 1x01 "Pilot"
[Page 34]
Appendix: Hands on (later at home)! Navigate along the project code with git presenter
1. Install JRuby or Ruby: http://jruby.org/getting-started or https://www.ruby-lang.org/en/installation/
2. Install git presenter (gem install git_presenter)
3. When the code is ready, use the "git-presenter init" command to initialize it
4. Once it is initialized you can start the presentation with "git-presenter start"
5. Then use the following commands to navigate the presentation:
• next/n: move to the next slide (commit)
• back/b: move to the previous slide (commit)
• end/e: move to the end of the presentation
• start/s: move to the start of the presentation
• list/l: list the slides in the presentation
• help/h: display this message